Vanta CRM provides customer relationship management software for businesses. This Privacy Policy explains how Vanta CRM ("Vanta CRM," "we," "us," or "our") collects, uses, discloses, and protects information when you visit our website, create an account, use our services, connect integrations, submit public forms, or communicate with us.

1. Information we collect

We may collect the following categories of information:

Account information. Name, email address, workspace or company name, role, phone number, login credentials, account settings, and billing contact details.
Customer CRM data. Contacts, leads, accounts, pipeline records, notes, tasks, project records, quotes, email metadata, activity history, uploaded files, form submissions, and other content submitted by customers or authorized users.
Usage and device information. Pages viewed, features used, actions taken, timestamps, IP address, browser type, device information, operating system, diagnostic logs, and similar technical data.
Communications. Support requests, sales inquiries, emails, form submissions, feedback, and other messages you send us.
Payment information. Subscription plan, billing status, transaction metadata, and payment processor identifiers. Payment card details are processed by Stripe and are not stored directly by Vanta CRM.
Integration data. Information made available when you connect third-party services, such as Google Workspace, Gmail, calendar tools, email providers, or other integrations.

2. Customer CRM data

Customer CRM data is controlled by the customer that submits it to Vanta CRM. We process Customer CRM data to provide, maintain, secure, support, and improve the services, comply with law, prevent abuse, and follow the customer's instructions or our agreements with the customer. Customers are responsible for ensuring they have the rights, notices, consents, and legal bases needed to process personal information in Vanta CRM.

3. How we use information

We use information to:

provide, operate, maintain, secure, and improve the services;
create accounts, authenticate users, and manage workspaces;
process subscriptions, invoices, payments, and taxes;
send transactional messages such as password resets, verification emails, billing notices, trial reminders, and security alerts;
provide support and respond to requests;
monitor performance, debug errors, and detect service issues;
prevent fraud, abuse, spam, unauthorized access, and security incidents;
develop features, analytics, reporting, automations, and AI-assisted workflows;
comply with legal obligations and enforce our agreements.

4. Cookies and similar technologies

We may use cookies, local storage, pixels, and similar technologies to operate the website and services, keep users signed in, remember preferences, measure usage, improve performance, understand marketing effectiveness, and protect against fraud or abuse. You can control cookies through your browser settings, but disabling certain cookies may affect service functionality.

5. AI-assisted features

Vanta CRM may use artificial intelligence and machine learning service providers, including Anthropic, to help generate summaries, draft content, classify records, score leads, suggest workflows, detect security risks, or provide support. Inputs and related CRM context may be sent to AI providers only as needed to deliver the requested feature. We do not permit AI providers to use Customer CRM data to train their general-purpose models unless a customer expressly authorizes that in writing.

AI outputs should be reviewed by users before being sent, published, relied on, or used in business decisions.

6. Google and Gmail integration data

If you connect a Google account, Vanta CRM may access Google user data that you authorize, such as account information, email metadata, message content, contacts, calendar data, or related records, depending on the permissions you grant. We use Google user data only to provide and improve user-facing CRM features such as email sync, message association, contact logging, activity tracking, and workflow automation.

Vanta CRM's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, use Google user data for advertising, or allow humans to read Google user data except where necessary for security, support with your consent, legal compliance, or system troubleshooting.

OAuth access and refresh tokens are encrypted at rest before storage. Synced Gmail and Calendar records are stored in the customer's tenant-scoped workspace only when they are needed for CRM features, such as matching messages or meetings to existing contacts, leads, activities, or outreach sequences. Messages or events that do not match a CRM workflow are not shown to other workspace users.

Users can disconnect Google at any time in Settings → Integrations, or revoke access directly from their Google Account permissions page. Disconnecting stops future sync and clears stored OAuth tokens. Previously created CRM records remain subject to the customer's workspace retention, export, deletion, and 30-day hard-delete processes described in this Policy and our Terms.

7. How we disclose information

We may disclose information to:

Authorized users. Other users in your workspace may access information according to their role and permissions.
Service providers and subprocessors. Vendors that help us host, store, secure, analyze, support, and operate Vanta CRM, such as hosting providers, database providers, payment processors, email delivery providers, error monitoring tools, rate-limiting infrastructure, security tools, and AI providers. The current list is published at vantacrm.com/subprocessors and is updated with at least 30 days' advance notice before a new subprocessor begins processing customer data.
Integration providers. Third-party services you or your organization choose to connect to Vanta CRM.
Professional advisors. Lawyers, accountants, auditors, insurers, and other advisors where reasonably necessary.
Legal and safety recipients. Courts, regulators, law enforcement, or other parties when required by law or when we believe disclosure is necessary to protect rights, safety, security, or the integrity of the services.
Business transfer parties. Parties involved in a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality protections.

We do not sell Customer CRM data. We do not share Customer CRM data for cross-context behavioral advertising.

8. Service providers

The services may rely on providers such as Vercel for application hosting, Supabase or other database infrastructure, Stripe for payments, Resend for transactional email, Sentry for error monitoring, Upstash for rate limiting, Google for connected Google Workspace features, and Anthropic for AI-assisted features. Provider names, roles, and locations may change as the services evolve.

9. Security

We use administrative, technical, and organizational safeguards designed to protect information, including encryption in transit, access controls, authentication controls, logging, monitoring, vendor review, and secure development practices. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your account or data has been compromised, contact us promptly.

10. Retention and deletion

We retain personal information for as long as reasonably necessary to provide the services, maintain accounts, comply with legal obligations, resolve disputes, enforce agreements, prevent fraud, and support legitimate business purposes. Customer CRM data is retained according to the customer's subscription, account settings, deletion requests, and contractual terms.

Customers may delete records within the services or request account deletion. After deletion or termination, we may retain limited information as required by law, for backup integrity, security, fraud prevention, dispute resolution, or legitimate business purposes. Backup copies are deleted or overwritten according to our backup retention schedule.

11. Your privacy rights

Depending on where you live and subject to applicable law, you may have rights to access, correct, delete, or export personal information; object to or restrict certain processing; withdraw consent; opt out of marketing emails; opt out of certain targeted advertising, sale, or sharing uses; limit use of sensitive personal information; or appeal a privacy request decision. To exercise rights, contact us at privacy@vantacrm.com. We may need to verify your identity before processing a request.

If your information is controlled by one of our customers, we may direct your request to that customer or process it according to the customer's instructions.

12. California and US state privacy disclosures

Depending on your relationship with us and applicable law, we may collect identifiers, commercial information, internet or network activity, professional or employment-related information, approximate location derived from IP address, sensitive account credentials, and inferences from service usage. We use and disclose these categories for the purposes described in this Policy.

We do not sell personal information as the term "sell" is commonly understood. If our use of analytics or advertising technologies is considered a "sale," "sharing," or targeted advertising under applicable law, eligible users may opt out by contacting privacy@vantacrm.com. We will honor legally required browser-based opt-out signals where required by applicable law.

13. Marketing communications

We may send marketing communications where permitted by law. You can unsubscribe from marketing emails using the unsubscribe link in the message or by contacting us. We may still send transactional, security, legal, billing, and service-related messages.

14. International transfers

Vanta CRM is operated from the United States. If you access the services from outside the United States, your information may be processed and stored in the United States or other countries where we or our service providers operate. These countries may have data protection laws different from those in your jurisdiction.

15. Children

Vanta CRM is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will take reasonable steps to delete it.

16. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law, such as by posting the updated Policy, updating the last updated date, sending email notice, or providing in-product notice.

17. Contact

Questions about this Privacy Policy or our privacy practices may be sent through vantacrm.com/contact or to privacy@vantacrm.com.