FollowUP CRM - Privacy Policy
Effective Date: 10 May 2026 Version: 2.0 Last Updated: 10 May 2026 Governing Language: English (Georgian translation provided for informational purposes only; in case of conflict, this English version controls.)
📋 Quick Summary (TL;DR)
We know you don't want to read a 30-page legal document. Here's what matters most:
- Who we are. Sales Consulting Group LLC (Georgian Company ID 405727254), operating the FollowUP CRM platform built on white-labelled GoHighLevel infrastructure.
- Two roles, two policies. When you visit our website or are our paying customer, we are the Controller of your data - this Policy applies to you. When you use FollowUP CRM to process your customers' / contacts' / leads' data, we act as a Processor on your behalf - that processing is governed by our Data Processing Addendum (DPA), not this Policy.
- What we collect. Account information, billing data, usage data, communications you send us, and (for website visitors) cookies and analytics data.
- What we don't do. We don't sell your personal data. We don't use your customer data to train AI models without your consent.
- Your rights. Access, correction, deletion, data portability, objection, withdrawal of consent - exercisable by emailing info@followup.agency.
- Where your data goes. Most processing happens on infrastructure operated by HighLevel Inc. (USA), a participant in the EU-U.S. Data Privacy Framework. Other Sub-processors are listed at followup.agency/sub-processors.
- How long we keep it. Account data: 7 years after closure (tax law). Marketing data: until you opt out, then 24 months max. Logs: 12 months. Full table in Section 8.
- Questions? info@followup.agency.
1. Introduction and Scope
1.1 Who We Are
This Privacy Policy ("Policy") is published by:
Sales Consulting Group LLC Georgian Company ID: 405727254 Registered Address: Bakhtrioni 11, Tbilisi, Georgia Operating Brand: FollowUP CRM Website: followup.agency
(referred to as "FollowUP CRM", "we", "us", or "our").
1.2 What This Policy Covers
This Policy explains how we collect, use, share, store, and protect personal data when you:
(a) visit our website (followup.agency); (b) create an account, start a free trial, or subscribe to the FollowUP CRM platform (the "Platform"); (c) communicate with us by email, phone, chat, or social media; (d) participate in our Affiliate Program; (e) attend our events, webinars, or demos; or (f) otherwise interact with us in connection with the Platform.
In all of the above activities, we act as a "Data Controller" - meaning we determine why and how your personal data is processed.
1.3 What This Policy Does Not Cover
This Policy does not cover personal data that you, as our Customer, process through the Platform about your end users (your contacts, leads, customers, patients, students, message recipients, etc.). For that processing:
- You are the Data Controller.
- We are the Data Processor, acting on your documented instructions.
- That processing is governed by our Data Processing Addendum (DPA), available at followup.agency/legal/dpa (or as separately executed).
- You - not us - are responsible for providing privacy notices to your end users, obtaining their consents, and responding to their data subject rights requests in the first instance.
Why this distinction matters. If you are a marketing agency using FollowUP CRM to send SMS to your client's customers, those customers' data is your responsibility under data protection law. Our role is purely to operate the technical infrastructure on your instructions. The DPA defines that processor relationship in detail.
1.4 Applicable Laws
This Policy is designed to comply with:
- the Law of Georgia on Personal Data Protection (as amended in 2023);
- the EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679;
- the UK GDPR and Data Protection Act 2018;
- the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and equivalent U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and others as enacted);
- the EU ePrivacy Directive (2002/58/EC) as transposed into national law (governing electronic marketing and cookies);
- the UK Privacy and Electronic Communications Regulations (PECR);
- where applicable to communications you send through the Platform: the U.S. Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), and equivalent regimes (these are addressed in the Master Subscription Agreement, not in this Policy, because they apply to your role as sender, not ours).
Where our practices need to differ in a particular jurisdiction (e.g., for California consumers under CCPA/CPRA), region-specific provisions are set out in Section 13.
2. Personal Data We Collect
We collect personal data in three ways: (a) information you give us, (b) information we collect automatically when you use our website or Platform, and (c) information we receive from third parties.
2.1 Information You Give Us
| Category | Examples | When We Collect |
|---|---|---|
| Identity Data | Full name, business name, job title | Account registration, trial signup, contact forms |
| Contact Data | Email, phone number, billing address, country | Account registration, sales inquiries |
| Account Credentials | Username, hashed password, 2FA secrets | Account creation, login |
| Billing Data | Last 4 digits of payment card, billing address, VAT ID, invoices (full card data is held by Flitt/TBC, not us) | Subscription activation, payment processing |
| Communications Content | Emails, support tickets, chat messages, recorded calls (with notice), survey responses | When you contact us |
| Marketing Preferences | Opt-in/opt-out status, communication preferences | Account settings, signup forms, unsubscribe links |
| Affiliate Program Data | Banking details for payouts, tax ID, identity verification documents | Joining the Affiliate Program |
| User-Provided Content | Anything you voluntarily share - testimonials, reviews, social posts mentioning us | When you provide it |
2.2 Information We Collect Automatically
| Category | Examples | Collection Method |
|---|---|---|
| Device & Browser | IP address, browser type and version, OS, screen resolution, device identifiers | Web/mobile access |
| Usage Data | Pages visited, features used, click patterns, session duration, login frequency, error logs | Web analytics, in-app telemetry |
| Location Data | Approximate location derived from IP (city/country level) - not precise GPS | IP geolocation |
| Cookies & Similar Tech | See our Cookie Policy | Website browsing, in-app activity |
| Performance & Security | Error reports, crash logs, security event logs, anomaly detection signals | Platform monitoring |
| Communications Metadata | Email open/click events, message delivery status, IP of email actions | When you interact with our marketing emails or support replies |
2.3 Information from Third Parties
| Source | What We Receive |
|---|---|
| Payment processors (Flitt/TBC, Stripe) | Confirmation of payments, last 4 digits of card, payment method type - never full card data |
| Single Sign-On providers (Google, Microsoft) | Where you log in via SSO: name, email, profile picture (per your SSO permissions) |
| Marketing partners and integrations | Lead data where you enter our funnel via partner referrals or integrations |
| HighLevel Inc. | Aggregate platform metrics, security signals, sub-processor information |
| Public sources | Business information from public registries (for due-diligence, fraud prevention) |
| Affiliate referrers | Identification of who referred you, for commission tracking |
2.4 Sensitive / Special-Category Data
We do not knowingly collect special-category personal data (health, racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, sexual orientation, trade union membership) about you in the operation of the Platform.
If you are a healthcare provider, financial services firm, or similar regulated business that processes such data of your end users through the Platform, that processing is governed by the DPA, not by this Policy. In particular, processing of U.S. Protected Health Information (PHI) under HIPAA requires a separate Business Associate Agreement (BAA), and is not currently within our standard offering - contact info@followup.agency if your use case requires HIPAA compliance.
2.5 Children
The Platform is intended for business users aged 18 or older. We do not knowingly collect personal data from children under 18 in the context of this Policy.
For the avoidance of doubt: where the Platform is used by our Customers to communicate with their end users, the responsibility for not targeting minors (and for obtaining parental consent under COPPA, GDPR Article 8, Georgian law, or other applicable rules where minors are involved in the recipient base) sits with the Customer, not with us. Our DPA addresses this allocation.
If we become aware that we have inadvertently collected personal data from a child under 18 in our role as Controller, we will delete it promptly. Please contact info@followup.agency.
3. How We Use Your Personal Data - and the Legal Basis for Each Use
Under GDPR Article 6, Georgian Data Protection Law Article 5, and equivalent laws, we must have a lawful basis for each processing activity. The table below sets out our purposes and the corresponding lawful basis.
| Purpose of Processing | Categories of Data Used | Lawful Basis (GDPR / Georgian Law) |
|---|---|---|
| Account creation, login, authentication | Identity, Contact, Credentials | Contract performance (Art. 6(1)(b)) |
| Providing the Platform and its features to you | Identity, Contact, Usage, Account Credentials | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing billing | Identity, Billing | Contract performance + Legal obligation (tax law) (Art. 6(1)(b), (c)) |
| Tax record-keeping and compliance | Identity, Billing | Legal obligation (Art. 6(1)(c)) |
| Customer support and service communications | Identity, Contact, Communications Content | Contract performance + Legitimate interest (Art. 6(1)(b), (f)) |
| Security monitoring, fraud prevention, abuse detection | Usage, Device, Performance & Security | Legitimate interest in protecting the Platform and users (Art. 6(1)(f)) + Legal obligation where security incident notification is required (Art. 6(1)(c)) |
| Product analytics and improvement (aggregated/pseudonymized) | Usage (aggregated) | Legitimate interest in improving the Platform (Art. 6(1)(f)) |
| Marketing communications to existing customers about similar products | Identity, Contact, Marketing Preferences | Legitimate interest with opt-out (Art. 6(1)(f)), or Consent in jurisdictions requiring it (Art. 6(1)(a)) |
| Marketing to non-customers (newsletter, demos, events) | Identity, Contact, Marketing Preferences | Consent (Art. 6(1)(a)) |
| Cookies and similar technologies (non-essential) | Device, Usage | Consent (ePrivacy Directive Art. 5(3)) |
| Cookies (strictly necessary) | Device | Legitimate interest / "no consent required" exception (ePrivacy Directive Art. 5(3) caveat) |
| Affiliate Program operations and payouts | Identity, Contact, Affiliate Program Data | Contract performance + Legal obligation (Art. 6(1)(b), (c)) |
| Responding to legal requests, court orders, regulator inquiries | Whatever is responsive | Legal obligation (Art. 6(1)(c)) |
| Defending or asserting legal claims | Whatever is relevant | Legitimate interest (Art. 6(1)(f)) |
| Corporate transactions (M&A, restructuring, future U.S. subsidiary spin-up) | Whatever is necessary | Legitimate interest (Art. 6(1)(f)), with notice and continuation of this Policy's protections |
| AI-assisted features (where you use them as Customer) | Customer-provided inputs | Contract performance with respect to your use; the underlying model providers act as Sub-processors (see Sub-Processor Page). We do not use your inputs to train general-purpose AI models without your consent. |
3.1 What We Do Not Do
- We do not sell your personal data to data brokers, advertisers, or any third party for monetary or other valuable consideration.
- We do not engage in cross-context behavioral advertising that would qualify as "sharing" or "selling" under CCPA/CPRA, except to the extent that loading an analytics or advertising cookie on our marketing pages may be deemed "sharing" under California law - and where it is, we honor opt-out signals (see Section 13).
- We do not use your Customer Data (the data you process through the Platform about your end users) for our own marketing or to train AI models - this is governed by the DPA.
- We do not perform automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22.
4. How We Share Personal Data
We share personal data only with the categories of recipients described below, and only as necessary for the purposes set out in Section 3.
4.1 Sub-Processors (Service Providers)
We use carefully selected service providers to operate the Platform. The current list is published at followup.agency/legal/sub-processors and is updated when sub-processors are added or removed. Categories include:
| Category | Representative Providers | Purpose |
|---|---|---|
| Underlying SaaS platform | HighLevel Inc. (USA) | Core Platform infrastructure |
| Cloud hosting | Google Cloud Platform (USA, EU regions) | Server, storage, networking |
| Communications (SMS / Voice) | Twilio Inc. / LeadConnector | Sending SMS, voice, MMS |
| Email delivery | Mailgun, SendGrid, Amazon SES | Transactional and marketing email |
| Payment processing | Flitt (TBC Bank Group), Stripe Inc. (future US affiliate) | Payment processing |
| AI model providers | OpenAI, Anthropic, ElevenLabs, Google (where AI features used) | Powering Platform AI features |
| Analytics | Google Analytics 4, in-product analytics tools | Usage analytics |
| Customer support tools | Help-desk, ticketing, in-app chat providers | Supporting customer inquiries |
| Domain & DNS services | Cloudflare | Domain management, DDoS protection |
| Security & monitoring | Logging, vulnerability scanning, penetration testing partners | Platform security |
Each Sub-processor is bound by a written contract that imposes confidentiality, security, and data-protection obligations consistent with GDPR Article 28 and equivalent laws.
4.2 Within Our Group / Affiliated Entities
If we form a U.S. affiliate (anticipated as a Stripe Atlas Delaware LLC), we may share your personal data with that affiliate as necessary to operate as a unified business. The affiliate will be bound by this Policy and by intra-group data transfer agreements (including, where relevant, EU Standard Contractual Clauses).
4.3 Professional Advisors
Lawyers, accountants, auditors, and consultants who advise us, bound by professional confidentiality.
4.4 Authorities
We disclose personal data to courts, regulators, law enforcement, or other government authorities where:
- we are legally compelled (by valid court order, subpoena, or equivalent);
- we are required to report (e.g., a data breach notification to the Personal Data Protection Service of Georgia or an EU supervisory authority);
- we believe in good faith that disclosure is necessary to protect rights, property, or safety.
When permitted by law, we will notify you of the request and challenge over-broad demands.
4.5 Corporate Transactions
If we are involved in a merger, acquisition, sale of assets, financing, reorganization, bankruptcy, or similar corporate transaction, personal data may be disclosed or transferred to the counterparty or successor, subject to confidentiality and continuation of equivalent protections. We will notify you of any change in Controller.
4.6 With Your Consent or at Your Direction
For example, if you ask us to integrate the Platform with a third-party service, or to publish a testimonial.
4.7 What We Don't Share
- We do not share your personal data with advertising networks for cross-context behavioral advertising on the FollowUP CRM Platform.
- We do not share End User data (data you process through the Platform) outside the scope of the DPA.
5. International Data Transfers
5.1 Where Your Data Is Processed
Your personal data is processed primarily in:
- the United States (HighLevel Inc.'s infrastructure, hosted on Google Cloud Platform; Twilio; OpenAI; Anthropic; many other Sub-processors);
- the European Union (some Sub-processors operate in EU regions);
- Georgia (our own administrative operations, customer support);
- other countries where Sub-processors operate.
5.2 Transfer Mechanisms
For data flowing from the EEA, UK, or Switzerland to the United States or other "third countries":
(a) HighLevel Inc. is certified under the EU-U.S. Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy Framework. This provides a lawful transfer mechanism under GDPR Article 45 (adequacy). Certification status: verifiable at dataprivacyframework.gov.
(b) For Sub-processors not covered by the DPF, we rely on:
- EU Standard Contractual Clauses (SCCs) - Commission Implementing Decision (EU) 2021/914, as supplemented by additional safeguards where required by post-Schrems II Transfer Impact Assessments;
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, for UK-origin data;
- Adequacy decisions where the European Commission has determined the destination provides adequate protection (e.g., the UK, Switzerland, Canada-commercial, Japan, South Korea, the Channel Islands);
- Derogations under GDPR Article 49 only in limited, exceptional cases (with documented justification).
5.3 Transfer Impact Assessments
Where we transfer personal data to a country without an adequacy decision, we conduct (with input from the relevant Sub-processor) a Transfer Impact Assessment (TIA) to evaluate the risk of government surveillance and other interferences with EU rights. Where TIAs identify residual risk, we implement additional safeguards (for example, end-to-end encryption with keys held by us, or pseudonymization).
5.4 Your Rights to Information
You may obtain a copy of the relevant transfer mechanism (SCCs, IDTA, etc.) by emailing info@followup.agency, redacted as necessary to protect commercial confidentiality.
6. How We Protect Your Personal Data
6.1 Technical and Organizational Measures
We implement security measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. Many of these measures are inherited from HighLevel's certified security program:
- Encryption at rest: AES-256 for sensitive data
- Encryption in transit: TLS 1.2 or higher for all communications
- Access controls: Role-based access (RBAC), least-privilege principles, multi-factor authentication for administrative access
- Network security: Web Application Firewall (WAF), DDoS mitigation, network segregation
- Monitoring: Continuous security monitoring, anomaly detection, audit logging of privileged access
- Vulnerability management: Quarterly vulnerability scans, annual third-party penetration testing
- Data segregation: Logical isolation of customer data
- Secure software development: Defined SDLC, code review, security testing in CI/CD
- Personnel: Background checks, mandatory security training, confidentiality agreements
- Vendor risk management: Due diligence on Sub-processors, contractual security requirements
- Backup and disaster recovery: Regular backups, tested recovery procedures
- Incident response: Documented incident response plan with defined ownership
6.2 Certifications of Our Underlying Infrastructure
Through HighLevel Inc., the underlying infrastructure of the Platform holds:
- ISO/IEC 27001:2022 - information security management
- SOC 2 Type II - annual third-party audit of security, availability, and confidentiality controls
- EU-U.S. Data Privacy Framework - international transfer compliance
- HIPAA-ready capability (for Customers on the HIPAA tier with executed BAA - not yet generally offered by us)
6.3 Your Role in Protecting Your Data
Security is a shared responsibility. You should:
- Use a strong, unique password
- Enable two-factor authentication (2FA) on your account
- Keep your devices, browsers, and operating systems updated
- Be alert to phishing attempts (we will never ask you for your password by email)
- Promptly notify us at info@followup.agency of any suspected unauthorized access
6.4 Data Breach Notification
If a personal data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Article 34, Georgian Data Protection Law, and other applicable laws. We will also notify the relevant supervisory authority within 72 hours where required, as Controller.
7. How Long We Keep Your Personal Data
We keep personal data only as long as necessary for the purposes set out in this Policy, plus any retention period required by law. Specific retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of your subscription | Service provision |
| Account data after closure | 7 years | Georgian tax and accounting law (typically 6 years + buffer); equivalent rules elsewhere |
| Billing and tax records | 7 years from the end of the relevant tax year | Tax law |
| Marketing data (where consent withdrawn or no engagement) | 24 months after last interaction | Legitimate interest balanced against user expectations |
| Customer support tickets | 3 years from closure | Service improvement, defense of claims |
| Security and audit logs | 12 months (some logs longer for forensic/legal need) | Security, fraud prevention, legal obligation |
| Backups | Up to 90 days rolling, then overwritten | Disaster recovery |
| Affiliate program records (after termination) | 7 years | Tax and commission audit requirements |
| Payment transaction records (last 4 of card, type, date) | 7 years | Tax law; fraud detection |
| Cookies and analytics data | See Cookie Policy | Per cookie type |
| Recordings of demo/sales calls (where given notice) | 24 months | Sales training, compliance |
| Legal hold data | As required by the relevant proceeding | Legal obligation |
After the applicable retention period, we either delete the data or irreversibly anonymize it.
8. Your Rights
Depending on where you are located, you may have the following rights with respect to your personal data. We facilitate the exercise of these rights regardless of where you are located, subject to verification of your identity.
8.1 Rights for Individuals in the EU/EEA, UK, and Switzerland (GDPR / UK GDPR)
(a) Right of access - to obtain confirmation of whether we process your personal data, and a copy of it (Art. 15). (b) Right to rectification - to correct inaccurate or incomplete data (Art. 16). (c) Right to erasure ("right to be forgotten") - to have your data deleted in certain circumstances (Art. 17). (d) Right to restriction of processing - to "freeze" processing in certain circumstances (Art. 18). (e) Right to data portability - to receive your data in a structured, commonly used, machine-readable format and transfer it to another controller (Art. 20). (f) Right to object - to object to processing based on legitimate interests, including direct marketing (Art. 21). For direct marketing, the objection is absolute. (g) Right not to be subject to automated decision-making - including profiling, with legal or similarly significant effects (Art. 22). We do not engage in such automated decision-making. (h) Right to withdraw consent - at any time, where processing is based on consent (Art. 7(3)). Withdrawal does not affect lawfulness of past processing. (i) Right to lodge a complaint - with a supervisory authority. For Georgia, this is the Personal Data Protection Service of Georgia (PDPS) at personaldata.ge. For EU residents, you may complain to the supervisory authority of your habitual residence, place of work, or place of alleged infringement.
8.2 Rights for Individuals in Georgia
Under the Law of Georgia on Personal Data Protection, you have rights equivalent to those in Section 8.1, including: access, correction, deletion, blocking of processing, withdrawal of consent, and complaint to the Personal Data Protection Service of Georgia (PDPS), personaldata.ge.
8.3 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights:
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share, including categories, sources, purposes, and recipients.
- Right to delete personal information we have collected about you (with statutory exceptions).
- Right to correct inaccurate personal information.
- Right to opt-out of "sale" or "sharing" of personal information. We do not sell personal information for monetary consideration. To the extent loading certain advertising/analytics cookies on our marketing site may be deemed "sharing" for cross-context behavioral advertising, you may opt out via our cookie preferences interface or via Global Privacy Control (see Section 13).
- Right to limit use of sensitive personal information - we do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising your rights.
8.4 Rights for Other U.S. State Residents
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have rights equivalent to the California rights, with state-specific variations. We honor these rights in accordance with applicable state law.
8.5 How to Exercise Your Rights
Send your request to info@followup.agency with:
- a description of the right you wish to exercise;
- enough information to verify your identity (we may need to confirm with information already in your account);
- the email address associated with your account, if applicable.
Response time:
- GDPR / UK GDPR / EEA / Switzerland: within one month (extendable by up to two further months for complex requests, with notice).
- Georgia: within 10 business days under the Georgian Data Protection Law.
- California / other U.S. states: within the timeframe required by the applicable state law (typically 45 days, extendable).
Exercising these rights is free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, and we will explain why).
8.6 Authorized Agents
You may use an authorized agent to make a request on your behalf. We may require: (a) verification of the agent's authority (signed permission, power of attorney); and (b) verification of your identity directly with you.
9. Marketing Communications
9.1 To Existing Customers
We may send you marketing emails about features, updates, similar products, or events, based on our legitimate interest under GDPR Article 6(1)(f) and the "soft opt-in" rule under PECR/ePrivacy. You can opt out at any time by:
- clicking the "unsubscribe" link in any marketing email;
- adjusting your preferences in your account settings;
- emailing info@followup.agency.
9.2 To Non-Customers (Newsletter, Demos, Lead Generation)
We send marketing communications to non-customers only with explicit consent, captured at the point of signup. Each communication contains an easy unsubscribe mechanism.
9.3 SMS / Phone Marketing
We do not send SMS or voice marketing to non-customers. Where you provide a phone number to us as a customer, we may use it for transactional and service messages (e.g., security alerts, account changes, support callbacks) - not for marketing - unless you have explicitly opted in to SMS marketing.
9.4 Customer Communications You Send Through the Platform
The compliance obligations for SMS, email, voice, and other communications you send through the Platform to your end users are governed by the Master Subscription Agreement (Section 6) and applicable laws (TCPA, CAN-SPAM, CASL, GDPR Art. 6 and ePrivacy, etc.). You - not we - are the sender for those communications.
10. Cookies and Similar Technologies
We use cookies and similar technologies (pixels, local storage, SDKs) on our website and within the Platform. Detailed information - including the categories of cookies, individual cookies in use, their purposes, durations, and your consent and control options - is in our separate Cookie Policy at followup.agency/legal/cookies.
In summary:
- Strictly necessary cookies are loaded automatically; no consent is required.
- All other cookies (functional, analytics, marketing) are loaded only after you provide consent through our cookie banner, and you may withdraw consent at any time via the "Cookie Preferences" link in our website footer.
- We honor Global Privacy Control (GPC) signals as a valid opt-out for California consumers.
11. Third-Party Links and Integrations
The Platform and our website may include links to third-party websites, integrations with third-party services (Stripe, Calendly, social media platforms, AI providers, etc.), and content provided by third parties. We are not responsible for the privacy practices of third parties. Their handling of your personal data is governed by their own privacy policies. Where you choose to integrate a third-party service with your Platform Account, that service may receive personal data from us at your direction, and you are responsible for ensuring you have the legal basis to share it.
12. Affiliate Program
If you participate in our Affiliate Program (described in MSA Section 12), we collect additional personal data: tax identification (for payouts), banking details, identity verification documents (for AML/KYC compliance), and the email addresses of people you refer to us (for attribution).
Affiliate-specific note for referred persons: if you have been referred to FollowUP CRM by an affiliate, we may receive your name and email from that affiliate solely for the purpose of attributing the referral. We process this data on the legal basis of legitimate interest in commission tracking. You can object to this processing by emailing info@followup.agency.
13. Region-Specific Provisions
13.1 California Residents (CCPA/CPRA)
In addition to your rights in Section 8.3:
- Categories of personal information collected (last 12 months): Identifiers (name, email, IP), Commercial information (transactions), Internet/network activity (usage data), Geolocation (approximate), Inferences (preferences derived from usage). We do not collect biometric, health, or precise geolocation data.
- Sources: directly from you, automatically from your use of the website/Platform, from third parties (payment processors, SSO providers, integrations).
- Purposes: providing services, security, communications, billing - as detailed in Section 3.
- Disclosures: Sub-processors (Section 4); authorities (Section 4.4).
- "Sale" or "sharing": We do not sell personal information for monetary consideration. To the extent loading advertising/analytics cookies on our marketing pages may constitute "sharing" for cross-context behavioral advertising, you may opt out via our cookie banner or by submitting a Global Privacy Control (GPC) signal, which we honor.
- Notice of financial incentive: none currently offered.
- Authorized agents: see Section 8.6.
13.2 European Economic Area & United Kingdom (GDPR / UK GDPR)
Your rights are detailed in Section 8.1.
Current status - EU / UK Representative. As of the Effective Date of this Privacy Policy, FollowUP CRM does not actively offer the Platform to data subjects in the European Economic Area or the United Kingdom (our Customer base is currently limited to Georgia). For this reason, we have not appointed an Article 27 representative at this time, on the basis that GDPR Article 27(2) exempts processing that is occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to data subjects' rights and freedoms.
We will appoint an Article 27 representative (and, separately, a UK Representative under UK GDPR Article 27) before we begin actively targeting or offering the Platform to data subjects established in the EEA or UK on a regular and systematic basis. We will update this section accordingly when that occurs.
In the interim, EU and UK data subjects who interact with us through any channel may contact us directly at info@followup.agency for all matters under this Policy. We will respond to data subject rights requests in accordance with GDPR Article 12 timelines (one month, extendable in complex cases).
13.3 Georgia (Personal Data Protection Service)
- Supervisory authority: Personal Data Protection Service of Georgia
- Website: personaldata.ge
- Address: Tbilisi, Georgia (current address per personaldata.ge)
- Filing a complaint: see procedures at personaldata.ge
13.4 Other Jurisdictions
If you are located elsewhere and have specific rights under local law not addressed here, please contact us at info@followup.agency and we will endeavor to honor your rights to the extent required.
14. Data Protection Officer / Privacy Contact
We have appointed a Privacy Lead who serves as the primary contact for data protection matters:
Privacy Lead, FollowUP CRM Email: info@followup.agency Postal: Bakhtrioni 11, Tbilisi, Georgia (mark "Privacy Lead - Confidential")
A formal Data Protection Officer (DPO) under GDPR Article 37 will be appointed if and when our processing activities require it (which becomes likely as our customer base in regulated sectors and EU residents grows). Until then, the Privacy Lead serves the equivalent function.
15. Changes to This Policy
We may update this Policy from time to time. When we do:
- Material changes (changes that meaningfully reduce your rights, expand the categories of data we collect, change purposes of processing, or add new categories of recipients) will be communicated by email and prominent in-product/website notice at least 30 days before they take effect.
- Non-material changes (clarifications, typographical corrections, links updates, structural improvements) will be reflected in the "Last Updated" date at the top of this Policy.
A version history of material changes is available on request at info@followup.agency.
16. How to Contact Us
For any privacy-related question, request, or complaint:
Sales Consulting Group LLC (operating as FollowUP CRM) Bakhtrioni 11, Tbilisi, Georgia Company ID: 405727254
- General privacy inquiries / DSR requests: info@followup.agency
- Security incidents: info@followup.agency
- General support: info@followup.agency
- Legal: info@followup.agency
We respond to all good-faith inquiries.
End of Privacy Policy v2.0
