Skip to content
    FollowUP Logo

    Privacy Policy

    How we collect, use, and protect your personal data - GDPR, CCPA, and Georgian Law compliance.

    FollowUP CRM - Privacy Policy

    Effective Date: 10 May 2026 Version: 2.0 Last Updated: 10 May 2026 Governing Language: English (Georgian translation provided for informational purposes only; in case of conflict, this English version controls.)


    📋 Quick Summary (TL;DR)

    We know you don't want to read a 30-page legal document. Here's what matters most:

    • Who we are. Sales Consulting Group LLC (Georgian Company ID 405727254), operating the FollowUP CRM platform built on white-labelled GoHighLevel infrastructure.
    • Two roles, two policies. When you visit our website or are our paying customer, we are the Controller of your data - this Policy applies to you. When you use FollowUP CRM to process your customers' / contacts' / leads' data, we act as a Processor on your behalf - that processing is governed by our Data Processing Addendum (DPA), not this Policy.
    • What we collect. Account information, billing data, usage data, communications you send us, and (for website visitors) cookies and analytics data.
    • What we don't do. We don't sell your personal data. We don't use your customer data to train AI models without your consent.
    • Your rights. Access, correction, deletion, data portability, objection, withdrawal of consent - exercisable by emailing info@followup.agency.
    • Where your data goes. Most processing happens on infrastructure operated by HighLevel Inc. (USA), a participant in the EU-U.S. Data Privacy Framework. Other Sub-processors are listed at followup.agency/sub-processors.
    • How long we keep it. Account data: 7 years after closure (tax law). Marketing data: until you opt out, then 24 months max. Logs: 12 months. Full table in Section 8.
    • Questions? info@followup.agency.

    1. Introduction and Scope

    1.1 Who We Are

    This Privacy Policy ("Policy") is published by:

    Sales Consulting Group LLC Georgian Company ID: 405727254 Registered Address: Bakhtrioni 11, Tbilisi, Georgia Operating Brand: FollowUP CRM Website: followup.agency

    (referred to as "FollowUP CRM", "we", "us", or "our").

    1.2 What This Policy Covers

    This Policy explains how we collect, use, share, store, and protect personal data when you:

    (a) visit our website (followup.agency); (b) create an account, start a free trial, or subscribe to the FollowUP CRM platform (the "Platform"); (c) communicate with us by email, phone, chat, or social media; (d) participate in our Affiliate Program; (e) attend our events, webinars, or demos; or (f) otherwise interact with us in connection with the Platform.

    In all of the above activities, we act as a "Data Controller" - meaning we determine why and how your personal data is processed.

    1.3 What This Policy Does Not Cover

    This Policy does not cover personal data that you, as our Customer, process through the Platform about your end users (your contacts, leads, customers, patients, students, message recipients, etc.). For that processing:

    • You are the Data Controller.
    • We are the Data Processor, acting on your documented instructions.
    • That processing is governed by our Data Processing Addendum (DPA), available at followup.agency/legal/dpa (or as separately executed).
    • You - not us - are responsible for providing privacy notices to your end users, obtaining their consents, and responding to their data subject rights requests in the first instance.

    Why this distinction matters. If you are a marketing agency using FollowUP CRM to send SMS to your client's customers, those customers' data is your responsibility under data protection law. Our role is purely to operate the technical infrastructure on your instructions. The DPA defines that processor relationship in detail.

    1.4 Applicable Laws

    This Policy is designed to comply with:

    • the Law of Georgia on Personal Data Protection (as amended in 2023);
    • the EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679;
    • the UK GDPR and Data Protection Act 2018;
    • the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and equivalent U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and others as enacted);
    • the EU ePrivacy Directive (2002/58/EC) as transposed into national law (governing electronic marketing and cookies);
    • the UK Privacy and Electronic Communications Regulations (PECR);
    • where applicable to communications you send through the Platform: the U.S. Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), and equivalent regimes (these are addressed in the Master Subscription Agreement, not in this Policy, because they apply to your role as sender, not ours).

    Where our practices need to differ in a particular jurisdiction (e.g., for California consumers under CCPA/CPRA), region-specific provisions are set out in Section 13.


    2. Personal Data We Collect

    We collect personal data in three ways: (a) information you give us, (b) information we collect automatically when you use our website or Platform, and (c) information we receive from third parties.

    2.1 Information You Give Us

    CategoryExamplesWhen We Collect
    Identity DataFull name, business name, job titleAccount registration, trial signup, contact forms
    Contact DataEmail, phone number, billing address, countryAccount registration, sales inquiries
    Account CredentialsUsername, hashed password, 2FA secretsAccount creation, login
    Billing DataLast 4 digits of payment card, billing address, VAT ID, invoices (full card data is held by Flitt/TBC, not us)Subscription activation, payment processing
    Communications ContentEmails, support tickets, chat messages, recorded calls (with notice), survey responsesWhen you contact us
    Marketing PreferencesOpt-in/opt-out status, communication preferencesAccount settings, signup forms, unsubscribe links
    Affiliate Program DataBanking details for payouts, tax ID, identity verification documentsJoining the Affiliate Program
    User-Provided ContentAnything you voluntarily share - testimonials, reviews, social posts mentioning usWhen you provide it

    2.2 Information We Collect Automatically

    CategoryExamplesCollection Method
    Device & BrowserIP address, browser type and version, OS, screen resolution, device identifiersWeb/mobile access
    Usage DataPages visited, features used, click patterns, session duration, login frequency, error logsWeb analytics, in-app telemetry
    Location DataApproximate location derived from IP (city/country level) - not precise GPSIP geolocation
    Cookies & Similar TechSee our Cookie PolicyWebsite browsing, in-app activity
    Performance & SecurityError reports, crash logs, security event logs, anomaly detection signalsPlatform monitoring
    Communications MetadataEmail open/click events, message delivery status, IP of email actionsWhen you interact with our marketing emails or support replies

    2.3 Information from Third Parties

    SourceWhat We Receive
    Payment processors (Flitt/TBC, Stripe)Confirmation of payments, last 4 digits of card, payment method type - never full card data
    Single Sign-On providers (Google, Microsoft)Where you log in via SSO: name, email, profile picture (per your SSO permissions)
    Marketing partners and integrationsLead data where you enter our funnel via partner referrals or integrations
    HighLevel Inc.Aggregate platform metrics, security signals, sub-processor information
    Public sourcesBusiness information from public registries (for due-diligence, fraud prevention)
    Affiliate referrersIdentification of who referred you, for commission tracking

    2.4 Sensitive / Special-Category Data

    We do not knowingly collect special-category personal data (health, racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, sexual orientation, trade union membership) about you in the operation of the Platform.

    If you are a healthcare provider, financial services firm, or similar regulated business that processes such data of your end users through the Platform, that processing is governed by the DPA, not by this Policy. In particular, processing of U.S. Protected Health Information (PHI) under HIPAA requires a separate Business Associate Agreement (BAA), and is not currently within our standard offering - contact info@followup.agency if your use case requires HIPAA compliance.

    2.5 Children

    The Platform is intended for business users aged 18 or older. We do not knowingly collect personal data from children under 18 in the context of this Policy.

    For the avoidance of doubt: where the Platform is used by our Customers to communicate with their end users, the responsibility for not targeting minors (and for obtaining parental consent under COPPA, GDPR Article 8, Georgian law, or other applicable rules where minors are involved in the recipient base) sits with the Customer, not with us. Our DPA addresses this allocation.

    If we become aware that we have inadvertently collected personal data from a child under 18 in our role as Controller, we will delete it promptly. Please contact info@followup.agency.


    3. How We Use Your Personal Data - and the Legal Basis for Each Use

    Under GDPR Article 6, Georgian Data Protection Law Article 5, and equivalent laws, we must have a lawful basis for each processing activity. The table below sets out our purposes and the corresponding lawful basis.

    Purpose of ProcessingCategories of Data UsedLawful Basis (GDPR / Georgian Law)
    Account creation, login, authenticationIdentity, Contact, CredentialsContract performance (Art. 6(1)(b))
    Providing the Platform and its features to youIdentity, Contact, Usage, Account CredentialsContract performance (Art. 6(1)(b))
    Processing payments and managing billingIdentity, BillingContract performance + Legal obligation (tax law) (Art. 6(1)(b), (c))
    Tax record-keeping and complianceIdentity, BillingLegal obligation (Art. 6(1)(c))
    Customer support and service communicationsIdentity, Contact, Communications ContentContract performance + Legitimate interest (Art. 6(1)(b), (f))
    Security monitoring, fraud prevention, abuse detectionUsage, Device, Performance & SecurityLegitimate interest in protecting the Platform and users (Art. 6(1)(f)) + Legal obligation where security incident notification is required (Art. 6(1)(c))
    Product analytics and improvement (aggregated/pseudonymized)Usage (aggregated)Legitimate interest in improving the Platform (Art. 6(1)(f))
    Marketing communications to existing customers about similar productsIdentity, Contact, Marketing PreferencesLegitimate interest with opt-out (Art. 6(1)(f)), or Consent in jurisdictions requiring it (Art. 6(1)(a))
    Marketing to non-customers (newsletter, demos, events)Identity, Contact, Marketing PreferencesConsent (Art. 6(1)(a))
    Cookies and similar technologies (non-essential)Device, UsageConsent (ePrivacy Directive Art. 5(3))
    Cookies (strictly necessary)DeviceLegitimate interest / "no consent required" exception (ePrivacy Directive Art. 5(3) caveat)
    Affiliate Program operations and payoutsIdentity, Contact, Affiliate Program DataContract performance + Legal obligation (Art. 6(1)(b), (c))
    Responding to legal requests, court orders, regulator inquiriesWhatever is responsiveLegal obligation (Art. 6(1)(c))
    Defending or asserting legal claimsWhatever is relevantLegitimate interest (Art. 6(1)(f))
    Corporate transactions (M&A, restructuring, future U.S. subsidiary spin-up)Whatever is necessaryLegitimate interest (Art. 6(1)(f)), with notice and continuation of this Policy's protections
    AI-assisted features (where you use them as Customer)Customer-provided inputsContract performance with respect to your use; the underlying model providers act as Sub-processors (see Sub-Processor Page). We do not use your inputs to train general-purpose AI models without your consent.

    3.1 What We Do Not Do

    • We do not sell your personal data to data brokers, advertisers, or any third party for monetary or other valuable consideration.
    • We do not engage in cross-context behavioral advertising that would qualify as "sharing" or "selling" under CCPA/CPRA, except to the extent that loading an analytics or advertising cookie on our marketing pages may be deemed "sharing" under California law - and where it is, we honor opt-out signals (see Section 13).
    • We do not use your Customer Data (the data you process through the Platform about your end users) for our own marketing or to train AI models - this is governed by the DPA.
    • We do not perform automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22.

    4. How We Share Personal Data

    We share personal data only with the categories of recipients described below, and only as necessary for the purposes set out in Section 3.

    4.1 Sub-Processors (Service Providers)

    We use carefully selected service providers to operate the Platform. The current list is published at followup.agency/legal/sub-processors and is updated when sub-processors are added or removed. Categories include:

    CategoryRepresentative ProvidersPurpose
    Underlying SaaS platformHighLevel Inc. (USA)Core Platform infrastructure
    Cloud hostingGoogle Cloud Platform (USA, EU regions)Server, storage, networking
    Communications (SMS / Voice)Twilio Inc. / LeadConnectorSending SMS, voice, MMS
    Email deliveryMailgun, SendGrid, Amazon SESTransactional and marketing email
    Payment processingFlitt (TBC Bank Group), Stripe Inc. (future US affiliate)Payment processing
    AI model providersOpenAI, Anthropic, ElevenLabs, Google (where AI features used)Powering Platform AI features
    AnalyticsGoogle Analytics 4, in-product analytics toolsUsage analytics
    Customer support toolsHelp-desk, ticketing, in-app chat providersSupporting customer inquiries
    Domain & DNS servicesCloudflareDomain management, DDoS protection
    Security & monitoringLogging, vulnerability scanning, penetration testing partnersPlatform security

    Each Sub-processor is bound by a written contract that imposes confidentiality, security, and data-protection obligations consistent with GDPR Article 28 and equivalent laws.

    4.2 Within Our Group / Affiliated Entities

    If we form a U.S. affiliate (anticipated as a Stripe Atlas Delaware LLC), we may share your personal data with that affiliate as necessary to operate as a unified business. The affiliate will be bound by this Policy and by intra-group data transfer agreements (including, where relevant, EU Standard Contractual Clauses).

    4.3 Professional Advisors

    Lawyers, accountants, auditors, and consultants who advise us, bound by professional confidentiality.

    4.4 Authorities

    We disclose personal data to courts, regulators, law enforcement, or other government authorities where:

    • we are legally compelled (by valid court order, subpoena, or equivalent);
    • we are required to report (e.g., a data breach notification to the Personal Data Protection Service of Georgia or an EU supervisory authority);
    • we believe in good faith that disclosure is necessary to protect rights, property, or safety.

    When permitted by law, we will notify you of the request and challenge over-broad demands.

    4.5 Corporate Transactions

    If we are involved in a merger, acquisition, sale of assets, financing, reorganization, bankruptcy, or similar corporate transaction, personal data may be disclosed or transferred to the counterparty or successor, subject to confidentiality and continuation of equivalent protections. We will notify you of any change in Controller.

    4.6 With Your Consent or at Your Direction

    For example, if you ask us to integrate the Platform with a third-party service, or to publish a testimonial.

    4.7 What We Don't Share

    • We do not share your personal data with advertising networks for cross-context behavioral advertising on the FollowUP CRM Platform.
    • We do not share End User data (data you process through the Platform) outside the scope of the DPA.

    5. International Data Transfers

    5.1 Where Your Data Is Processed

    Your personal data is processed primarily in:

    • the United States (HighLevel Inc.'s infrastructure, hosted on Google Cloud Platform; Twilio; OpenAI; Anthropic; many other Sub-processors);
    • the European Union (some Sub-processors operate in EU regions);
    • Georgia (our own administrative operations, customer support);
    • other countries where Sub-processors operate.

    5.2 Transfer Mechanisms

    For data flowing from the EEA, UK, or Switzerland to the United States or other "third countries":

    (a) HighLevel Inc. is certified under the EU-U.S. Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy Framework. This provides a lawful transfer mechanism under GDPR Article 45 (adequacy). Certification status: verifiable at dataprivacyframework.gov.

    (b) For Sub-processors not covered by the DPF, we rely on:

    • EU Standard Contractual Clauses (SCCs) - Commission Implementing Decision (EU) 2021/914, as supplemented by additional safeguards where required by post-Schrems II Transfer Impact Assessments;
    • UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, for UK-origin data;
    • Adequacy decisions where the European Commission has determined the destination provides adequate protection (e.g., the UK, Switzerland, Canada-commercial, Japan, South Korea, the Channel Islands);
    • Derogations under GDPR Article 49 only in limited, exceptional cases (with documented justification).

    5.3 Transfer Impact Assessments

    Where we transfer personal data to a country without an adequacy decision, we conduct (with input from the relevant Sub-processor) a Transfer Impact Assessment (TIA) to evaluate the risk of government surveillance and other interferences with EU rights. Where TIAs identify residual risk, we implement additional safeguards (for example, end-to-end encryption with keys held by us, or pseudonymization).

    5.4 Your Rights to Information

    You may obtain a copy of the relevant transfer mechanism (SCCs, IDTA, etc.) by emailing info@followup.agency, redacted as necessary to protect commercial confidentiality.


    6. How We Protect Your Personal Data

    6.1 Technical and Organizational Measures

    We implement security measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. Many of these measures are inherited from HighLevel's certified security program:

    • Encryption at rest: AES-256 for sensitive data
    • Encryption in transit: TLS 1.2 or higher for all communications
    • Access controls: Role-based access (RBAC), least-privilege principles, multi-factor authentication for administrative access
    • Network security: Web Application Firewall (WAF), DDoS mitigation, network segregation
    • Monitoring: Continuous security monitoring, anomaly detection, audit logging of privileged access
    • Vulnerability management: Quarterly vulnerability scans, annual third-party penetration testing
    • Data segregation: Logical isolation of customer data
    • Secure software development: Defined SDLC, code review, security testing in CI/CD
    • Personnel: Background checks, mandatory security training, confidentiality agreements
    • Vendor risk management: Due diligence on Sub-processors, contractual security requirements
    • Backup and disaster recovery: Regular backups, tested recovery procedures
    • Incident response: Documented incident response plan with defined ownership

    6.2 Certifications of Our Underlying Infrastructure

    Through HighLevel Inc., the underlying infrastructure of the Platform holds:

    • ISO/IEC 27001:2022 - information security management
    • SOC 2 Type II - annual third-party audit of security, availability, and confidentiality controls
    • EU-U.S. Data Privacy Framework - international transfer compliance
    • HIPAA-ready capability (for Customers on the HIPAA tier with executed BAA - not yet generally offered by us)

    6.3 Your Role in Protecting Your Data

    Security is a shared responsibility. You should:

    • Use a strong, unique password
    • Enable two-factor authentication (2FA) on your account
    • Keep your devices, browsers, and operating systems updated
    • Be alert to phishing attempts (we will never ask you for your password by email)
    • Promptly notify us at info@followup.agency of any suspected unauthorized access

    6.4 Data Breach Notification

    If a personal data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Article 34, Georgian Data Protection Law, and other applicable laws. We will also notify the relevant supervisory authority within 72 hours where required, as Controller.


    7. How Long We Keep Your Personal Data

    We keep personal data only as long as necessary for the purposes set out in this Policy, plus any retention period required by law. Specific retention periods:

    Data CategoryRetention PeriodReason
    Active account dataDuration of your subscriptionService provision
    Account data after closure7 yearsGeorgian tax and accounting law (typically 6 years + buffer); equivalent rules elsewhere
    Billing and tax records7 years from the end of the relevant tax yearTax law
    Marketing data (where consent withdrawn or no engagement)24 months after last interactionLegitimate interest balanced against user expectations
    Customer support tickets3 years from closureService improvement, defense of claims
    Security and audit logs12 months (some logs longer for forensic/legal need)Security, fraud prevention, legal obligation
    BackupsUp to 90 days rolling, then overwrittenDisaster recovery
    Affiliate program records (after termination)7 yearsTax and commission audit requirements
    Payment transaction records (last 4 of card, type, date)7 yearsTax law; fraud detection
    Cookies and analytics dataSee Cookie PolicyPer cookie type
    Recordings of demo/sales calls (where given notice)24 monthsSales training, compliance
    Legal hold dataAs required by the relevant proceedingLegal obligation

    After the applicable retention period, we either delete the data or irreversibly anonymize it.


    8. Your Rights

    Depending on where you are located, you may have the following rights with respect to your personal data. We facilitate the exercise of these rights regardless of where you are located, subject to verification of your identity.

    8.1 Rights for Individuals in the EU/EEA, UK, and Switzerland (GDPR / UK GDPR)

    (a) Right of access - to obtain confirmation of whether we process your personal data, and a copy of it (Art. 15). (b) Right to rectification - to correct inaccurate or incomplete data (Art. 16). (c) Right to erasure ("right to be forgotten") - to have your data deleted in certain circumstances (Art. 17). (d) Right to restriction of processing - to "freeze" processing in certain circumstances (Art. 18). (e) Right to data portability - to receive your data in a structured, commonly used, machine-readable format and transfer it to another controller (Art. 20). (f) Right to object - to object to processing based on legitimate interests, including direct marketing (Art. 21). For direct marketing, the objection is absolute. (g) Right not to be subject to automated decision-making - including profiling, with legal or similarly significant effects (Art. 22). We do not engage in such automated decision-making. (h) Right to withdraw consent - at any time, where processing is based on consent (Art. 7(3)). Withdrawal does not affect lawfulness of past processing. (i) Right to lodge a complaint - with a supervisory authority. For Georgia, this is the Personal Data Protection Service of Georgia (PDPS) at personaldata.ge. For EU residents, you may complain to the supervisory authority of your habitual residence, place of work, or place of alleged infringement.

    8.2 Rights for Individuals in Georgia

    Under the Law of Georgia on Personal Data Protection, you have rights equivalent to those in Section 8.1, including: access, correction, deletion, blocking of processing, withdrawal of consent, and complaint to the Personal Data Protection Service of Georgia (PDPS), personaldata.ge.

    8.3 Rights for California Residents (CCPA/CPRA)

    If you are a California resident, you have additional rights:

    • Right to know what personal information we collect, use, disclose, and (if applicable) sell or share, including categories, sources, purposes, and recipients.
    • Right to delete personal information we have collected about you (with statutory exceptions).
    • Right to correct inaccurate personal information.
    • Right to opt-out of "sale" or "sharing" of personal information. We do not sell personal information for monetary consideration. To the extent loading certain advertising/analytics cookies on our marketing site may be deemed "sharing" for cross-context behavioral advertising, you may opt out via our cookie preferences interface or via Global Privacy Control (see Section 13).
    • Right to limit use of sensitive personal information - we do not use sensitive personal information for purposes that would trigger this right.
    • Right to non-discrimination for exercising your rights.

    8.4 Rights for Other U.S. State Residents

    Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have rights equivalent to the California rights, with state-specific variations. We honor these rights in accordance with applicable state law.

    8.5 How to Exercise Your Rights

    Send your request to info@followup.agency with:

    • a description of the right you wish to exercise;
    • enough information to verify your identity (we may need to confirm with information already in your account);
    • the email address associated with your account, if applicable.

    Response time:

    • GDPR / UK GDPR / EEA / Switzerland: within one month (extendable by up to two further months for complex requests, with notice).
    • Georgia: within 10 business days under the Georgian Data Protection Law.
    • California / other U.S. states: within the timeframe required by the applicable state law (typically 45 days, extendable).

    Exercising these rights is free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, and we will explain why).

    8.6 Authorized Agents

    You may use an authorized agent to make a request on your behalf. We may require: (a) verification of the agent's authority (signed permission, power of attorney); and (b) verification of your identity directly with you.


    9. Marketing Communications

    9.1 To Existing Customers

    We may send you marketing emails about features, updates, similar products, or events, based on our legitimate interest under GDPR Article 6(1)(f) and the "soft opt-in" rule under PECR/ePrivacy. You can opt out at any time by:

    • clicking the "unsubscribe" link in any marketing email;
    • adjusting your preferences in your account settings;
    • emailing info@followup.agency.

    9.2 To Non-Customers (Newsletter, Demos, Lead Generation)

    We send marketing communications to non-customers only with explicit consent, captured at the point of signup. Each communication contains an easy unsubscribe mechanism.

    9.3 SMS / Phone Marketing

    We do not send SMS or voice marketing to non-customers. Where you provide a phone number to us as a customer, we may use it for transactional and service messages (e.g., security alerts, account changes, support callbacks) - not for marketing - unless you have explicitly opted in to SMS marketing.

    9.4 Customer Communications You Send Through the Platform

    The compliance obligations for SMS, email, voice, and other communications you send through the Platform to your end users are governed by the Master Subscription Agreement (Section 6) and applicable laws (TCPA, CAN-SPAM, CASL, GDPR Art. 6 and ePrivacy, etc.). You - not we - are the sender for those communications.


    10. Cookies and Similar Technologies

    We use cookies and similar technologies (pixels, local storage, SDKs) on our website and within the Platform. Detailed information - including the categories of cookies, individual cookies in use, their purposes, durations, and your consent and control options - is in our separate Cookie Policy at followup.agency/legal/cookies.

    In summary:

    • Strictly necessary cookies are loaded automatically; no consent is required.
    • All other cookies (functional, analytics, marketing) are loaded only after you provide consent through our cookie banner, and you may withdraw consent at any time via the "Cookie Preferences" link in our website footer.
    • We honor Global Privacy Control (GPC) signals as a valid opt-out for California consumers.

    11. Third-Party Links and Integrations

    The Platform and our website may include links to third-party websites, integrations with third-party services (Stripe, Calendly, social media platforms, AI providers, etc.), and content provided by third parties. We are not responsible for the privacy practices of third parties. Their handling of your personal data is governed by their own privacy policies. Where you choose to integrate a third-party service with your Platform Account, that service may receive personal data from us at your direction, and you are responsible for ensuring you have the legal basis to share it.


    12. Affiliate Program

    If you participate in our Affiliate Program (described in MSA Section 12), we collect additional personal data: tax identification (for payouts), banking details, identity verification documents (for AML/KYC compliance), and the email addresses of people you refer to us (for attribution).

    Affiliate-specific note for referred persons: if you have been referred to FollowUP CRM by an affiliate, we may receive your name and email from that affiliate solely for the purpose of attributing the referral. We process this data on the legal basis of legitimate interest in commission tracking. You can object to this processing by emailing info@followup.agency.


    13. Region-Specific Provisions

    13.1 California Residents (CCPA/CPRA)

    In addition to your rights in Section 8.3:

    • Categories of personal information collected (last 12 months): Identifiers (name, email, IP), Commercial information (transactions), Internet/network activity (usage data), Geolocation (approximate), Inferences (preferences derived from usage). We do not collect biometric, health, or precise geolocation data.
    • Sources: directly from you, automatically from your use of the website/Platform, from third parties (payment processors, SSO providers, integrations).
    • Purposes: providing services, security, communications, billing - as detailed in Section 3.
    • Disclosures: Sub-processors (Section 4); authorities (Section 4.4).
    • "Sale" or "sharing": We do not sell personal information for monetary consideration. To the extent loading advertising/analytics cookies on our marketing pages may constitute "sharing" for cross-context behavioral advertising, you may opt out via our cookie banner or by submitting a Global Privacy Control (GPC) signal, which we honor.
    • Notice of financial incentive: none currently offered.
    • Authorized agents: see Section 8.6.

    13.2 European Economic Area & United Kingdom (GDPR / UK GDPR)

    Your rights are detailed in Section 8.1.

    Current status - EU / UK Representative. As of the Effective Date of this Privacy Policy, FollowUP CRM does not actively offer the Platform to data subjects in the European Economic Area or the United Kingdom (our Customer base is currently limited to Georgia). For this reason, we have not appointed an Article 27 representative at this time, on the basis that GDPR Article 27(2) exempts processing that is occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to data subjects' rights and freedoms.

    We will appoint an Article 27 representative (and, separately, a UK Representative under UK GDPR Article 27) before we begin actively targeting or offering the Platform to data subjects established in the EEA or UK on a regular and systematic basis. We will update this section accordingly when that occurs.

    In the interim, EU and UK data subjects who interact with us through any channel may contact us directly at info@followup.agency for all matters under this Policy. We will respond to data subject rights requests in accordance with GDPR Article 12 timelines (one month, extendable in complex cases).

    13.3 Georgia (Personal Data Protection Service)

    • Supervisory authority: Personal Data Protection Service of Georgia
    • Website: personaldata.ge
    • Address: Tbilisi, Georgia (current address per personaldata.ge)
    • Filing a complaint: see procedures at personaldata.ge

    13.4 Other Jurisdictions

    If you are located elsewhere and have specific rights under local law not addressed here, please contact us at info@followup.agency and we will endeavor to honor your rights to the extent required.


    14. Data Protection Officer / Privacy Contact

    We have appointed a Privacy Lead who serves as the primary contact for data protection matters:

    Privacy Lead, FollowUP CRM Email: info@followup.agency Postal: Bakhtrioni 11, Tbilisi, Georgia (mark "Privacy Lead - Confidential")

    A formal Data Protection Officer (DPO) under GDPR Article 37 will be appointed if and when our processing activities require it (which becomes likely as our customer base in regulated sectors and EU residents grows). Until then, the Privacy Lead serves the equivalent function.


    15. Changes to This Policy

    We may update this Policy from time to time. When we do:

    • Material changes (changes that meaningfully reduce your rights, expand the categories of data we collect, change purposes of processing, or add new categories of recipients) will be communicated by email and prominent in-product/website notice at least 30 days before they take effect.
    • Non-material changes (clarifications, typographical corrections, links updates, structural improvements) will be reflected in the "Last Updated" date at the top of this Policy.

    A version history of material changes is available on request at info@followup.agency.


    16. How to Contact Us

    For any privacy-related question, request, or complaint:

    Sales Consulting Group LLC (operating as FollowUP CRM) Bakhtrioni 11, Tbilisi, Georgia Company ID: 405727254

    We respond to all good-faith inquiries.


    End of Privacy Policy v2.0