This Privacy Policy explains how 2a Productions, Inc. ("we", "us", or "Deal Desk") collects, uses, and protects information when you use Deal Desk (the "Service"). We've written this in plain English. If something is unclear, email us at support@deal-desk.xyz.
We never sell your data. Full stop. Your deal data is yours — we only process it to run the Service for you.
1. What we collect
We collect only what's needed to run Deal Desk:
- Account info: your name, email, hashed password, and role (rep / manager / admin).
- CRM content you create: accounts, deals, contacts, notes, reminders, commission settings, transcripts you upload.
- Integration data (if you connect it): Google Calendar events, Salesforce account data (read-only), Zoom recordings/transcripts, Stripe payment info (for billing only — handled by Stripe).
- Usage metadata: login timestamps, failed login attempts (for brute-force protection), basic error logs.
- Cookies: a session cookie (HttpOnly, secure) and a CSRF cookie. We do not use third-party tracking or advertising cookies.
2. What we do with it
- Show your data back to you in the app.
- Process AI-assisted features (deal summaries, transcript generation) via OpenAI. Your data is sent to OpenAI under their API terms (no training on your data).
- Send transactional emails (password reset, email verification) via Resend.
- Charge for paid plans, if applicable, via Stripe.
- Detect abuse and keep the Service secure (rate limiting, account lockout, audit logs).
We do not: sell your data, share it with advertisers, train AI models on it, or use it for any purpose outside running the Service.
3. Sub-processors we use
Like most modern apps, we use a small set of trusted vendors. Each one only sees the data it strictly needs.
- MongoDB Atlas — primary data storage (encrypted at rest).
- OpenAI — AI features (deal assistant, transcription via Whisper). Data is sent over their API; OpenAI does not train on API data by default.
- Google — only if you connect Google Calendar (OAuth).
- Salesforce — only if you connect a Salesforce org (OAuth, read-only).
- Zoom — only if you connect Zoom (OAuth).
- Resend — transactional email delivery.
- Stripe — payment processing, if you subscribe to a paid plan.
- Cloud hosting — our backend and database run on commercial cloud infrastructure with industry-standard security.
4. How we protect your data
- Passwords are hashed with bcrypt — we cannot read or recover them.
- All traffic is encrypted in transit (HTTPS / TLS).
- Session cookies are HttpOnly + Secure, with SameSite enforcement and CSRF tokens on mutating requests.
- Brute-force lockout: 5 failed logins locks an account for 15 minutes.
- User-generated HTML is sanitized server-side (Bleach) and client-side (DOMPurify) to prevent XSS.
- Each user's data is strictly scoped — no cross-user leakage.
- OAuth tokens are stored encrypted alongside user records and revoked on disconnect.
5. Your rights
Wherever you live, you can:
- Access all data we have about you — email us and we'll send you an export.
- Correct anything inaccurate — most of it you can edit yourself in the app.
- Delete your account and all associated data. Email support@deal-desk.xyz and we'll process it within 30 days.
- Disconnect any integration (Google, Salesforce, Zoom) at any time from Settings.
- Object / restrict processing — let us know and we'll work with you.
If you're in the EU/UK, these are your GDPR rights. If you're in California, these are your CCPA / CPRA rights.
6. Data retention
We keep your data for as long as your account is active. If you delete your account, we delete your data within 30 days, except where we're legally required to keep it longer (e.g., tax/billing records via Stripe).
7. International transfers
Our servers are hosted in the United States. If you're outside the US, your data may be transferred to and processed in the US. We use industry-standard safeguards for any such transfer.
8. Children
Deal Desk is built for sales professionals. It's not intended for, and we don't knowingly collect data from, anyone under 16.
9. Changes to this policy
If we make material changes, we'll update the "Last updated" date and notify active users by email. Continued use after the change means you accept the updated policy.
10. Contact us
2a Productions, Inc.
New York, NY, USA
support@deal-desk.xyz
This Privacy Policy is provided for transparency. It is not a substitute for legal advice. If you operate in a regulated industry or have unique requirements, please consult your own attorney.