TSworkflow – AI-powered CRM
Sign in
Privacy

Privacy policy

Last updated: 12 May 2026

Who we are

TSworkflow AS is a Norwegian company providing an AI-powered CRM platform. For privacy questions, contact post@tsworkflow.com.

What data we collect

  • Account data: name, email, organisation, role, profile photo (if provided)
  • Customer data: contacts, deals, quotes, contracts, calendar, email threads — entered or synced by you
  • Usage data: page views, button clicks (anonymised when possible), error reports
  • Technical data: IP, browser, OS — for security and abuse prevention

How we use it

  • To provide the platform features you have enabled
  • To respond to support requests
  • To improve the platform and detect abuse
  • To meet legal obligations (e.g. accounting, security)

Data residency

All customer data is stored within the EU (Supabase EU regions, Google Cloud europe-north1). No transfer to third countries without explicit consent.

Your rights (GDPR)

  • Right of access — download all your data
  • Right to rectification — fix inaccurate data
  • Right to erasure — delete your account and associated data
  • Right to portability — export in machine-readable format
  • Right to object — opt out of non-essential processing

To exercise any right, email us. We respond within 30 days.

Subprocessors

We use the following processors. All are GDPR-compliant.

  • Supabase — database and auth (EU)
  • Google Cloud Run — application hosting (europe-north1)
  • OpenAI — AI inference (with EU data residency option)
  • Telnyx — phone/voice provider (US, with DPA)
  • Sentry — error monitoring (EU)

Third-party platform integrations

When you connect a platform account (Facebook Page, Instagram Business, Google Ads, TikTok Business, Gmail, Outlook, Tripletex), TSworkflow accesses data you authorise. Each integration only accesses what is strictly required to deliver the feature you enable. Access tokens are stored encrypted using envelope encryption (AES-256-GCM).

Meta (Facebook + Instagram)

  • pages_show_list — list the Facebook Pages you administer, so you can choose which one to connect.
  • pages_messaging + pages_messaging_subscriptions — read and reply to messages sent to your Page on your behalf via our AI assistant. Messages are processed in real time and stored encrypted at rest in EU.
  • pages_manage_metadata — subscribe your Page to our webhook so we receive new messages as they arrive.
  • instagram_basic + instagram_manage_messages — same as above, for your Instagram Business account connected to the Page.
  • We do not post content to your Page or Instagram feed. We do not access your friends list, profile information, or any data outside the specific Page/Instagram account you connect.

Google (Workspace + Ads)

  • gmail.readonly + gmail.send — read incoming emails for your connected mailbox and send AI-generated replies on your behalf.
  • calendar + calendar.events — sync appointments to your CRM and create bookings when customers ask.
  • contacts.readonly + userinfo.profile — auto-fill CRM contacts and identify the signed-in user.
  • adwords — read campaign performance and (with your approval) push ad creative generated by Dennis. Read-only by default; write requires explicit opt-in per organisation.

TikTok Business

  • Receive Lead Gen Form submissions via webhook and forward them to your CRM.
  • Read campaign performance metrics (opt-in).

Tripletex

  • Read/write orders, invoices and contacts via API token you provide.

Data deletion

You can revoke any integration at any time from Settings → Integrations. We will delete the associated access tokens and stop accessing the platform within 24 hours. For Meta-specific deletion requests, see our Data Deletion Request page.

Cookies

We use functional cookies for sign-in and language preference. Optional analytics cookies (Plausible) are aggregated and contain no personal data. We ask for consent before any non-essential tracking.

Retention

Active customer data is retained until account deletion. Logs are kept up to 90 days for security purposes, then deleted automatically.

Changes to this policy

We notify users of material changes via email at least 30 days before they take effect.