Last updated May 3, 2026
Soulful CRM ("we," "us," or "our") is operated by James Rodney Petty, doing business as Soulful CRM, based in Carson, CA, United States. We are committed to protecting your personal information and your right to privacy.
This Privacy Policy describes how we collect, use, store, and share information when you use our platform at soulfulcrm.com, including all features: client management, session tracking, AI-generated recaps, direct booking, practitioner-to-client email, automated email triggers, webhook integrations, SMS notifications, outbound event dispatching, and onboarding tools.
By using the Services, you agree to the collection and use of information in accordance with this policy.
We collect the following categories of personal information, as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Name, email address, IP address, and account identifiers. Collected when you create an account, update your profile, or use the platform.
Password (stored as a one-way secure hash and never readable by us), display name, practice modalities, tone preferences, and phrases you choose to exclude from AI outputs. We also record the date and time you accepted our Terms of Service.
You may enter client profiles for your own clients, including their names, email addresses, phone numbers, pronouns, intake notes, and session histories. You may also enter raw session notes which are processed by our AI system to generate summaries and follow-up suggestions. This data is associated with your practitioner account and visible only to you.
Session notes, intake notes, and client summaries entered by practitioners may contain health-adjacent or wellness-related information about their clients — for example, notes from Reiki sessions, energy work, or intuitive coaching. Under the CPRA, this type of information may qualify as sensitive personal information.
We process this information solely to provide the Service — specifically, to generate AI-powered session recaps and client summaries at the practitioner's explicit request. We do not use this information for advertising, profiling, or any purpose beyond the immediate service delivery. We do not sell or share this information with third parties for cross-context behavioral advertising. Practitioners retain full control over this data and may delete it at any time.
California residents have the right to limit our use of sensitive personal information to what is necessary to perform the requested Service. See Section 6 (Your CPRA/CCPA Privacy Rights) for instructions on how to exercise this right.
If you enable your public booking page, we collect the name, email address, phone number (optional), requested appointment time, and any optional notes submitted by individuals who book sessions through your page. This information is stored within your practitioner account as a client record and session entry. Booking data is not used by Soulful CRM for any purpose beyond facilitating the booking and populating your CRM.
Individuals who submit a booking are not required to create a Soulful CRM account. Their data is retained as part of your client records and is subject to your own data practices as the practitioner. Individuals wishing to request deletion of their booking data should contact the practitioner directly. Practitioners may also delete client records from within their account at any time.
Paid plan subscribers may send emails to their clients through Soulful CRM. When you use this feature, we store the email templates you create, the automated trigger configurations you set up, and a log of every email sent — including the recipient's email address, subject line, message body, send timestamp, delivery status, and any error messages. This data is associated with your account and the relevant client record.
Client email send logs are stored for up to 12 months and are visible to you within the client's email history tab. These logs are accessible only to you as the practitioner and to Soulful CRM administrators for operational and support purposes.
All client emails are sent through Resend, our third-party email delivery provider. The content of emails and recipient addresses are transmitted to Resend for delivery. Resend operates under its own privacy policy. Client email content is never used by Soulful CRM for advertising, AI training, or any purpose other than facilitating delivery and maintaining your send history.
Soulful CRM supports inbound webhook integrations that allow external services such as Zapier and Squarespace to submit client intake data directly to your account. When an inbound webhook request is received, the submitted data — including name, email address, phone number, notes, and source identifier — is stored as a client record and intake session note within your practitioner account. This data is processed identically to data you enter manually and is subject to the same retention and deletion policies.
Each practitioner may generate a unique webhook secret token to secure their inbound endpoint. This token is stored in encrypted form in our database and is used solely to authenticate incoming webhook requests to your account. You may revoke or regenerate this token at any time from your Settings page.
Soulful CRM also supports outbound webhooks, allowing you to configure a URL to which we will send event notifications when key actions occur in your account — such as a client being created, a session being logged, a booking being confirmed, or a billing event occurring. When outbound webhooks are enabled, data associated with these events — including client names, email addresses, session metadata, and subscription status — is transmitted to the URL you specify. You are solely responsible for the security and privacy compliance of any endpoint you configure to receive this data. Soulful CRM is not responsible for the handling of data by third-party services you connect via outbound webhooks.
If a practitioner has enabled SMS notifications, Soulful CRM will send a booking confirmation SMS to clients who provide a phone number when booking a session through your public booking page. The client's phone number and the content of the SMS message are transmitted to Twilio, our SMS delivery provider, solely for the purpose of delivering the message. Twilio operates under its own privacy policy.
Phone numbers collected through the booking form are stored within your client records and are not used for any marketing or communications purpose beyond the booking confirmation SMS you have enabled. Practitioners who provide their own Twilio credentials are responsible for ensuring their use of Twilio complies with applicable telecommunications laws, including TCPA consent requirements.
We track certain in-app milestone actions to power your onboarding checklist, measure product activation, and send contextually relevant automated emails. Specifically, we record the following named funnel events in our database, linked to your user account, when they occur for the first time:
Each of these events is recorded at most once per user account in our database. They are used to determine your position in the onboarding flow, display your progress in the Quick Start guide on your dashboard, and trigger relevant automated guidance emails described in Section 1(J).
These same eight milestone events are also transmitted to PostHog, our product analytics provider, server-side at the time they are recorded. PostHog receives your account identifier and the event name. This data is used solely to measure product activation rates and improve the onboarding experience. It is never used to build behavioral profiles for advertising and is never sold or shared with third parties for marketing purposes. See Section 3 for details on PostHog as a subprocessor.
In addition, we track general activity events on an ongoing basis — such as creating a client, logging a session, generating an AI recap, or upgrading your subscription — to fire the automated email trigger system and power the onboarding flow. These ongoing events are distinct from the first-occurrence milestone events described above and serve the same operational purpose: helping you get value from the product faster.
We also write a browser-local storage key (soulful_happypath_dismissed) to your device when you dismiss the Quick Start guide on your dashboard. This value is stored locally in your browser only, is never transmitted to our servers, and controls whether the Quick Start guide is shown on subsequent visits. It contains no personal information.
Soulful CRM sends automated system emails through Resend. We track whether these emails are opened using a standard 1×1 pixel image embedded in emails. If you open an email, we record the timestamp. This data is used solely to understand whether our communications are useful and to improve the product. We do not share email engagement data with third parties for marketing purposes.
System email send logs — including the recipient address, subject line, send time, and delivery status — are stored in our database and accessible only to Soulful CRM administrators.
Based on the onboarding milestone events described in Section 1(I), we send the following behavioral trigger emails to registered users (practitioners) during the trial period:
Each behavioral trigger email is sent at most once per user. Deduplication is enforced server-side; you will not receive repeated nudges for the same step. All behavioral trigger emails include an unsubscribe link. You may opt out of non-essential automated emails at any time. Strictly transactional emails — including password reset and billing notifications — cannot be opted out of as they are necessary to operate your account.
All payments are processed by Stripe. We do not store your full credit card number, CVV, or billing address. We receive and store a Stripe customer ID and subscription status to manage your access level. Billing events — such as successful payments, subscription changes, and payment failures — are processed via Stripe webhooks and may be transmitted to any outbound webhook URL you have configured. For details on how Stripe handles your payment data, see stripe.com/privacy.
We collect standard technical data including IP address, browser type, device type, pages visited, and timestamps through our hosting provider Vercel. This data is used to maintain platform security, diagnose errors, and understand general usage patterns.
We also use PostHog, a product analytics provider, to collect client-side usage data including page views, navigation paths, and session recordings. PostHog session recordings capture your interactions with the dashboard — including mouse movements, clicks, and scrolling — to help us identify usability issues and improve the product. All form inputs are masked in session recordings; passwords, client notes, and other typed content are never captured. PostHog also collects your IP address and browser identifiers as part of standard analytics instrumentation.
When you are logged in, PostHog associates analytics data with your account identifier so that usage patterns can be linked to a specific user session. When you sign out, your PostHog identity is reset, and subsequent activity is not linked to your account until you sign in again. PostHog analytics data is used solely for product improvement and is never sold or shared with third parties for advertising.
We use collected information to:
We do not use your data to train AI models. Your client notes and session data are sent to AI providers solely for the purpose of generating the output you requested and are not retained by those providers for model training under our agreements with them.
AI-generated outputs are not used to make consequential decisions about you or your clients. All AI outputs — session recaps, client summaries, follow-up suggestions — are informational tools presented to you for review and use at your discretion. No automated decision with legal or significant effect is made on the basis of these outputs.
We do not sell your personal information. We share limited data only with the following service providers, each acting as a data processor on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting | All account and application data; stored in the United States |
| Vercel | Application hosting and edge delivery | IP address, request logs, technical usage data |
| Stripe | Payment processing | Email address, subscription status; full card data handled directly by Stripe |
| Resend | Email delivery (system and practitioner-to-client) | Recipient email addresses, email content, delivery status |
| Twilio | SMS delivery for booking confirmations | Client phone number and SMS message content, transmitted only when SMS is enabled by the practitioner |
| OpenRouter | AI processing gateway (routes to Anthropic, OpenAI, Mistral) | Session notes and practitioner profile settings submitted for AI recap generation; not retained for model training |
| Anthropic / OpenAI / Mistral | AI model inference (via OpenRouter) | Session note content for recap generation only; not retained for training under our agreements |
| PostHog | Product analytics, session recordings, and funnel measurement | Account identifier, page views, navigation events, the 8 named onboarding milestone events, session recording data (inputs masked), IP address, and browser identifiers. Never includes client notes, session content, or health-adjacent data. |
| Zapier / Third-party webhook endpoints | Outbound event delivery to practitioner-configured URLs | Client names, email addresses, session metadata, and billing event data — only transmitted when outbound webhook URL is configured by the practitioner |
All subprocessors are contractually required to process data only as directed by us and in accordance with applicable privacy law. We do not authorize any subprocessor to sell or use your data for their own purposes beyond service delivery.
Note on outbound webhooks: When you configure an outbound webhook URL, data is transmitted to a third-party endpoint of your choosing. Soulful CRM does not control or take responsibility for how data is handled by external services you connect via this feature. You are responsible for ensuring that any third-party service receiving your webhook data complies with applicable privacy law.
We may disclose your information if required to do so by law or in response to valid legal process, to protect the rights and safety of our users or the public, or to enforce our Terms of Service.
We retain different categories of data for the following periods:
soulful_happypath_dismissed) is stored only in your browser and is never transmitted to our servers. It persists until you clear your browser storage or use a different browser or device.Certain residual data may remain in encrypted backups for up to 90 days before being permanently deleted following an account deletion request.
When you use Soulful CRM to store and manage data about your own clients — including names, contact information, session notes, booking records, webhook intake submissions, SMS communications, and email communications — you act as the data controller for that client data, and Soulful CRM acts as the data processor on your behalf.
As the data controller, you are responsible for:
Soulful CRM processes your clients' data only as instructed by you through your use of the Service. We do not use your clients' data for any independent purpose and do not share it with third parties except as described in Section 3 (subprocessors necessary to deliver the Service).
PostHog does not receive any client data. Analytics instrumentation is scoped to practitioner account activity only — page views, navigation, and the named milestone events listed in Section 1(I). Client names, contact details, session notes, and health-adjacent data are never transmitted to PostHog.
If one of your clients contacts us directly to request access to or deletion of their data, we will direct them to you as the responsible data controller.
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights with respect to your personal information:
You have the right to request that we disclose: the categories of personal information we have collected about you; the categories of sources from which we collected it; the business or commercial purpose for collecting it; the categories of third parties with whom we share it; and the specific pieces of personal information we have collected about you.
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., where retention is required to complete a transaction, detect security incidents, or comply with a legal obligation). You may also delete your account directly from the Account Settings page within the dashboard. Account deletion is permanent and cannot be undone.
You have the right to request that we correct inaccurate personal information we maintain about you. You may update most of your account information directly within the Account Settings page. For data you cannot update yourself, contact us at hello@soulfulcrm.com.
We do not sell your personal information and we do not share your personal information with third parties for cross-context behavioral advertising. You therefore have no need to opt out of a sale or sharing of personal information, as neither activity occurs. If this practice ever changes, we will update this policy and provide a clear opt-out mechanism before any such activity begins.
You have the right to limit our use of sensitive personal information (as defined by the CPRA) to what is necessary to perform the Service you requested. As described in Section 1(D), session notes and health-adjacent data are used solely to generate AI recaps at your explicit request. If you do not want this data processed by AI, you may simply not use the AI recap or client summary features. If you wish to formally exercise a limit on sensitive PI use, contact us at hello@soulfulcrm.com.
We will not discriminate against you for exercising any of your CPRA/CCPA rights. We will not deny you goods or services, charge you different prices, or provide you with a lesser quality of service because you exercised a privacy right.
You have the right to receive a copy of your personal information in a portable, usable format. To request a data export, contact us at hello@soulfulcrm.com.
To exercise any of your CPRA/CCPA rights, submit a verifiable consumer request to:
Email: hello@soulfulcrm.com
Subject line: CPRA Privacy Request
We will respond to a verifiable consumer request within 45 days of receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing. We may need to verify your identity before processing your request by confirming your account email address.
You may designate an authorized agent to make a request on your behalf. We may require written proof of authorization before honoring such a request.
If you are a client of a practitioner using Soulful CRM — for example, someone who booked an appointment, received an email or SMS through the platform, or had your information submitted via a third-party form integration — and you wish to request access to or deletion of your data, please contact the practitioner directly. As described in Section 5, practitioners control their own client records. If you are unable to reach the practitioner and need assistance, contact us at hello@soulfulcrm.com and we will do our best to assist.
By creating an account, you consent to receiving transactional and onboarding system emails from Soulful CRM. These may include welcome messages, feature guidance, inactivity reminders, trial expiration notices, and behavioral trigger emails sent based on your onboarding milestone progress as described in Section 1(J).
You may opt out of non-essential automated system emails at any time by clicking the unsubscribe link included at the bottom of every system email. Unsubscribing is immediate and requires no account login. You cannot opt out of strictly transactional emails such as password reset emails or billing notifications, as these are necessary to operate your account. To re-enable system emails after unsubscribing, contact us at hello@soulfulcrm.com.
If you receive an email sent through Soulful CRM by a practitioner, that email was sent by the practitioner using our platform. To opt out of emails from a specific practitioner, contact them directly using the reply-to address on the email.
We use email open tracking (a standard 1×1 pixel image) on system emails to measure whether our communications are being received and read. Open tracking is not applied to practitioner-to-client emails. If you prefer not to be tracked on system emails, you can disable image loading in your email client.
If a practitioner has enabled SMS notifications, Soulful CRM will send an automated booking confirmation SMS to clients who provide a phone number when booking a session. SMS messages are sent via Twilio and contain booking confirmation details only. By providing a phone number on a practitioner's booking page, you consent to receiving this single transactional SMS confirmation.
Soulful CRM does not send marketing SMS messages. Phone numbers are not shared with third parties for marketing purposes. If you have questions about SMS communications from a specific practitioner, contact them directly.
Practitioners who enable SMS are responsible for ensuring their use of this feature complies with the Telephone Consumer Protection Act (TCPA) and any other applicable telecommunications regulations in their jurisdiction.
Soulful CRM uses session cookies and JWT tokens to authenticate your account and maintain your login state. We do not use third-party advertising cookies or tracking pixels for advertising purposes. We do not display ads and do not share your data with advertising networks.
Our hosting provider Vercel may set analytics cookies to measure platform performance. These are limited to technical performance data and do not identify you personally.
We use PostHog for product analytics. PostHog sets cookies in your browser to associate page views and navigation events with a session and, when you are logged in, with your account identifier. PostHog cookies do not track you across unrelated websites and are used solely to improve the Soulful CRM product. PostHog also performs session recordings of logged-in dashboard activity. All form inputs — including passwords, client names, and session notes — are masked and are never captured in recordings. You can learn more about PostHog's data practices at posthog.com/privacy.
We implement reasonable technical and organizational measures to protect your data, including TLS encryption in transit, hashed password storage, JWT-based authentication, row-level security on database tables, and role-based access controls. Webhook secrets are stored securely and are unique per user. However, no system is completely secure. We cannot guarantee absolute security of information transmitted over the internet or to third-party webhook endpoints you configure.
If you believe your account has been compromised, please contact us immediately at hello@soulfulcrm.com.
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete that information promptly.
The Services are hosted and operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Services, you acknowledge and consent to this transfer. We take steps to ensure data is handled securely and in accordance with this Privacy Policy regardless of where it is processed.
Soulful CRM does not sell your personal information. Soulful CRM does not share your personal information with third parties for cross-context behavioral advertising. This applies to all categories of personal information described in this policy, including sensitive personal information.
We share personal information only with service providers (subprocessors) acting on our behalf to deliver the Service, as described in Section 3. These sharing relationships do not constitute a "sale" or "sharing" under the CCPA/CPRA.
If this practice ever changes in the future, we will update this Privacy Policy, notify you in advance, and provide a clear and accessible mechanism to opt out before any such activity begins.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify registered users by email. Continued use of the Services after changes become effective constitutes acceptance of the revised policy.
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data — including CPRA/CCPA requests — contact us at: