Effective Date: March 4, 2026
1. Introduction
This Privacy Policy explains how CallerPlugins ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our services, including:
- The CallerPlugins web dashboard at dashboard.callerplugins.com
- The CallerPlugins Viber Dialer browser extension for Pipedrive
- Our website at callerplugins.com
CallerPlugins is operated by Agenda 2050 (KVK 90748026), registered in the Netherlands. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable Dutch and European data protection laws.
Important: By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our services.
2. Data We Collect
2.1 Account Information
When you register for an account or activate the browser extension, we collect:
- Full name
- Email address
- Password (stored as a bcrypt hash — we never store your actual password)
- Company/team name (derived from your email domain)
- Role within your team (admin, manager, or user)
2.2 Billing & Payment Data
When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store:
- Stripe customer ID and subscription ID (references only)
- Subscription plan type, status, and billing dates
- Invoice amounts and payment status
We do not store your credit card number, CVV, or full payment card details. These are handled exclusively by Stripe in accordance with PCI-DSS standards.
2.3 Usage Data
We log the following when you use our services:
- Call logs: phone numbers dialed via the Viber button, call duration, status, and timestamp
- API request logs: endpoint, method, status code, and timestamp (for rate limiting and security)
- Whether a call was made on a free or pro plan
2.4 Session & Technical Data
- Session cookies (httpOnly, secure) for authentication
- Browser extension storage: license status, call counts, and daily reset timestamps
- IP address (for rate limiting purposes only; not stored long-term)
2.5 License Key Data
- License key, type, activation status, and the associated user and team
3. How We Use Your Data
| Purpose | Data Used |
| --- | --- |
| Provide and operate our services | Account info, usage data, session data |
| Process payments and manage subscriptions | Billing data (via Stripe) |
| Send transactional emails (welcome, payment confirmations, team notifications) | Email address, name |
| Enforce usage limits (free-tier call limits) | Call logs, plan type |
| Security and abuse prevention | IP address, API logs, rate limiting data |
| License key validation | Email, license key |
| Weekly usage digest emails | Email, team usage statistics |
We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal grounds:
- Contractual necessity (Art. 6(1)(b) GDPR) — Processing required to provide our services, manage your account, and fulfill subscriptions.
- Legitimate interest (Art. 6(1)(f) GDPR) — Security measures, rate limiting, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a) GDPR) — Optional marketing communications or weekly digest emails (you can opt out at any time).
- Legal obligation (Art. 6(1)(c) GDPR) — Tax and financial record-keeping requirements.
5. Third-Party Services
We share data with the following third-party processors, each operating under their own privacy policies and GDPR-compliant data processing agreements:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Stripe (USA) | Payment processing | Email, name, payment details |
| SendGrid / Twilio (USA) | Transactional emails | Email address, name |
| Hostinger (EU) | Web hosting and database | All service data (stored on EU servers) |
| Google Chrome Web Store | Extension distribution | No user data shared by us |
International transfers: Where data is transferred to processors outside the EEA (such as Stripe and SendGrid in the USA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions.
6. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
- Account data: Retained while your account is active and for up to 12 months after a deletion request, to allow for reactivation.
- Call logs: Retained for up to 24 months for usage analytics and billing verification.
- API request logs: Retained for up to 90 days for security and debugging.
- Billing records: Retained for 7 years to comply with Dutch tax obligations.
- Session data: Automatically expires and is deleted upon session timeout.
7. Data Security
We take the security of your data seriously. Measures include:
- Passwords are hashed with bcrypt (never stored in plain text)
- Sessions use httpOnly and secure cookies (in production)
- Helmet.js for HTTP security headers
- CORS restricted to our frontend domain
- Rate limiting on authentication endpoints (15 requests/minute)
- Database access restricted and encrypted in transit
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data.
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us at the address listed below. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
9. Cookies
Our services use a minimal set of cookies:
- Session cookie (essential) — Required for authentication on the dashboard. HttpOnly and secure. Expires when the session ends.
- Chrome extension local storage — Stores license status and call counts locally in your browser. This data is not transmitted to third parties.
We do not use advertising cookies, tracking cookies, or analytics cookies. For more details, see our Cookie Policy.
10. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via email or a prominent notice on our website. The "Effective Date" at the top reflects the most recent revision.
If you have any questions about this Privacy Policy or wish to exercise your data rights, contact us: