Evano Development LLC – CrewX Platform
Privacy Policy
This Privacy Policy describes how CrewX handles information in connection with its CRM, messaging integrations with Facebook, Instagram and WhatsApp, and its AI assistant features.
Last updated: April 14, 2026
1. Introduction
CrewX is a software-as-a-service CRM platform developed by Evano Development LLC (“CrewX”, “we”, “us”). The CrewX Platform lets businesses manage customer relationships, conversations, AI assistants and operational follow-up across digital channels including Facebook Messenger, Instagram Direct and the WhatsApp Business Platform.
This Privacy Policy explains how CrewX collects, uses, stores and protects information when businesses, their authorized users, and connected integrations use the Platform. It also discloses the Meta permissions we request and how we handle data received from the Meta Services in compliance with the Meta Platform Terms and the WhatsApp Business Messaging Policy.
2. Information We Collect
We collect and process the following categories of information:
- Account information: name, email address, Firebase Auth identifier, and optionally the Facebook user ID of the person who authorizes a Meta integration.
- Workspace data: CRM records, pipelines, leads, contacts, internal notes, team activity, AI training examples and workspace settings.
- Conversation data: message content, timestamps, sender identifiers, media attachments, delivery states and channel metadata for every connected channel (Meta, ManyChat, Twilio, SMS).
- Meta integration data: Facebook Page, Instagram Business account and WhatsApp Business Account identifiers, the access tokens minted during the OAuth flow, the granted scopes and the webhook events Meta pushes to our endpoints.
- Usage analytics: feature usage, device and browser context, IP address, and product performance telemetry.
- Uploaded files or media that users choose to store or process within CrewX.
3. How We Use Information
We use collected information to operate and improve the CrewX Platform, including to:
- Provide CRM services and manage customer relationship workflows.
- Process, organize and display messages and conversation history across every connected Meta channel.
- Enable integrations with Meta Services and other connected providers, and to authenticate calls to their APIs.
- Improve product functionality, reliability and user experience.
- Train and operate AI assistants that generate draft replies and summaries, strictly within the scope of a single customer workspace.
- Provide customer support and respond to operational requests.
- Monitor security, prevent abuse and investigate suspicious activity.
4. Meta Platform Data Usage
CrewX accesses data from the Meta Services only for the purposes declared below, and only after the authorizing user has granted the corresponding permission through Facebook Login or the WhatsApp Embedded Signup flow. CrewX never sells Meta data, never uses it for advertising, and never transfers it to third parties except as strictly required to operate the Platform (for example, our hosting and database providers).
| Permission | Platform | How CrewX uses it | Data received |
|---|---|---|---|
| public_profile | Cross | Identify the business user who is authorizing CrewX so we can associate the connection with their CRM workspace. | Facebook user ID, name, profile picture URL. |
| Cross | Keep a working contact channel for account recovery, billing notices and security alerts tied to the connection. | Email address registered with Facebook. | |
| pages_show_list | Let the business user pick which Facebook Page they want to connect to CrewX during the integration flow. | List of Pages the authorizing user manages, including Page ID, name and category. | |
| pages_read_engagement | Read Page metadata needed to render the Page card inside the CrewX inbox and integrations dashboard. | Page profile picture, category, tasks the user can perform on the Page. | |
| pages_manage_metadata | Subscribe the connected Page to CrewX's webhook so inbound Messenger events are routed into the shared inbox in real time. | Webhook subscription flags on the Page. | |
| pages_messaging | Send and receive Messenger messages on behalf of the connected Page. This is how CrewX powers the Facebook channel inside the shared CRM inbox. | Messenger conversation threads, message text and media, timestamps, sender identifiers, delivery status. | |
| business_management | Cross | Operate as a Tech Provider for the business user so their Meta Business Manager assets (Pages, Instagram Business accounts, WhatsApp Business Accounts) can be linked to CrewX. | Business ID, name, and the list of assets the authorizing user manages. |
| instagram_basic | Access the Instagram Business account linked to the connected Facebook Page so we can show it inside the CrewX integrations dashboard. | Instagram Business account ID, username, display name and profile picture. | |
| instagram_manage_messages | Send and receive Instagram Direct messages from the CrewX shared inbox on behalf of the connected Instagram Business account. | Instagram Direct conversation threads, message text and media, timestamps, sender identifiers. | |
| whatsapp_business_management | Register and manage WhatsApp Business phone numbers and message templates on behalf of the customer, so their workspace can send compliant WhatsApp campaigns and automated replies. | WhatsApp Business Account (WABA) ID, phone number ID, display name, template content and status. | |
| whatsapp_business_messaging | Send and receive WhatsApp Business Platform messages from the CrewX shared inbox, including replies within the 24-hour session window and approved templates outside of it. | WhatsApp conversation threads, message text and media, timestamps, sender phone numbers, delivery receipts. |
5. Legal Basis for Processing
Where the General Data Protection Regulation (GDPR) or similar privacy laws apply, CrewX processes personal data on the following legal bases: (a) performance of a contract when we deliver the Platform to a paying customer; (b) consent when the user explicitly authorizes a Meta integration; and (c) legitimate interests in operating, securing and improving the Platform where those interests are not overridden by the rights and freedoms of the data subject.
6. Data Sharing
CrewX does not sell personal data. We only share information when necessary to operate the service or comply with the law:
- Infrastructure providers (Google Cloud / Firebase, Vercel) that host, secure or process platform data.
- Meta Services (Facebook, Instagram, WhatsApp Business) when you use those channels through CrewX.
- AI providers (OpenAI, Pinecone) to generate suggested replies and index context for retrieval; these providers process data under their own data processing agreements.
- Payment processors (Stripe, Mercado Pago) for subscription billing.
- Legal authorities or regulators when required by applicable law or legal process.
7. Data Security
CrewX uses modern administrative, technical and organizational safeguards to protect information against unauthorized access, loss, misuse or disclosure.
- All traffic to the Platform is served over HTTPS with TLS 1.2 or higher.
- Access tokens minted by Meta are stored server-side and are never exposed to the browser; only a short preview suffix is retained for UI display.
- Role-based access control inside each workspace, enforced by Firestore Security Rules.
- Webhook payloads from Meta are verified with the
X-Hub-Signature-256HMAC header before they are processed.
8. Data Retention
We retain account and platform data only for as long as needed to provide the service, resolve disputes, enforce our agreements, and comply with legal, tax, regulatory or security obligations.
- Active workspace data is retained while the workspace exists.
- Meta conversation data is retained until the workspace owner deletes it, disconnects the integration, or triggers a data deletion request.
- Automatic backups are rotated out of cold storage within 30 days.
- Audit logs and security events are retained for up to 12 months so we can investigate incidents.
9. Your Privacy Rights
Subject to applicable law, you may request access to, correction of, export of, or deletion of your personal data. You can also object to or restrict certain processing activities and withdraw consent for optional processing at any time.
To exercise any of these rights, contact customer@evanodevelopment.com. We respond within 30 days.
10. Meta Data Deletion
CrewX honors the Meta Data Deletion Callback specification. When you remove the CrewX app from your Facebook account settings, Meta notifies our servers and we permanently delete every CrewX record linked to your Facebook user ID, including:
- Your CrewX user profile and authentication records.
- Every workspace that was provisioned through your Meta authorization, together with all of its conversations, messages, leads, contacts, pipelines, AI memory and training examples.
- All Meta integration credentials (Facebook Page, Instagram Business account, WhatsApp Business Account) attached to your Facebook user ID.
You may also request deletion at any time by emailing customer@evanodevelopment.com. You can track the status of a callback-initiated request at /data-deletion/<confirmation-code>.
11. Third-Party Services
CrewX integrates with or relies on third-party services such as Facebook, Instagram, WhatsApp, OpenAI, Pinecone, Stripe, Mercado Pago and Google Cloud. These third-party services maintain their own privacy policies, terms and data handling practices. We encourage users to review the privacy policies of any third-party services they connect to CrewX.
12. International Transfers
CrewX is operated from the United States and its infrastructure providers may process data in the United States, Europe and Latin America. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to lawfully transfer personal data across borders.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If we make a material change we will notify you by email or by posting a notice within the Platform before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.