App Privacy Policy
Last updated 7 July 2026
This Privacy Policy applies to the vizrm application, accessible at app.vizrm.com and via the vizrm browser extension (together "the App"), and to any account you create with us. It applies to you as a vizrm account holder from the moment you register. If you are looking for the privacy policy that covers our public marketing website at vizrm.com, please see our Website Privacy Policy.
vizrm is a product of CodeBriada UG (haftungsbeschränkt) (referred to as "our company", "we" and "us").
This policy informs you, in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) (EU) 2016/679, about what personal data we process through the App, how we use it, who we share it with, how long we keep it, and what rights you have.
A key principle of the App is that we do not store your CRM data (contacts, organizations, deals, activities) outside of your connected CRM (HubSpot or Pipedrive) except where necessary to render and operate the App as described below.
This policy is structured as follows:
- I. Information about us as controller of your data
- II. The rights of users and data subjects
- III. Information about the data processing in the App
I. Information about us as controller of your data
The party responsible for the App for purposes of data protection law (the "controller") is:
CodeBriada UG (haftungsbeschränkt)St. Rochus Str. 1
82433 Bad Kohlgrub
Germany
Email: info@vizrm.com
Our contact for data protection matters is Jakob Porer, reachable at info@vizrm.com.
Our two roles. The App processes two fundamentally different categories of data, and our role differs for each:
- User Data - data about you as a vizrm account holder: your name, email address, company name, password, IP address, usage behaviour, billing information, and communications with us. For this data, we are the controller, and this policy applies in full.
- Customer Data - data from your connected CRM (contacts, companies, deals, activities), account map data you create in vizrm (relationship lines, groups, placeholders, saved views), and LinkedIn data captured via the browser extension. For this data, you (or your organization) are the controller and we act solely as your processor under Art. 28 GDPR. This relationship is governed by our Data Processing Agreement (DPA), which forms part of our Terms of Use and applies automatically to every customer - no separate signature is required. Nothing in this policy limits or replaces the DPA.
Customer Data is hosted exclusively on Microsoft Azure in the EEA and is not shared with or accessible to any of our other service providers - including our analytics, communications, marketing, scheduling, and support tools.
II. The rights of users and data subjects
With regard to the data processing described below, users and data subjects have the right:
- To confirmation of whether data concerning them is being processed, information about the data being processed, further information about the nature of the data processing, and copies of the data (Art. 15 GDPR);
- To correct or complete incorrect or incomplete data (Art. 16 GDPR);
- To the immediate deletion of data concerning them (Art. 17 GDPR), or, alternatively, if further processing is necessary as stipulated in Art. 17 Para. 3 GDPR, to restrict said processing per Art. 18 GDPR;
- To receive copies of the data concerning them and/or provided by them and to have the same transmitted to other providers/controllers (Art. 20 GDPR);
- Where processing is based on consent, to withdraw that consent at any time with effect for the future, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7 Para. 3 GDPR);
- To file complaints with a supervisory authority if they believe that data concerning them is being processed by the controller in breach of data protection provisions (Art. 77 GDPR). Complaints may be filed in particular with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement.
Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to processing of your data carried out on the basis of Art. 6 Para. 1 lit. f) GDPR. Where your data is processed for direct marketing, you may object at any time without giving reasons.
We respond to requests to exercise these rights within one month, free of charge. The controller is obliged to inform all recipients to whom it discloses data of any corrections, deletions, or restrictions placed on processing per Art. 16, 17 Para. 1, 18 GDPR, unless such notification is impossible or involves a disproportionate effort. Users have a right to information about these recipients.
Please note: where your request concerns Customer Data (e.g. you are a contact stored in one of our customers' CRMs), our customer is the controller. We will forward your request to the relevant customer without undue delay, as set out in the DPA.
III. Information about the data processing in the App
Your data processed through the App will be deleted or blocked as soon as the purpose for its storage ceases to apply, provided the deletion is not in breach of any statutory storage obligations and unless otherwise stipulated below.
Account and registration data
When you create a vizrm account, we collect and store your name, work email address, company name, and password (stored in hashed form). We also store the IP address and the date and time of your registration. This data is used exclusively to provide, secure, and administer your account, and is not transferred to third parties except as described below. Providing this data is required to enter into and perform the contract with us; without it, we cannot provide you an account.
The legal basis for this processing is Art. 6 Para. 1 lit. b) GDPR (performance of our contract with you).
Customer Data - CRM and account map data (vizrm as your processor)
To provide the App's core functionality, you connect vizrm to your CRM (HubSpot or Pipedrive) via OAuth. Once connected, the App reads and writes CRM records on your behalf - contacts, companies/organizations, deals, and activities/tasks - in order to display and let you edit your org charts, buying roles, and account plans.
Consistent with our design principle above, CRM data is read from your CRM in real time and written back immediately when you make changes in the App. We do not maintain a separate, persistent copy of your CRM records outside your CRM, other than the temporary technical caching necessary to display the App and any data you separately create in the App (relationship lines, groups, placeholders, saved views), which is stored on our infrastructure so it can be shared across your team.
Where this data includes personal data, you (or your organization) act as the controller and we act as your processor, as described in Section I. The details of this processing - including its subject matter, duration, security measures, sub-processors, and your instructions to us - are set out in the DPA and its annexes.
CRM data and account map data is processed exclusively on Microsoft Azure infrastructure in the EEA. It is not transmitted to or accessible by any of our other service providers, including our analytics, communications, marketing, scheduling, or support tools.
LinkedIn browser extension data
If you install the vizrm browser extension, it reads publicly visible profile information on LinkedIn pages you visit (such as name, job title, company, and profile URL) in order to let you create or match a corresponding CRM contact with a single click, and to let you log LinkedIn messages and connection requests as CRM activities when you choose to do so. This data is only transmitted to your connected CRM at your direction; the extension does not scrape or store LinkedIn data beyond what is needed to complete the action you initiate. LinkedIn data handled via the browser extension is treated as Customer Data for the purposes of this policy: you act as controller, we act as your processor under the DPA, and the data is not shared with our service providers.
Payment and billing data
If you subscribe to a paid plan, billing information (such as company name, billing address, and VAT ID) is collected to issue invoices. Payment card and payment method data is collected and processed directly by our payment processor, Stripe; we do not store payment details on our own systems.
The legal basis for this processing is Art. 6 Para. 1 lit. b) GDPR and, with respect to statutory invoicing and retention duties, Art. 6 Para. 1 lit. c) GDPR.
Support and communications
If you contact us for support, or we communicate with you about your account (e.g. onboarding, service notices, or billing), we process the content of that communication and associated account data to respond to you and to keep a record of the support relationship.
The legal basis for this processing is Art. 6 Para. 1 lit. b) GDPR and, for legitimate service and security notices, Art. 6 Para. 1 lit. f) GDPR.
Product updates and similar-service communications
As an account holder, we send you e-mails about product updates and new features of the Service you use, and we may occasionally contact you about our own similar services (including re-engagement messages if you have been inactive). We use your name and e-mail address for this purpose. You can opt out of these communications at any time - via the unsubscribe link contained in each e-mail or by contacting info@vizrm.com - without incurring any costs other than basic transmission costs. Transactional messages required to operate your account (e.g. security, billing, or service-change notices) are not affected by an opt-out.
The legal basis for this processing is Art. 6 Para. 1 lit. f) GDPR; our legitimate interest lies in informing our existing customers about our services in accordance with § 7 Para. 3 of the German Act Against Unfair Competition (UWG).
Product usage and technical data
We collect technical and usage data generated automatically when you use the App: session identifiers, browser and operating system information, IP address, pages and features used, and timestamps of actions (e.g. loading a chart, creating an activity). This data is used to operate, secure, and improve the App, and to understand which features are used so we can prioritize product development. This usage data relates to you as an account holder only; it does not include Customer Data.
The legal basis for this processing is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security, stability, and improvement of the App. You may object to this processing as described in Section II.
The App uses cookies and similar technologies (e.g. local storage) that are strictly necessary to operate the App, such as session and authentication cookies (§ 25 Para. 2 TDDDG).
Service providers (processors) for User Data
For User Data - data about you as an account holder - we use the service providers listed below as processors under Art. 28 GDPR. Each provider receives only the data necessary for its specific function and is bound by a data processing agreement consistent with the GDPR. For providers located outside the European Economic Area (EEA), data transfers are made under the European Commission's Standard Contractual Clauses (SCCs) or another valid transfer mechanism under Chapter V GDPR.
Note on terminology: only Microsoft Azure processes Customer Data and is therefore a Sub-Processor within the meaning of our DPA. The other providers listed here process User Data only.
- Hosting and infrastructure - Microsoft Azure (Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; EEA; hosting region Germany West Central). Processes all data categories: User Data, CRM data, and account map data. Azure is the only provider that processes Customer Data.
- Payment processing - Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland; EEA). Processes billing and payment data.
- Product analytics - Amplitude (Amplitude, Inc., 631 Howard Street, Floor 5, San Francisco, CA 94105, USA; non-EEA; transfer under SCCs). Processes usage and technical data.
- Customer support- Intercom (Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland; EEA). Processes account data and support communications.
- Customer communications - HubSpot (HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland; EEA). Processes name, email address, and company name for onboarding, product, and account communications.
- Transactional email - Courier (Trycourier, Inc., 340 Pine Street, Suite 702, San Francisco, CA 94104, USA; non-EEA; transfer under SCCs). Processes name and email address for delivering account notifications and alerts.
- Sales and outreach - lemlist (lemlist SAS, 5 rue Aubry du Bochet, 75003 Paris, France; EEA). Processes name and email address for the communications described under "Product updates and similar-service communications" above.
- Workflow automation - Make (Make s.r.o., Prague, Czech Republic; EEA). Processes User Data as necessary to automate workflows between the above services.
- Meeting scheduling - Calendly (Calendly LLC, 271 17th St NW, Atlanta, GA 30363, USA; non-EEA; transfer under SCCs). Processes name and email address for scheduling onboarding and support calls.
A current list of these providers is available on request at info@vizrm.com.
Automated decision-making and profiling
We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.
Data retention
We apply the following retention periods:
- Account and registration data: retained for the lifetime of your account; deleted within 30 days of account cancellation, except where longer retention is required by law or to establish, exercise, or defend legal claims.
- Billing and invoice data: retained for 10 years from the invoice date as required under German commercial and tax law (§ 257 HGB, § 147 AO).
- Product usage and technical data: retained for 12 months from collection, or for the account lifetime if shorter.
- Support communications: retained for 3 years from the last communication, or for the account lifetime if shorter.
- CRM data: not stored persistently by vizrm; read in real time from your CRM.
- Account map data (relationship lines, saved views, etc.): handled in accordance with the DPA, including any return or deletion instruction given under it; absent such instruction, deleted within 30 days of account cancellation.
- Payment card data: not stored by vizrm; held by Stripe under their retention policy.
Security
We use appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse, including encryption in transit, access controls, and regular review of our infrastructure and service providers. The measures applying to Customer Data are described in Annex 2 of the DPA. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Changes to this policy
We keep this App Privacy Policy under regular review and will post any updates on this page. Material changes will be communicated to active account holders by e-mail or in-app notice before they take effect. This policy was last updated on 7 July 2026.
How to contact us
If you have any questions about this App Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please contact us at info@vizrm.com.
How to contact the supervisory authority
You may lodge a complaint with any data protection supervisory authority, in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR). The supervisory authority responsible for our company is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany - https://www.lda.bayern.de