Privacy Policy
Effective date: June 17, 2026
Who we are
Foxadex (the "Service," "we," or "us") is a product of Monster Motorsports Corp (the "Company").
We provide a multi-tenant business platform — CRM, contact management, email and calendar sync, marketing broadcasts, landing pages, and related tools — used by organizations ("customers") and their employees ("users").
The roles we play
For data about you as a user of the Service (your name, email, login credentials, billing details), we act as a data controller.
For data about your contacts and customers that you upload or sync into the platform, we act as a data processor on your behalf — you remain the controller of that data and are responsible for obtaining the legal basis to collect and use it.
What data we collect
Account information
- Name, email address, and password (stored as a salted hash — we never see the original).
- Organization name, role, and team membership.
- Profile photo, timezone, and display preferences (if provided).
CRM and contact data
- Contacts you create or import (names, email addresses, phone numbers, companies, tags, notes, custom fields).
- Deals, tasks, calls, meetings, attachments, and other CRM records you create.
- Activity history (who changed what, when).
Email and calendar sync
- If you connect a Google or Microsoft account, we access your email and calendar with read/write permissions only to log messages and events linked to your CRM contacts and to send replies from within the app. You can disconnect at any time from Settings.
- We do not sell, advertise against, or train any AI model on your mailbox or calendar contents.
Broadcast / marketing email
- Subject lines, message bodies, recipient lists, and send timestamps for broadcasts you create.
- Per-recipient send, delivery, bounce, open, click, and unsubscribe events.
- Suppression list (email addresses that have unsubscribed, bounced, or filed a complaint).
Billing
- Plan, seat count, subscription status, and invoice history.
- Payment card details are collected and processed by Stripe; we never see full card numbers. We store only Stripe customer/subscription IDs.
Technical / usage data
- Browser, device type, IP address, and timestamps for security and abuse-prevention purposes.
- Session cookies (used only to keep you logged in) and a handful of preference cookies (theme, sidebar state). We do not use third-party advertising trackers.
How we use your data
- To provide, secure, and maintain the Service.
- To authenticate you and protect your account.
- To process payments and manage your subscription.
- To send transactional emails (password resets, invoices, security alerts) — you can't opt out of these without closing your account.
- To answer support requests and improve the product.
- To comply with our legal obligations (tax, accounting, fraud prevention, law-enforcement requests where legally required).
We do not sell your personal data. We do not use your data to train AI models. We do not share your CRM contacts with other customers.
AI features
Some optional features (text summarization, OCR on business cards, contact suggestions) send the specific content you choose to process — and only that content — to third-party AI providers including OpenRouter, Anthropic, and Google. These providers process the content under contracts that prohibit training on the data and require deletion within their stated retention windows.
AI features are off by default where applicable. You can avoid them entirely by not using them; we will not silently route your data to an AI provider.
Third-party processors we use
- Render — application hosting and database.
- Resend — broadcast email delivery.
- Stripe — payment processing.
- Google — OAuth, Gmail and Calendar sync (only if you connect a Google account).
- Microsoft — OAuth, Outlook and Calendar sync (only if you connect a Microsoft account).
- OpenRouter / Anthropic / Google AI — for the AI-powered features described above.
- Pexels — public stock photography (no personal data is sent).
Each processor is bound by a data-processing agreement that limits how they can use the data we share with them.
Data retention
- Account data is retained for the life of your account plus 30 days after closure, then deleted.
- CRM data is controlled by your organization — when an admin deletes a record, it is removed from active storage and purged from backups within 30 days.
- Unsubscribe and suppression records are retained indefinitely for CAN-SPAM and GDPR compliance even after a broadcast itself is deleted.
- Email/calendar sync data is deleted when you disconnect the source account.
- Billing records are retained as long as required by applicable tax and accounting law (typically 7 years).
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate information.
- Delete your account and the personal data we control.
- Export your data in a portable format.
- Object to or restrict certain types of processing.
- Withdraw consent for processing that relies on it (e.g. disconnecting OAuth integrations).
- Lodge a complaint with a supervisory authority in your jurisdiction.
For data we process on behalf of an organization (e.g. you are a contact in someone else's CRM), please contact that organization directly to exercise these rights — we will forward your request if you contact us.
To make a request, email support@monstermotorsports.com. We will respond within 30 days.
Security
We encrypt data in transit (TLS) and at rest. Passwords are stored as bcrypt hashes. OAuth tokens and API keys are stored encrypted. We apply the principle of least privilege internally and log access for audit purposes.
No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify you and the relevant authorities within the timeframes required by law (72 hours under GDPR).
International transfers
We host primarily in the United States and may transfer data to other jurisdictions where our processors operate. Where applicable, we rely on Standard Contractual Clauses and equivalent transfer mechanisms to keep your data protected to the standard required by your local law.
Children
The Service is not directed to anyone under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data through the Service, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will email you and post a notice in the app at least 30 days before they take effect. The "Effective date" at the top of this page reflects the most recent revision.
Contact us
Questions or privacy requests? Email support@monstermotorsports.com.
This document is a starting point, not legal advice. Replace the [PLACEHOLDER] markers with your real company information and have a lawyer in your jurisdiction review it before relying on it for compliance.