Get early access
Legal

Privacy Policy

Last updated April 21, 2026

Last updated: April 12, 2026

Introduction

Manage It, LLC (“ManageIt,” “we,” “us,” or “our”) operates the ManageIt platform, a white-label multi-tenant CRM and business management service. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data.

This policy applies to all users of the ManageIt platform, including agency owners, subaccount users, contacts whose data is stored in the platform, and visitors who interact with forms, documents, or booking pages hosted through ManageIt.

By using ManageIt, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the platform.

Information We Collect

We collect information in several ways depending on how you interact with the platform.

Account Information: When you create an account, we collect your name, email address, and password (which is stored in hashed form, never as plain text). If you join multiple agencies or subaccounts, we store your membership and role information for each.

Contact Data: Agencies and subaccounts store contact records that may include first name, last name, email address, and phone number. Agencies can also create custom fields to collect additional information such as date of birth, mailing address, company name, or any other data relevant to their business. The specific data collected through custom fields is determined by the agency, not by ManageIt.

Document Data: The platform stores documents including invoices, proposals, and contracts. These contain line items, pricing information, and associated contact details. Documents may also include comments and version history.

E-Signature Data: When someone signs a document electronically, we collect the signer’s name, email address, IP address, browser information (user agent string), and a timestamp. If the signer grants permission, we may also collect approximate geolocation (latitude and longitude) to support the legal validity of the signature.

Payment Information: ManageIt does not directly collect or store credit card numbers or bank account details. All payment processing is handled by Stripe. We store only Stripe reference IDs, transaction amounts, payment status, and related metadata.

Form Submissions: When someone submits a form built with ManageIt, we collect whatever data the form requests. This can include text responses, dates, file uploads (such as PDFs, images, or documents), and any other information the form creator configured. We also record the submitter’s IP address.

Scheduler Bookings: When someone books an appointment through a ManageIt scheduler, we collect the guest’s name, email address, selected time slot, and any notes or responses to custom booking fields. We also record the booker’s IP address.

Automatically Collected Information: We collect IP addresses associated with logins, form submissions, bookings, e-signatures, API token usage, and audit log entries. We use session cookies to maintain your login state. We do not use tracking cookies, analytics pixels, or remarketing tools.

File Uploads: Forms and documents may include file attachments uploaded by users or their contacts. These files are stored securely and associated with the relevant record.

How We Use Your Information

We use collected information for the following purposes:

Providing the Service: To operate the platform, manage user accounts, process documents, handle payments, deliver form submissions, manage bookings, and run automations configured by agencies.

Authentication and Security: To verify your identity, maintain session state, enforce access controls across the multi-tenant structure, and detect unauthorized access.

E-Signature Compliance: To create legally valid audit trails for electronic signatures, including capturing IP addresses, browser information, timestamps, and optional geolocation.

Communication: To send transactional emails such as document delivery notifications, booking confirmations, payment receipts, and form submission acknowledgments. Agencies may also configure automated email notifications through the automation engine.

Billing and Payments: To process subscription payments for agencies and subaccounts, and to facilitate document payments between agencies and their clients through Stripe.

Data Export and Deletion: To fulfill data access, export, and deletion requests from users and contacts.

Aggregated and Anonymized Data: We may create anonymized and aggregated datasets derived from platform usage for the purposes of usage analysis, performance monitoring, and service improvement. These datasets cannot be used to re-identify any individual. Because aggregated data does not constitute personal data, it is not subject to individual privacy rights requests.

Platform Improvement: To monitor system performance, diagnose errors, and improve reliability. We do not use personal data for advertising, profiling, or automated decision-making.

Multi-Tenant Data Processing

ManageIt operates as a three-tier multi-tenant platform: Platform, Agency, and Subaccount. Understanding this structure is important for understanding how your data is handled.

Agencies are businesses that use ManageIt to manage their operations and client relationships. When an agency stores contact data, creates documents, or collects form submissions, the agency acts as the data controller and ManageIt acts as the data processor.

Subaccounts are client accounts within an agency. Data within a subaccount is scoped to that subaccount and its parent agency.

This means that the agency you interact with (not ManageIt) determines what data is collected about you, how it is used, and how long it is retained. If you have questions about how a specific agency handles your data, you should contact that agency directly.

Agencies may configure outgoing webhooks that transmit data (including contact information, document details, payment information, form submissions, and booking details) to external URLs that the agency controls. ManageIt is not responsible for how agencies handle data once it leaves the platform through webhooks or data exports.

Third-Party Services

We use the following third-party services to operate the platform. Each service receives only the minimum data necessary for its function.

Stripe: Handles all payment processing for subscription billing, document payments, and auto-pay. Stripe receives payment method details directly from the payer and returns reference IDs to ManageIt. We never see or store full card numbers. Stripe’s privacy policy is available at stripe.com/privacy.

Google Calendar: When an agency connects Google Calendar for scheduler integration, booking details (guest name, email, and appointment times) are shared with Google to create calendar events. This integration is optional and initiated by the agency. Google’s privacy policy is available at policies.google.com/privacy.

SMTP Email Providers: Transactional emails are sent through SMTP services such as Amazon SES, Postmark, or custom SMTP servers configured by agencies. These services receive the recipient’s email address and message content in order to deliver emails.

CAPTCHA Services: Forms may use reCAPTCHA, Cloudflare Turnstile, or hCaptcha for spam protection. These services may collect IP addresses and browser data to distinguish humans from bots. Their respective privacy policies govern that data.

Sentry: We use Sentry for error monitoring and crash reporting. Sentry collects technical error information such as stack traces, request URLs, and browser details. We do not intentionally send personal information to Sentry.

Cloudflare: For agencies using custom domains, Cloudflare provides DNS and SSL certificate management. Cloudflare may process IP addresses and request metadata as part of its network services.

DigitalOcean: Our platform infrastructure, including application servers, databases, and file storage, is hosted on DigitalOcean. DigitalOcean provides the compute, storage, and networking infrastructure on which ManageIt operates. DigitalOcean may have technical access to data stored on its infrastructure as part of providing hosting services. DigitalOcean’s privacy policy is available at digitalocean.com/legal/privacy-policy.

Cookies

ManageIt uses only session cookies that are essential for the platform to function. These cookies maintain your login state and are deleted when your session ends or expires.

We do not use advertising cookies, analytics cookies, tracking pixels, or any form of cross-site tracking. We do not participate in ad networks or data broker exchanges.

Third-party CAPTCHA services used on forms may set their own cookies as part of bot detection. These are governed by the respective service’s cookie policy.

Do Not Track Signals: ManageIt does not track users across third-party websites. Because we do not engage in cross-site tracking, our practices are consistent with Do Not Track (DNT) browser signals by default. No change in behavior is necessary when a DNT signal is received.

Data Retention

We retain data according to the following schedule:

Active Account Data: Retained for as long as your account is active and the associated agency or subaccount exists.

Soft-Deleted Records: When contacts, documents, or other records are deleted, they are soft-deleted and retained for 90 days before permanent removal. This allows for recovery if a deletion was accidental.

Audit Logs: Activity and audit log entries are retained for 365 days to support compliance, security investigations, and e-signature validity.

Account Deletion: When a user requests account deletion, there is a 7-day grace period during which data is automatically exported. After the grace period, the account and associated personal data are permanently removed.

Agencies may configure different retention periods for their data within the ranges allowed by the platform. Contact the relevant agency for details about their specific retention practices.

Your Rights

Depending on where you live, you may have some or all of the following rights regarding your personal data.

Right to Access: You can request a copy of the personal data we hold about you.

Right to Export: Users can export all of their personal data as a ZIP file through the platform. Exports are rate-limited and available for download for 7 days.

Right to Deletion: Users can request deletion of their account and personal data. Contacts can submit data erasure requests through the contact portal, which are reviewed and processed by the agency. When approved, personal data is fully anonymized.

Right to Correction: You can update your personal information through your account settings or by contacting us.

Right to Object: You can object to specific types of processing by contacting us at the email address below.

Right to Restrict Processing: Data subjects may request that we restrict the processing of their personal data while a dispute regarding accuracy, lawfulness, or our need for the data is being resolved. When processing is restricted, we will continue to store the data but will not further process it without consent, except for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another person. This right is provided in accordance with GDPR Article 18.

Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another controller without hindrance. This right applies to personal data you have provided to us where processing is based on consent or contract and is carried out by automated means, in accordance with GDPR Article 20. You may exercise this right through the platform’s data export feature or by contacting us.

Right to Opt Out of Communications: Users can manage their email notification preferences on a per-type basis through their account settings.

Consent Tracking: For contacts added to the platform, we track the source of consent (how and when the contact was added) and the date consent was recorded.

Response Timeframes: We will acknowledge receipt of any privacy rights request within 5 business days. We will provide a substantive response within 30 calendar days of receiving the request. For complex or numerous requests, the response period may be extended by an additional 60 calendar days. If an extension is necessary, we will notify you of the extension and the reasons for the delay within the initial 30-day period.

To exercise any of these rights, contact us at privacy@getmanageit.io. For data held by a specific agency, you may also contact that agency directly.

If you are a contact whose data is stored by an agency using ManageIt, and the agency is unable or unwilling to address your request, you may contact us and we will assist to the extent we are able.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights.

Categories of Personal Information Collected: In accordance with Cal. Civ. Code Section 1798.140(v), we collect the following categories of personal information:

(A) Identifiers: Name, email address, IP address, account name, and unique personal identifiers.
(B) Customer records information: Name, address, telephone number, and financial information (limited to Stripe reference IDs and transaction metadata; we do not store payment card numbers).
(D) Commercial information: Records of services purchased, subscription history, and transaction details.
(F) Internet or other electronic network activity information: Browsing history within the platform, interaction with platform features, and search queries.
(G) Geolocation data: Approximate geolocation collected during e-signature events when the signer grants permission.
(K) Inferences: Inferences drawn from any of the above categories to create a profile about preferences and characteristics, limited to platform usage patterns for service improvement.

We do NOT collect: (C) protected classification characteristics, (E) biometric information, (H) sensory data (audio, electronic, visual, thermal, olfactory, or similar information), (I) professional or employment-related information (unless voluntarily provided through custom fields by an agency), or (J) non-public education information.

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Opt Out of Sale: We do not sell personal information. We do not share personal information with third parties for their direct marketing purposes.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact us at privacy@getmanageit.io. We will verify your identity before processing the request and respond within 45 days.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights and protections.

Lawful Bases for Processing: We process personal data based on the following legal bases, mapped to specific processing activities:

Contract Performance (GDPR Article 6(1)(b)): Processing necessary to provide the ManageIt service to account holders, including account creation, account management, user authentication, membership management, document generation and delivery, payment processing, form submission handling, and scheduler booking management.

Legitimate Interests (GDPR Article 6(1)(f)): Processing necessary for platform security and fraud prevention, audit logging and activity tracking, error monitoring and crash reporting, service performance monitoring and improvement, and enforcement of our Terms of Service. We have conducted balancing tests to ensure these interests do not override the fundamental rights and freedoms of data subjects.

Consent (GDPR Article 6(1)(a)): Processing based on your explicit and freely given consent, specifically the collection of approximate geolocation data (latitude and longitude) during electronic signature events. You may withdraw consent at any time by declining the geolocation prompt during signing, and withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Legal Obligation (GDPR Article 6(1)(c)): Processing necessary to comply with applicable laws, including maintenance of tax and financial records as required by tax authorities, response to lawful requests from law enforcement or regulatory bodies, and compliance with data breach notification requirements.

We do not rely on vital interests (GDPR Article 6(1)(d)) or public interest (GDPR Article 6(1)(e)) as legal bases for processing personal data.

Data Protection Officer: ManageIt has not appointed a Data Protection Officer (DPO). Under GDPR Articles 37 through 39, a DPO is required when an organization’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offenses. ManageIt’s core activities do not involve large-scale systematic monitoring of individuals, nor do we process special category data (such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation) as a core business activity. For all data protection inquiries, questions, or concerns, please contact us at privacy@getmanageit.io.

Automated Decision-Making and Profiling: ManageIt does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects data subjects within the meaning of GDPR Article 22. The automation engine available on the platform is a rule-based workflow system configured by agencies to automate business processes such as sending notifications, updating records, and triggering actions based on predefined conditions. These automations execute deterministic rules set by human operators and do not involve algorithmic profiling, scoring, or automated evaluation of personal aspects. No decisions affecting individual rights or access to services are made without human involvement.

International Data Transfers: ManageIt is operated from the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States. We rely on the following mechanisms to provide appropriate safeguards for international data transfers:

EU-US Data Privacy Framework: Where applicable, we rely on the EU-US Data Privacy Framework (and the UK Extension and Swiss-US Data Privacy Framework) as a valid transfer mechanism for personal data transfers from the EEA, UK, and Switzerland to the United States.

Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission as an alternative transfer mechanism. Our third-party sub-processors that process personal data outside the EEA are also bound by SCCs.

Supplementary Technical Measures: In addition to legal transfer mechanisms, we implement supplementary technical measures to protect transferred data, including encryption of data in transit using TLS and at rest, strict role-based access controls and multi-tenant data isolation ensuring that data is accessible only to authorized personnel and within the correct tenant scope, comprehensive audit logging of all access to personal data, and regular security assessments of our infrastructure and sub-processors.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

Nevada Privacy Rights (SB 220)

If you are a Nevada consumer, Nevada Senate Bill 220 (SB 220) gives you the right to opt out of the sale of certain covered information that a website operator has collected or will collect about you. ManageIt does not sell your covered information as defined under Nevada law. If you wish to submit a verified request to opt out of any future sale, or if you have questions about our data practices as they relate to Nevada law, please contact us at privacy@getmanageit.io.

Other US State Privacy Laws

Residents of certain US states have additional privacy rights under their respective state laws. This section addresses rights provided by the Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act, and Montana Consumer Data Privacy Act.

If you are a resident of any of these states, you may have the following rights with respect to your personal data:

Right to Access: You have the right to confirm whether we are processing your personal data and to access that data.

Right to Correct: You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and the purposes of processing.

Right to Delete: You have the right to request deletion of your personal data that we have collected from or about you.

Right to Data Portability: You have the right to obtain a copy of your personal data in a portable and readily usable format that allows you to transmit the data to another controller without hindrance, where processing is carried out by automated means.

Right to Opt Out: You have the right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

ManageIt does not sell personal data as defined under any of these state privacy laws. ManageIt does not process personal data for the purposes of targeted advertising. ManageIt does not engage in profiling that produces legal or similarly significant effects on consumers.

Appeal Process: If we decline to take action on your privacy request, you have the right to appeal our decision. To submit an appeal, contact us at privacy@getmanageit.io with the subject line “Privacy Rights Appeal” and include a description of your original request and the reason you believe our decision should be reconsidered. We will respond to appeals within the timeframes required by the applicable state law, generally within 45 to 60 days. If your appeal is denied, you will be provided with information on how to contact your state attorney general to submit a complaint.

To exercise any of these rights, contact us at privacy@getmanageit.io. We will verify your identity before processing the request.

Canada (PIPEDA)

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you with rights regarding your personal data.

Right to Access: You have the right to request access to the personal information we hold about you and to be informed of its use and disclosure.

Right to Correct: You have the right to challenge the accuracy and completeness of your personal information and request that it be amended as appropriate.

Right to Challenge Compliance: You have the right to challenge our compliance with PIPEDA by contacting our privacy office. If your concern is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada.

Consent: We collect, use, and disclose personal information only with your knowledge and consent, except where permitted or required by law. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

We will respond to access and correction requests within 30 days of receipt. If we require additional time, we will notify you of the expected response date.

To exercise any of these rights, contact us at privacy@getmanageit.io.

Security

We implement reasonable technical and organizational measures to protect your personal data, including:

  • Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • All data in transit is encrypted using TLS/SSL.
  • Access to data is restricted by role-based permissions and tenant scoping, ensuring users can only access data within their authorized agencies and subaccounts.
  • API tokens are hashed and never displayed after creation.
  • Administrative actions are recorded in audit logs.
  • File uploads are validated for type and size to prevent security exploits.

No system is completely secure. While we take reasonable precautions, we cannot guarantee the absolute security of your data.

Data Breach Notification: If we become aware of a security breach affecting personal data, we will take the following steps:

For data subjects in the European Economic Area or United Kingdom, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected data subjects without undue delay, as required by GDPR Article 34.

For data subjects in the United States, we will comply with all applicable state data breach notification laws, which generally require notification to affected individuals without unreasonable delay. Where required by state law, we will also notify the relevant state attorney general or other designated authority.

For data subjects in Canada, we will notify the Privacy Commissioner and affected individuals as required by PIPEDA’s breach notification provisions.

Breach notifications will include, to the extent known, the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.

Third-Party Links

The ManageIt platform, as well as content created by agencies using the platform (including documents, forms, and booking pages), may contain links to third-party websites, services, or resources that are not operated or controlled by ManageIt. We provide these links for convenience and informational purposes only.

ManageIt is not responsible for the privacy practices, content, or security of any third-party websites or services. We do not endorse and make no representations about the accuracy, reliability, or completeness of any content on third-party sites. We encourage you to review the privacy policies of any third-party websites you visit.

The inclusion of a link to a third-party website does not imply affiliation, sponsorship, or endorsement by ManageIt of that website or its operator.

Children’s Privacy

ManageIt is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@getmanageit.io and we will promptly delete the information.

Agencies are responsible for ensuring that they do not use ManageIt to knowingly collect personal information from children in violation of applicable laws, including the Children’s Online Privacy Protection Act (COPPA).

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users by posting the updated policy on the platform and updating the “Last Updated” date at the top of this page. For significant changes, we may also send an email notification to registered account holders.

Your continued use of the platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the platform and contact us to delete your account.

Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us at:

Manage It, LLC
6545 S. Fort Apache, Suite 135 – #415
Las Vegas, NV 89148

Email: privacy@getmanageit.io