Privacy Policy

Last updated: 28 March 2026

1. Who We Are

Lysander CRM is a product of Haijahr Limited, a company registered in England and Wales ("we", "us", "our"). We are the data controller for personal data collected through our website and platform.

Contact: hello@lysander.app

2. What Data We Collect

We collect the following categories of personal data:

Account Data

  • Name, email address, phone number
  • Password (stored securely using one-way hashing)
  • Profile photo (if uploaded)
  • Organization name and industry

CRM Data

Data you enter into the platform about your contacts, companies, deals, leads, and other records. You are the data controller for this data and we process it on your behalf as a data processor.

Usage Data

  • IP address, browser type, device type, and operating system
  • Pages visited and referral source
  • Approximate geographic location (derived from IP address)

Payment Data

We do not store credit card numbers. Payment processing is handled by Stripe, who act as an independent data controller for payment data. See Stripe's Privacy Policy.

Interest Registration Data

If you register your interest on our website, we collect your name, email, company name, and industry.

3. How We Use Your Data

We use your data for the following purposes:

  • Providing the service — creating and managing your account, processing your CRM data, sending transactional emails (legal basis: contract performance)
  • Billing — managing subscriptions and payments via Stripe (legal basis: contract performance)
  • Communications — sending product updates, beta invitations, and responding to your enquiries (legal basis: legitimate interest or consent)
  • Analytics — understanding how our website and platform are used so we can improve them (legal basis: legitimate interest)
  • Security — protecting against fraud, abuse, and unauthorized access (legal basis: legitimate interest)

4. Data Sharing

We share personal data only with the following categories of recipients:

  • Stripe, Inc. — payment processing
  • Mailtrap (Railsware Products, Inc.) — sending transactional and CRM emails on your behalf
  • Hosting providers — our servers are hosted by infrastructure providers to deliver the service

We do not sell your personal data to third parties. We do not share your CRM data with other tenants — each organization's data is fully isolated.

5. Data Retention

  • Account data — retained for as long as your account is active, plus 30 days after deletion to allow for recovery
  • CRM data — retained for as long as your organization exists on the platform. Soft-deleted records are permanently purged after 90 days
  • Usage/analytics data — retained for 12 months
  • Interest registration data — retained until you unsubscribe or ask us to delete it

6. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restriction — request we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interest

To exercise your right to data portability, you can download your personal data directly from your account (login required). This exports your account information, owned records, activities, and tasks in a machine-readable JSON format.

For all other rights, email us at hello@lysander.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Data Security

We take appropriate technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Passwords hashed using industry-standard algorithms (bcrypt)
  • Tenant data isolation at the database level — organizations cannot access each other's data
  • Regular security updates and monitoring

8. International Transfers

Some of our service providers (such as Stripe) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

9. Children's Privacy

Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Lysander CRM, a product of Haijahr Limited
Email: hello@lysander.app