Privacy Policy
Last updated: March 19, 2026
1. Introduction
This Privacy Policy describes how STEHRWAY ("STEHRWAY", "we", "us", or "our"), a company based in Canada, collects, uses, discloses, and protects personal information in connection with the Pipedrive Outlook Integration add-in for Microsoft Outlook and the associated website (collectively, the "Service").
We are committed to protecting your privacy and handling your personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR) where applicable, and other relevant privacy legislation.
For the purposes of the GDPR, STEHRWAY acts as the data controller (Article 4(7)) for account and billing data, and as a data processor (Article 4(8)) when accessing your Pipedrive CRM data on your behalf.
The add-in runs on pipedrive.stehrway.app and is distributed through Microsoft AppSource for use within Microsoft Outlook. The promotional website for the Service is available at pipedrive-outlook-integration.stehrway.com.
By using the Service, you explicitly consent to the collection and processing of your personal information as described in this Privacy Policy.
2. Scope
This policy applies to:
- Users of the Pipedrive Outlook Integration add-in
- Visitors to our website
- Prospective and current subscribers
3. Information We Collect
3.1 Account Information
When you create an account by connecting your Pipedrive CRM, we collect:
- Your display name and email address
- Your Pipedrive user ID and company ID
- Your Pipedrive company name
- Your locale, timezone, and preferred currency
3.2 Authentication Credentials
To access your Pipedrive CRM on your behalf, we store OAuth tokens (access token and refresh token) issued by Pipedrive. We do not store your Pipedrive password. Tokens are automatically refreshed and can be revoked at any time by disconnecting the integration from your Pipedrive account settings.
3.3 Email Metadata from Microsoft Outlook
When you use the add-in within Outlook, the Service reads the following from the email you are currently viewing:
- Sender and recipient information: display names and email addresses from the From, To, CC, and BCC fields
- Phone numbers: the email body is scanned locally for phone number patterns to facilitate contact matching
We do not store, transmit, or retain the content of your emails. Email metadata is processed in real time solely to look up contacts in your Pipedrive CRM. Phone number extraction occurs client-side and is not sent to our servers.
3.4 Pipedrive CRM Data
When you use the Service, we act as a pass-through to your Pipedrive account. We read and write CRM data (contacts, organizations, deals, activities, notes, leads, pipelines, and stages) on your behalf via the Pipedrive API. This data is not stored on our servers — it is fetched in real time from Pipedrive and displayed to you within the add-in.
3.5 Payment Information
Payments are processed by Stripe. When you subscribe, Stripe collects your name, email, billing address, and payment method. We store only your Stripe customer ID and subscription plan identifier. We do not have access to your full credit card number or payment details.
3.6 Automatically Collected Information
We store the following in your browser's local storage to provide a seamless experience:
- Authentication token (JWT, expires after 30 days)
- Basic profile information (display name, email, settings preferences)
- User preference settings (default currency, display options)
4. Cookies and Local Storage
We use cookies and browser local storage to operate the Service and maintain your session. Specifically:
- Authentication cookie: a single secure, HttpOnly cookie containing your session token, with a 30-day expiration. This cookie is strictly necessary for the Service to function.
- Local storage: your browser stores authentication tokens, basic profile data, and user preferences locally to provide a seamless experience within the add-in.
We do not use tracking cookies, analytics cookies, advertising pixels, or any similar tracking technologies. You can instruct your browser to refuse cookies, but this will prevent the Service from functioning.
5. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) |
| Authenticating your identity and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (e.g., free trial expiration notices) | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Protecting vital interests (e.g., preventing fraud, ensuring security) | Vital interests (Art. 6(1)(d)) / Legitimate interest (Art. 6(1)(f)) |
Under PIPEDA, we process your information based on your consent, which you provide when you connect your Pipedrive account and agree to this Privacy Policy.
6. Third-Party Services
We share personal information with the following third-party service providers, solely as necessary to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Pipedrive | CRM data access via OAuth | OAuth tokens; CRM read/write operations on your behalf | EU / US |
| Stripe | Payment processing | Email, name, billing address, payment method | US (EU-US DPF certified) |
| Microsoft | Outlook add-in platform | Email metadata provided by the Office JS API | As per your Microsoft tenant |
| Cloud hosting provider | Application and database hosting | Account data, OAuth tokens, server logs | US / EU |
| Email service provider | Transactional email delivery | Email address, display name | US |
We do not sell, rent, or trade your personal information to any third party. We do not use your data for advertising or profiling.
7. International Data Transfers
Your information may be transferred to and processed in countries outside of your jurisdiction, including Canada and the United States. Where data is transferred outside the European Economic Area (EEA), we rely on:
- EU-U.S. Data Privacy Framework certifications held by our sub-processors (e.g., Stripe)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions — Canada has been recognized by the European Commission as providing adequate data protection (PIPEDA)
8. Data Retention
We retain your personal information as follows:
- Account data: retained for as long as your account is active and for a reasonable period thereafter to comply with legal obligations
- Pipedrive OAuth tokens: retained while your Pipedrive account is connected; deleted when you disconnect
- Payment records: retained as required by applicable tax and accounting laws
- Free trial tracking: we store a one-way hash (MD5) of your email address to track free trial eligibility; this cannot be used to identify you
- Transactional emails: delivery records retained by our email service provider per their retention policy
Email metadata from Outlook is processed in real time and is not retained on our servers.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption in transit: all communications are encrypted via HTTPS/TLS
- Secure authentication: signed session tokens; authentication cookies are HttpOnly, Secure, and SameSite
- Webhook verification: all inbound webhooks are cryptographically verified
- Database encryption: data at rest is encrypted by our database provider
- No password storage: we use OAuth exclusively; we never store your Pipedrive or Microsoft passwords
While we take reasonable steps to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Microsoft Outlook Add-in Permissions
The add-in requests ReadWriteMailbox permission from Microsoft Outlook. This permission is required to read email participants (for CRM contact lookup) and to function across both message reading and composing contexts. The add-in:
- Reads sender and recipient information (names and email addresses)
- Reads email body content solely for client-side phone number extraction
- Does not send, forward, or modify your emails
- Does not access email attachments
- Does not access your mailbox beyond the currently open item
11. Your Rights
Under GDPR (EEA Residents)
If you are located in the European Economic Area, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate personal data (Art. 16)
- Erase your personal data ("right to be forgotten") (Art. 17)
- Restrict processing of your personal data (Art. 18)
- Receive your data in a structured, machine-readable format ("data portability") (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3))
- Lodge a complaint with your local supervisory authority
Under PIPEDA (Canadian Residents)
If you are located in Canada, you have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your information and have it amended
- Withdraw your consent to the collection, use, or disclosure of your personal information
- File a complaint with the Office of the Privacy Commissioner of Canada
Exercising Your Rights
To exercise any of these rights, please contact us at support@stehrway.com. We will respond to your request within 30 days. You may also disconnect your Pipedrive account at any time through the add-in settings or through Pipedrive's marketplace settings, which will trigger automatic deletion of your stored OAuth credentials.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
STEHRWAY
Email: support@stehrway.com
Canada