Last updated: June 2, 2026
Nutshell, Inc. (“Nutshell,” “we,” “our,” or “us”) provides customer relationship management (CRM) and related software products, websites, and services (collectively, the “Service”). This Privacy Policy explains what personal data we collect about visitors to our websites, prospects, customers, customers’ authorized users, and other individuals whose data we process; how we use it; with whom we share it; how long we keep it; and the rights and controls available to you.
This Privacy Policy applies to nutshell.com, app.nutshell.com, the Nutshell mobile applications, our APIs, our Model Context Protocol (MCP) connectors, and any other product or website that links to or references this Privacy Policy. It is incorporated by reference into our Terms of Service and, where applicable, our Data Processing Addendum (DPA).
If you are a contact of a Nutshell customer (i.e. a record in a Nutshell customer’s CRM, or a visitor to a website that uses Nutshell features like forms, chat, or analytics), please note that the Nutshell customer — not Nutshell — is generally the “controller” of personal data about you, and you should direct privacy requests to that customer in the first instance. We assist our customers in honoring valid requests, as described below.
For data that our customers upload, sync, or otherwise submit to the Service (“Customer Data”), Nutshell acts as a “processor” or “service provider” under applicable data protection laws (including the EU and UK GDPR, the Swiss FADP, the California Consumer Privacy Act (“CCPA”), the Canadian PIPEDA, and the Brazilian LGPD), and the Nutshell customer is the “controller” or “business.” Our processing of Customer Data on behalf of customers is governed by the DPA.
For data we collect from visitors to our websites, prospective customers, account administrators, billing contacts, support correspondents, recipients of our marketing communications, and applicants for employment, Nutshell is the “controller” or “business.” Sections 2–11 of this Privacy Policy describe that processing.
We collect personal data in the following categories.
When you create an account, request a demo, contact sales, attend an event, communicate with us, or otherwise interact with the Service, you may provide us with:
When you visit our websites or use the Service, we and our service providers automatically collect:
We may receive personal data about you from:
We generate certain personal data, including unique user and account identifiers, audit logs, security event records, account-health scores, and inferences drawn from how you use the Service (for example, “active user” or “feature adopter” flags used for our own product analytics).
We do not knowingly collect, request, or process: protected health information (PHI) subject to HIPAA, full payment-card numbers (these are processed by our PCI-compliant processors), government-issued identifiers (such as Social Security numbers, driver’s-license numbers, or passport numbers), biometric identifiers, precise geolocation, or other categories considered “sensitive” or “special category” data under applicable law.
We also do not solicit, request, or intentionally collect access credentials, multi-factor authentication or one-time-passcode (MFA/OTP) values, API keys, encryption keys, or other authentication secrets through any channel — whether in the Nutshell UI, in support interactions, in our forms, or through our AI features and MCP connectors. The only credentials Nutshell handles are those required to authenticate you to your own Nutshell account (which are stored as salted, hashed values, never in plaintext) and OAuth tokens issued by third-party services you choose to integrate (which are encrypted at rest and used only to operate the integration you authorized). If you receive a request that appears to ask for a credential outside this scope, do not provide it and report it to [email protected].
Customers must not upload restricted or sensitive data to the Service (see Section 3.4 of the Terms of Service).
We do not knowingly collect personal data from children under 13 (or the applicable minimum age in your jurisdiction). If we learn we have collected such data, we will delete it.
By interacting with Nutshell through chat, contact forms, email, phone, video, AI chatbots, or any other channel, you acknowledge that the interaction may be recorded, logged, or transcribed. We use these recordings and transcripts to provide and improve customer support, train our team, ensure quality, prevent fraud, and meet legal obligations. Recordings and transcripts are subject to the same protections as other personal data described in this Privacy Policy.
We process personal data for the following purposes:
Where the EU/UK GDPR or Swiss FADP applies, we rely on the following legal bases:
We do not “sell” your personal information for money. We engage in certain advertising activities (see Section 5) that may be classified as “sharing” or as “sale” of personal information under some U.S. state privacy laws even though no money changes hands; you may opt out of these activities as described in Section 9.
We do not use Customer Data to train, fine-tune, or otherwise improve generalized AI or machine-learning models, whether Nutshell’s own models or those operated by our AI subprocessors. We may use Service Data, aggregated data, and de-identified data to evaluate and improve the Service.
We share personal data only as described below.
We use service providers (“Subprocessors”) to host, store, transmit, secure, monitor, and otherwise support the Service. Subprocessors include cloud-infrastructure providers (e.g., Amazon Web Services), email and SMS delivery providers, payment processors, analytics providers, AI model providers (used to power AI features in the Service), customer-support tooling, and similar vendors. A current list is maintained at trust.nutshell.com/subprocessors. Each Subprocessor is bound by written terms requiring confidentiality, security, and use of personal data only for the purposes we authorize.
Geographic restriction: Nutshell does not engage Subprocessors that are domiciled in, or that store Customer Data in, the Democratic People’s Republic of Korea (North Korea) or the Islamic Republic of Iran.
We work with third-party advertising and analytics providers, including Google Analytics, Google Ads, Microsoft Advertising, LinkedIn, Meta, X/Twitter, and The Trade Desk, to measure marketing performance and to deliver targeted advertising on third-party sites based on your interactions with our websites and emails. These partners may use cookies, web beacons, and similar technologies to collect information about you, including your IP address, device identifiers, and browsing activity. See Section 6 for cookie controls and Section 9 for advertising opt-outs.
When you or a user in your account connect a third-party service to your Nutshell account (for example, Google Workspace, Microsoft 365, an email or accounting tool, or an MCP-compatible AI assistant), we share data with that service as necessary to operate the integration you have enabled. You can revoke these authorizations at any time in your account settings or in the third-party service.
Nutshell offers AI-powered features within the Service and publishes MCP (Model Context Protocol) connectors that allow customers to interact with Nutshell from compatible AI assistants such as ChatGPT (via the OpenAI Apps SDK) and Claude (via Anthropic Connectors). When you or your end user invokes an AI feature or MCP tool:
Nutshell is part of a corporate group. We may share personal data with our parent company and sibling companies for shared corporate functions such as finance, security, and legal compliance. They are bound by the same protections in this Privacy Policy.
We may disclose personal data if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, legal process, or an enforceable government request; (b) enforce our agreements; (c) protect the rights, property, or safety of Nutshell, our users, or others; or (d) investigate or prevent illegal activity, fraud, or abuse. Where legally permitted, we will direct law enforcement to request Customer Data directly from the customer.
If Nutshell is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets or equity, personal data may be transferred to the surviving or acquiring entity as part of that transaction, subject to commitments at least as protective as those in this Privacy Policy.
We share personal data in any other manner that you specifically direct or consent to.
We use advertising and remarketing technologies provided by Google, Microsoft, LinkedIn, Meta, X/Twitter, The Trade Desk, and other ad platforms to measure the effectiveness of our marketing and to deliver advertising about Nutshell to people who have visited our website, used our Service, or otherwise expressed interest in similar products. These technologies may set cookies in your browser, embed tracking pixels, or share hashed identifiers (such as a hashed email address) with the ad platform so it can match you with its user base and serve targeted ads on its properties. The ad platforms may also use this information for their own purposes, subject to their privacy policies.
You can opt out of interest-based advertising as described in Section 9.
A “cookie” is a small file placed on your device by a website. We use cookies and similar technologies (such as web beacons, pixels, local storage, and SDKs) for the following purposes:
Visitor cookies on customer websites: If you are visiting a website operated by one of our customers, that customer may have embedded a Nutshell code snippet to power features such as VisitorIQ, Nutshell Analytics, Nutshell Forms, or chat. The customer is the controller of that data, and you should consult the customer’s privacy policy for details and exercise rights through them.
Your choices: You can manage cookies through your browser settings, our cookie consent banner (where available), and the opt-out mechanisms in Section 9.
We retain personal data only for as long as necessary to fulfill the purposes for which we collected it, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention practices include:
Upon your request, we will delete personal data we hold about you sooner, subject to legal exceptions described in Section 9.
Nutshell is headquartered in the United States, and our Subprocessors operate in the United States, Canada, the EU/EEA, the United Kingdom, and other jurisdictions outside your country of residence. By using the Service, you understand that personal data may be transferred to, processed, and stored in jurisdictions whose laws may not provide the same level of protection as the laws of your country.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss-equivalent mechanisms set forth in the DPA. For transfers from other jurisdictions, we use the transfer mechanism approved or accepted by that jurisdiction’s authorities.
As described in Sections 4.1 and 8 of the Terms of Service, Nutshell does not engage Subprocessors that are domiciled in North Korea or Iran.
Depending on where you live, you may have the following rights with respect to personal data we hold about you:
How to exercise these rights: Email [email protected], or use the in-product privacy controls in your account. We will respond within the time frame required by applicable law (typically 30 days, extendable to 90 days for complex requests). We may need to verify your identity. There is no charge for reasonable requests.
End users of our customers: If your personal data is in a Nutshell customer’s CRM or otherwise was uploaded to the Service by a customer, the customer is the controller. Please direct your request to that customer.
If you have a privacy concern, we ask that you contact us first at [email protected].
We maintain administrative, technical, and physical safeguards designed to protect personal data against loss, theft, unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest (AES-256), network segmentation, access controls and least-privilege provisioning, multifactor authentication for production systems, continuous vulnerability management and annual third-party penetration testing, secure software-development practices, security training for personnel, and incident-response procedures. Nutshell is SOC 2 Type 1 attested by an independent third-party auditor. Our security commitments to customers are described in Annex II of the DPA. Trust center materials, including the most recent attestation report, are available under NDA at trust.nutshell.com.
You are responsible for choosing a strong, unique password, keeping it confidential, and notifying us promptly of any suspected account compromise. Nutshell is not responsible for data loss or compromise due to
If you authorize Nutshell to access your Google account (for example, to sync email or calendar events), Nutshell’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
This includes transmitting Google user data to our AI and transcription Subprocessors (listed at https://trust.nutshell.com/subprocessors) solely to power the specific features you invoke — for example, email content may be sent to an AI model provider to generate a summary or reply suggestion, and meeting recordings from Google Meet may be sent to a transcription provider to generate a transcript.
Specifically:
You can revoke Nutshell’s access to your Google data at any time at myaccount.google.com/permissions.
The Service is not directed to children under 13 (or the equivalent minimum age in the applicable jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact [email protected] and we will delete it.
The Service and our websites may contain links to third-party sites and services. We are not responsible for the privacy practices of those third parties. You should review their privacy policies before providing them with personal data.
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. We will post the revised policy at nutshell.com/legal/privacy. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
For questions about this Privacy Policy or to exercise your rights:
For privacy complaints we have been unable to resolve, see Section 9.2.
The following table summarizes the categories of personal information we have collected, used, and disclosed in the preceding 12 months for purposes of the California Consumer Privacy Act (as amended by the CPRA) and similar U.S. state privacy laws.
| Category | Examples | Sources | Purposes | Disclosed to (categories) |
|---|---|---|---|---|
| Identifiers | name, email, phone, IP, account ID | you; cookies; integrations; data enrichment | provide Service; marketing; security | Subprocessors; ad partners; integrations you authorize |
| Customer records | billing address, payment info (tokenized) | you | billing; tax compliance | payment processors; accounting providers |
| Commercial information | products purchased, transaction history | you; the Service | provide Service; account management | Subprocessors |
| Internet/network activity | browsing history on our sites; usage logs; click data | automatic | analytics; security; advertising | analytics & ad providers |
| Geolocation (approximate) | IP-derived city/region | automatic | analytics; security | analytics providers |
| Audio/visual | recordings of chat, phone, and chatbot interactions | you | support; training; quality | support tooling Subprocessors |
| Professional/employment | job title, company, industry | you; integrations; enrichment | marketing; CRM functionality | Subprocessors; ad partners |
| Inferences | inferred buyer-stage, account-health score | the Service | analytics; product improvement | none, except aggregated |
We do not knowingly collect “sensitive personal information” as defined under the CCPA (other than account log-in credentials, which we use only to authenticate you and which we do not “sell” or “share”). We do not knowingly sell or share personal information of consumers under 16.
You have the right to know, delete, correct, opt out of “sale” and “sharing,” limit use of sensitive personal information, and to non-discrimination. Submit requests at [email protected] or via the “Do Not Sell or Share My Personal Information” link on our website.
You have rights of access, deletion, correction, portability, and opt-out of targeted advertising, “sale,” and certain profiling. Submit requests at [email protected].
See Section 3.1 for legal bases and Section 9 for the full list of rights, including the right to lodge a complaint with your supervisory authority.
You have rights of confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent.
You have rights of access and correction, and may file a complaint with the Office of the Privacy Commissioner of Canada.