Privacy Policy

Effective Date: April 3, 2026

This Privacy Policy describes how F&D Ventures LLC, doing business as Tormano (“Tormano,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you use our websites (tormano.com, crm.tormano.com, npcrm.tormano.com), applications, APIs, and related services (collectively, the “Service”). By using the Service, you agree to the practices described in this Privacy Policy.

Section 1: Information We Collect

1.1 Information You Provide. We collect information you provide directly, including: (a) account registration information (name, email address, organization name, password); (b) billing information (processed and stored by our payment processor, Stripe; we do not store payment card numbers); (c) Customer Data you upload or enter into the Service (contacts, companies, deals, donations, activities, communications, documents, and related records); (d) communications you send us (support requests, feedback, survey responses); and (e) information provided during onboarding or setup (industry, organization size, preferences).

1.2 Information We Collect Automatically. When you use the Service, we automatically collect: (a) device and browser information (IP address, browser type, operating system, device identifiers); (b) usage data (pages visited, features used, actions taken, timestamps, session duration); (c) log data (server logs, error reports, API requests); and (d) cookies and similar technologies (authentication tokens stored in browser localStorage for session management; theme preferences).

1.3 Information from Third Parties. We may receive information from: (a) third-party integrations you connect (e.g., QuickBooks, Stripe, Xero, Twilio, SendGrid) as authorized by you; (b) publicly available sources for data enrichment purposes; and (c) identity verification services for fraud prevention.

Section 2: How We Use Information

We use the information we collect for the following purposes: (a) providing, operating, and maintaining the Service; (b) processing transactions and managing your account; (c) communicating with you about the Service, including service announcements, security alerts, and support messages; (d) sending marketing communications (with your consent, where required by law); (e) improving and developing new features and functionality; (f) analyzing usage patterns and trends to improve user experience; (g) preventing fraud, abuse, and security threats; (h) complying with legal obligations; and (i) enforcing our Terms of Service.

Section 3: Artificial Intelligence and Data Processing

3.1 AI Features. The Service includes AI-powered features that process certain Customer Data to provide functionality such as smart search, contact scoring, email drafting, donor insights, deal forecasting, report generation, and predictive analytics.

3.2 AI Service Providers. We currently use the following third-party AI providers: (a) Anthropic (Claude API) for text generation, analysis, and natural language processing; and (b) OpenAI (GPT models) for scoring, forecasting, and content generation.

3.3 Data Shared with AI Providers. When processing AI requests, we may transmit the following categories of data to AI providers: organization name, contact names and email addresses (for context), deal and donation amounts, report aggregates, and user-provided prompts. We do NOT transmit: passwords, payment card information, Social Security numbers, health information, or full mailing addresses to AI providers.

3.4 AI Provider Data Retention. Third-party AI providers may temporarily retain data in accordance with their own privacy policies. We contractually require AI providers to not use Customer Data for training their models without separate consent.

3.5 AI Transparency. The Service provides an AI Transparency dashboard where users can review all AI-initiated actions, including the data processed, outputs generated, and confidence scores, and can undo AI actions.

3.6 Opt-Out. You may disable AI Features at the organization level through Settings. Disabling AI Features may reduce the functionality available.

Section 4: How We Share Information

We do not sell personal information. We may share information in the following circumstances: (a) Service Providers: with vendors, consultants, and other service providers who need access to perform services on our behalf, subject to contractual confidentiality obligations; (b) Third-Party Integrations: with third-party services you choose to connect, based on the permissions you grant; (c) Legal Requirements: when required by law, regulation, legal process, or governmental request; (d) Protection of Rights: to enforce our agreements, protect our rights, privacy, safety, or property, and that of our users and the public; (e) Business Transfers: in connection with a merger, acquisition, reorganization, or sale of assets, with notice to affected users; and (f) With Consent: with your explicit consent or at your direction.

Section 5: Sub-Processors

We use the following categories of sub-processors to deliver the Service:

Infrastructure and Hosting: Hetzner Cloud (Germany/US, server hosting), Docker (containerization).
Payment Processing: Stripe (PCI DSS Level 1 compliant).
Email Delivery: SendGrid (SOC 2 Type II, transactional and campaign email), Amazon Web Services SES (SOC 2 Type II, fallback email).
SMS and Voice: Twilio (SOC 2 Type II, HIPAA eligible).
Artificial Intelligence: Anthropic (SOC 2 Type II, GDPR compliant), OpenAI (SOC 2 Type II, GDPR compliant).
File Storage and Backups: Backblaze B2 (SOC 2 Type II).
Monitoring: Sentry (SOC 2 Type II, GDPR compliant), UptimeRobot (SOC 2 Type II).
Accounting Integration: Intuit QuickBooks, Xero (customer-initiated).

We will notify you of any new sub-processors at least 30 days before they begin processing personal data.

Section 6: Data Security

We implement appropriate technical and organizational measures to protect personal information, including: (a) encryption in transit via TLS 1.2/1.3 (HTTPS enforced on all endpoints); (b) password hashing using Argon2; (c) JWT-based authentication with RSA-256 signed tokens; (d) CSRF protection using double-submit cookie pattern; (e) rate limiting on authentication endpoints; (f) role-based access control (RBAC) with per-module permissions; (g) audit logging of all data modifications; (h) XSS prevention through HTML sanitization; (i) security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP, Referrer-Policy, Permissions-Policy); (j) regular security audits and vulnerability assessments; (k) fail2ban intrusion prevention; and (l) automated daily database backups with offsite storage. No method of transmission or storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security.

Section 7: Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include: (a) Customer Data: retained during the Subscription Term and for 30 days after termination; (b) Audit Logs: retained for 7 years by default (configurable by administrator); (c) Account Information: retained as long as your account exists; (d) Billing Records: retained for 7 years for tax and legal compliance; and (e) Aggregated/Anonymized Data: retained indefinitely. You may configure custom retention periods through the Service's Data Retention settings.

Section 8: Your Rights Under GDPR (EEA and UK)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR and UK GDPR: (a) Right of Access; (b) Right to Rectification; (c) Right to Erasure; (d) Right to Restriction; (e) Right to Data Portability; (f) Right to Object; (g) Right to Withdraw Consent; and (h) Right to Lodge a Complaint with your local data protection authority.

How to Exercise Your GDPR Rights. Submit requests to privacy@tormano.com. We will respond to your request without undue delay and in any event within 30 days of receipt, as required by Article 12(3) of the GDPR. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within 30 days of receipt of the request, together with the reasons for the delay. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

Legal Bases for Processing: (a) performance of a contract; (b) legitimate interests; (c) consent; and (d) legal obligations.

International Data Transfers: Personal data may be transferred to and processed in the United States. We rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs) approved by the European Commission, and supplementary measures.

Section 9: Your Rights Under CCPA/CPRA (California)

If you are a California resident, you have: (a) Right to Know; (b) Right to Delete; (c) Right to Correct; (d) Right to Opt-Out of Sale/Sharing (we do not sell personal information); (e) Right to Limit Use of Sensitive Personal Information; and (f) Right to Non-Discrimination.

Categories of Personal Information Collected (preceding 12 months): Identifiers, commercial information, internet activity, professional information, and inferences.

To exercise rights, contact privacy@tormano.com.

Section 10: Your Rights Under Virginia VCDPA

If you are a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act (VCDPA): (a) Right to Access your personal data; (b) Right to Correct inaccuracies in your personal data; (c) Right to Delete your personal data; (d) Right to Data Portability (obtain a copy of your personal data in a portable, readily usable format); and (e) Right to Opt Out of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or engage in targeted advertising based on personal data.

How to Exercise Your Rights. Submit requests to privacy@tormano.com. We will respond within 45 days. You may designate an authorized agent to submit a request on your behalf.

Right to Appeal. If we decline to take action on your request, you have the right to appeal our decision. To appeal, email privacy@tormano.com with the subject line “VCDPA Appeal” and include a description of the original request and the basis for your appeal. We will respond to appeals within 60 days. If your appeal is denied, you may file a complaint with the Virginia Attorney General at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

Sensitive Data. We do not process sensitive personal data (as defined under VCDPA) without your consent. If we need to process sensitive data in the future, we will obtain your opt-in consent before doing so.

Section 11: Other U.S. State Privacy Rights

Residents of Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Utah (Utah Consumer Privacy Act), Texas (Texas Data Privacy and Security Act), Oregon (Oregon Consumer Privacy Act), Montana (Montana Consumer Data Privacy Act), and other states with comprehensive privacy laws may have similar rights to those described in Sections 9 and 10 above, including the rights to access, correct, delete, and port personal data, and to opt out of the sale of personal data, targeted advertising, and certain profiling.

To exercise any rights available under your state's privacy law, contact privacy@tormano.com. We will verify your identity and respond within the time required by applicable law (typically 45 days, with extensions where permitted). We will not discriminate against you for exercising your rights. If we decline to act on your request, we will inform you of your right to appeal (where applicable under your state's law) and provide instructions for doing so.

Data Protection Assessments. Where required by applicable state law (including Colorado, Connecticut, and Virginia), we conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers, including targeted advertising, profiling, and processing of sensitive data.

Section 12: Cookies, Tracking Technologies, and Do Not Track

We use minimal cookies and browser storage: (a) Authentication Tokens in localStorage (essential); (b) Theme Preference in localStorage (essential); and (c) CSRF Token as httpOnly cookie (essential). We do not use third-party advertising cookies, tracking pixels from ad networks, or cross-site tracking. Email campaigns may include open-tracking pixels and click-tracking links, which you may disable by opting out of marketing communications.

Do Not Track Signals. Some web browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently alter our data collection and use practices in response to DNT browser signals. However, we do not engage in cross-site tracking, third-party advertising tracking, or behavioral advertising, and we do not sell personal information to third parties. You may use the privacy controls described in this Privacy Policy to manage your data preferences.

Section 13: Communication Preferences

13.1 Transactional Communications cannot be opted out of while your account is active.

13.2 Marketing Communications can be opted out of at any time via the unsubscribe link, your account settings, or by contacting privacy@tormano.com. We honor requests within 10 business days.

13.3 SMS Communications comply with TCPA and A2P 10DLC. Opt-out via the STOP keyword is honored immediately.

Section 14: Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 where required by applicable law, including the Virginia VCDPA). If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will delete that information promptly. Contact privacy@tormano.com if you believe a child has provided personal information to us.

Section 15: Data Breach Notification

In the event of a confirmed data breach affecting personal information, we will: (a) notify affected users within 72 hours of becoming aware of the breach (as required by GDPR, and consistent with applicable U.S. state breach notification laws); (b) notify applicable data protection authorities and state attorneys general as required by law; (c) provide information about the nature of the breach, categories and approximate number of individuals affected, likely consequences, and remedial measures taken or proposed; and (d) take immediate steps to contain, investigate, and remediate the breach.

Section 16: Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice within the Service at least 30 days in advance. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

Section 17: Contact Us

F&D Ventures LLC
8401 Mayland Dr #5368
Richmond, VA 23294, USA
Privacy Inquiries: privacy@tormano.com
General Inquiries: legal@tormano.com
Website: https://tormano.com

For Virginia residents: You may contact the Virginia Attorney General's office at https://www.oag.state.va.us for privacy-related complaints.

For California residents: You may contact the California Attorney General's office at https://oag.ca.gov/privacy for privacy-related complaints.

For EU/UK residents: You may contact your local supervisory authority regarding data protection matters.