This Privacy Policy explains how Calvin Group, Inc. (“Calvin Group,” “we,” “us”) collects, uses, and protects information when you visit www.calvingroupinc.com (the “Site”), when you contact us about used asphalt paving equipment, and when Calvin Group employees use the internal Calvin Group customer-relationship-management application (the “CRM App,” available on the web at app.calvingroupinc.com and as an iOS application distributed privately to Calvin Group).
Who we are
Calvin Group, Inc. is a Lorain County, Ohio-based dealer of used asphalt paving equipment, in business since 1996. You can reach us at:
- Email: sales@calvingroupinc.com
- Phone: (800) 478-5840
- Mail: PO Box 100, Grafton, OH 44044
Scope of this policy
Sections marked “Public Site” apply to visitors of www.calvingroupinc.com. Sections marked “CRM App” apply to Calvin Group employees who use the internal CRM application on the web or on iOS. The CRM App is restricted to accounts on the @calvingroupinc.com Microsoft 365 tenant and is not available to the general public.
What we collect — Public Site
On the Site, we collect only the information you choose to share with us through forms or in direct correspondence. This includes:
- Your name
- Email address
- Phone number (optional on most forms)
- Company name (optional)
- The equipment you’re asking about (or describing, if you’re selling to us)
- Any message text you write
- The equipment you save to your list, if you use the Save List feature, along with the email address you sign up with and the time you last opened your list
We do not require account creation to browse the Site or contact us. We do not collect government IDs, financial account numbers, or sensitive personal information through the Site.
What we collect — CRM App
The CRM App is our internal system of record for equipment inventory, sales, and customer relationships. When a Calvin Group employee signs in and uses the app, the following data is created or synchronized:
- Team-member identity— name and email address from Microsoft 365 sign-in (via Microsoft Graph OAuth).
- Contact records— buyer, seller, and prospect information entered by team members: name, company, email, phone, address, notes, and correspondence history.
- Equipment inventory— item specifications, pricing, photographs, and video attachments.
- Sales activity— leads, quotes, invoices, tasks, activity logs, and trip / route-planning data.
- Photos and files— images captured with the device camera or uploaded from the device’s file system, used for equipment listings and internal documents.
- Precise device location— only when the team member explicitly uses the map / route-planning feature and only for the duration of that use.
- Outlook contacts— only when a team member opts in to bidirectional synchronization with their personal Microsoft 365 Outlook contacts folder.
iOS App permissions
When the CRM App runs on iOS, the operating system will prompt for the following permissions the first time a feature requires them. You may revoke any permission at any time in iOS Settings › Calvin Group.
- Camera— to photograph equipment for inventory listings.
- Photo Library— to attach existing photos to equipment records.
- Files— to upload documents such as specification sheets or invoices.
- Location (While Using App)— only when opening the map / route-planning feature.
How we use it
We use information collected via the Public Site to respond to your inquiry, send equipment information or pricing, and follow up about possible sales conversations.
We use information created in the CRM App to operate the internal business functions of Calvin Group — managing inventory, tracking leads and customers, preparing quotes and invoices, and planning field trips.
We do not use your information for advertising, profiling, or automated decision-making. We do not sell your information.
Bot and abuse protection
Public forms on the Site are protected by Vercel BotID (an invisible bot-detection challenge) and per-IP rate limiting. These signals do not transmit the contents of your form and do not include personally identifiable information.
Cookies and session tokens
The Public Site uses only essential session cookies needed for the site to function. We do not use third-party advertising or tracking cookies on the Public Site.
The CRM App uses OAuth session tokens (PKCE flow) to authenticate Calvin Group employees. On iOS, these tokens are stored in the app’s sandboxed Preferences storage.
How we share information
We do not sell your information. Data is shared only with the service providers we rely on to operate Calvin Group, each bound by their own privacy policies:
- Supabase— database and file storage; U.S. data centers. supabase.com/privacy
- Microsoft (Microsoft 365 & Microsoft Graph) — team-member sign-in, email sending on behalf of a team member, and optional Outlook contact synchronization.
- Vercel— web application hosting and edge delivery.
- Resend— outbound transactional email delivery.
- Cloudflare Stream— video hosting for equipment listing videos.
- Sentry— application error monitoring; identifying details are redacted before transmission.
We may also disclose information where required by law, subpoena, or valid legal process.
Data security
We protect data using industry-standard measures:
- All connections use TLS 1.3 — there is no unencrypted access path to the Site or CRM App.
- Authentication for the CRM App uses Microsoft 365 identity and a Supabase-managed session token, both over PKCE OAuth 2.0.
- Authentication credentials and OAuth refresh tokens are stored encrypted at rest.
- Access to CRM data is restricted at the database layer via row-level security policies. Team members see only records their role permits.
- Automated backups run daily with point-in-time recovery within a 7-day window (via Supabase).
Retention
Public Site inquiries. We retain inquiry records for as long as needed to follow up on the conversation or as required by tax and business-records law.
CRM App records. Contact, equipment, and activity data are retained as long as they support ongoing business operations, and archived thereafter per tax and business-records law. When a team member deletes a record inside the CRM App, it is removed from the working dataset; audit-log entries recording the deletion may persist for up to 7 years for accounting purposes.
If you ask us to delete your personal information, we will do so within 30 days, subject to any legal retention obligation we can identify.
Your rights
Depending on where you live, you may have the right to access, correct, or delete the information we hold about you, and to opt out of certain uses. To exercise these rights, email sales@calvingroupinc.com from the address on file or contact us by phone or mail at the address above. We respond to verified requests within 30 days.
Children
Neither the Site nor the CRM App is directed to children. The Site is intended for business buyers and sellers of construction equipment; the CRM App is restricted to Calvin Group employees. We do not knowingly collect information from children under 13. If you believe a child has provided us with information, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. The effective date at the top of this page indicates the latest revision. Material changes will be posted at least 30 days before they take effect.
Contact
Questions about this Privacy Policy can be sent to sales@calvingroupinc.com or to PO Box 100, Grafton, OH 44044.