Capable — Privacy Policy
Effective date: 2026-06-17 · Version: 1.0
This Privacy Policy explains how Capable Agents AB ("Capable", "we", "us", "our") handles personal data in connection with our website and our AI-native CRM service (the "Services"). It applies to visitors to our website and to the people whose personal data we process in operating the Services.
Capitalised terms not defined here have the meaning given in our Terms of Service.
1. Who we are
Capable is a limited liability company (aktiebolag) incorporated in Sweden, with organisationsnummer 559504-0444 and VAT number SE559504044401, registered office at Bäckaskiftsvägen 68, 122 42 Enskede, Sweden.
- Privacy contact / data protection point of contact:
hello@capable.run. - UK GDPR Article 27 representative: Not applicable. Capable does not currently offer the Services to, or monitor the behaviour of, data subjects in the United Kingdom, and so is not required to designate a representative under Article 27 of the UK GDPR. A UK representative will be appointed before onboarding any UK customer.
We are established in the European Union. Accordingly, we are not required to designate an EU Article 27 representative. We do not currently target or monitor data subjects in the United Kingdom; if and when we do, we will appoint a UK Article 27 representative and update this Policy.
2. Scope and our two roles
We act in two distinct roles, and the legal framing differs by role:
- Controller. For personal data relating to our own relationship with you — account and identity data, billing and contact details, website-visitor and product-usage data, and support communications — we are the controller and this Privacy Policy is our notice to you under Articles 13 and 14 GDPR.
- Processor. For Customer Data that a customer's Authorized Users submit to or generate in the Services (CRM accounts, contacts, opportunities, notes, tasks, touches, transcripts, and the limited connected Google data described below), we act as a processor on the customer's behalf. The customer is the controller and decides why and how that data is processed. Our processing of Customer Data is governed by our Data Processing Agreement ("DPA"). If you are an individual whose data appears in a customer's CRM, please direct privacy requests to that customer (the controller); we will assist them as their processor.
3. Categories of personal data we process
As controller (our own relationship with you)
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, email, profile image, organisation, role | Google Sign-In (Google OAuth) when you create or join a Workspace |
| Billing | Plan, billing contact, VAT ID, payment status (card data is handled by Stripe, not stored by us) | You / Stripe |
| Product usage (metadata) | Cookieless, metadata-minimized usage signals — for example which MCP tool was called, latency, error class, page views | Generated as you use the Services |
| Support & communications | Messages you send us and our replies | You |
| Website visitors | Limited analytics and, on our marketing website only, cookies subject to consent | Website |
As processor (Customer Data we process on a customer's behalf)
| Category | Examples |
|---|---|
| CRM records | Accounts, contacts (names, emails, titles, roles), opportunities, subscriptions, tasks, signals, notes |
| Activity & touches | Calls, emails, meetings, and LinkedIn touches logged to records |
| Meeting transcripts & recordings | Transcripts and recording links from the meeting recorder (see Section 4.2) |
| Connected Google data (metadata only) | Email header metadata and calendar event metadata used to populate the CRM (see Section 4.1) |
| Company facts | Public, company-level firmographic facts looked up by domain (see Section 4.3) |
We do not intentionally process special categories of personal data as a controller, and customers must not place special-category data in the Services except in compliance with the Acceptable Use Policy and applicable law.
4. How specific data flows work
4.1 Connected Google data — metadata only, never message bodies or calendar descriptions
When an Authorized User signs in with Google, Capable requests scopes to (a) authenticate the user, (b) read Gmail metadata, and (c) read and write limited Calendar data. We use this connected data, on the customer's instruction, to populate the CRM with accounts, contacts, and touches, and to support meeting scheduling.
- Gmail: we request the
gmail.metadatascope only. We read message header metadata (such as From, To, Cc, Date, Subject, and List-Unsubscribe). We never read the body or content of any email — the metadata scope makes message bodies inaccessible. - Calendar: we request read access (and a narrow events scope for scheduling). We read event titles, attendees, and start/end times (duration), and — only to recover a meeting join link — we may scan an event for a join URL. We never persist calendar event descriptions, locations, or attachments.
Connected Google data is used to identify business relationships and file activity to the right records. We do not sell it or use it for advertising. Google OAuth refresh tokens are stored encrypted.
4.2 Meeting recorder
If a customer enables the meeting recorder, a bot provided by Recall.ai joins the relevant video calls (Zoom, Google Meet, Microsoft Teams, Webex), records them, and the recording is transcribed using Deepgram speech-to-text (routed through Recall). The resulting transcript and recording link are stored as a meeting touch on the relevant CRM record. Recording and transcription are processor activities performed on the customer's behalf and under the customer's control of who and what is recorded. Customers are responsible for obtaining any consents required for recording in the relevant jurisdictions.
4.3 Company facts (domain-level, not individuals)
To enrich an account, we look up public, company-level facts by domain — for example industry, headquarters, employee count, founding year, logo, and brand colour — using Brandfetch and Logo.dev, cached across workspaces in a domain-facts cache. This enrichment operates at the company/domain level only; we do not perform per-person or per-contact enrichment.
4.4 How AI processing works — no server-side model calls
This is important and applies throughout: we do not make server-side calls to any large language model, and we do not send Customer Data to a model. Capable is an AI-native CRM that runs through an MCP (Model Context Protocol) server. The AI assistant is Anthropic's Claude, connected by the Authorized User under that user's own agreement with Anthropic. When an Authorized User instructs Claude, our MCP server returns the requested Customer Data into that user's own Claude session, where Anthropic processes it under the user's own Anthropic terms. Because of this architecture:
- We never transmit Customer Data to a model server ourselves.
- Anthropic processes data the user pulls into their Claude session under the user's own relationship with Anthropic — not as our sub-processor.
- This is why Anthropic is not listed on our sub-processor list; the list explains this in a footnote.
4.5 Google API Services User Data Policy — Limited Use
Capable's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Use is limited to user-facing features. Google user data is used only to provide and improve the user-facing features Capable offers — namely signing the user in, and surfacing the user's own email and calendar metadata into their CRM (see Section 4.1). We do not use it for any other purpose.
- No advertising. Google user data is not used for advertising or for any advertising purpose.
- No selling or unrelated transfer. Google user data is not sold and is not transferred to others, except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (with notice to affected users).
- No AI/ML model training. Google user data is not used to develop, improve, or train generalized or non-personalized artificial intelligence and/or machine learning models. This follows naturally from our architecture: as described in Section 4.4, Capable makes no server-side calls to any large language model and never sends Google user data to a model.
- No human reading. Humans do not read Google user data unless (a) the user gives affirmative consent to view specific data (for example, for support); (b) it is necessary for security purposes (such as investigating abuse), or to comply with applicable law; or (c) the data is aggregated and anonymized and used to improve the Services.
Consistent with the scope limits in Section 4.1, this Google user data is restricted to Gmail header metadata only — never message bodies (the gmail.metadata scope makes bodies inaccessible) and Calendar titles, attendees, duration, and a meeting join URL only — never event descriptions or attachments.
5. Purposes and legal bases (controller processing)
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Provide, operate, and support the Services; authenticate users; administer accounts and Workspaces | Performance of a contract (Art. 6(1)(b)) |
| Billing, invoicing, and collecting fees | Performance of a contract (Art. 6(1)(b)); compliance with legal obligation (Art. 6(1)(c)) for tax/accounting records |
| Cookieless product analytics to understand and improve how the Services are used | Legitimate interests (Art. 6(1)(f)) — see our Legitimate Interest Assessment summary in Section 6 |
| Securing the Services, preventing abuse, and maintaining audit logs | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Marketing communications to business contacts, and marketing-website cookies | Legitimate interests (Art. 6(1)(f)) and/or consent (Art. 6(1)(a)) where required |
| Complying with legal obligations and responding to lawful requests | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, you have the right to object (see Section 11).
6. Cookies and analytics
The logged-in app is cookieless by design. In-product analytics uses PostHog (EU-hosted) initialised with in-memory persistence — it sets no analytics cookie and uses no local storage. We process metadata-minimized usage signals on the basis of legitimate interests (a first-party, cookieless, metadata-only analysis of authenticated product use, with a one-click opt-out). Identity for analytics comes from your authenticated session, not from a cookie. Session-replay and autocapture are aggressively masked because the app renders Customer Data.
- Opt-out: every Authorized User can opt out of product analytics at Settings → You. The preference is stored server-side (cookieless) so it persists across sessions and devices.
- Consent record: we keep a durable, metadata-only consent record (a
consent_eventslog) of analytics decisions, stamped with our current consent policy version. This record never contains Customer Data. - Marketing website cookies: our separate marketing website uses essential cookies and, subject to a consent banner there, analytics cookies. Those are described in our Cookie Policy. There is no cookie banner inside the logged-in app because the app is cookieless.
7. Sharing and sub-processors
We share personal data only as needed to run the Services and our business:
- Sub-processors that process Customer Data on our behalf — for example our hosting, storage, email-delivery, error-monitoring, and analytics providers. The current list, with purpose and location, is at
legal/subprocessors.md. - Service providers that support our own operations as controller (e.g. payment processing via Stripe).
- Professional advisers, auditors, and authorities where required by law or to establish, exercise, or defend legal claims.
- Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and this Privacy Policy.
We do not sell personal data and do not share it for cross-context behavioural advertising (see Section 11.3). Anthropic is not a sub-processor — see Section 4.4 and the sub-processor list footnote.
8. International transfers
We are established in the EU and store Customer Data primarily in the European Union (our primary data store and authentication run in the EU). Some sub-processors process data outside the European Economic Area. Where we transfer personal data to a country that has not received an EU adequacy decision, Capable acts as the data exporter and we rely on appropriate safeguards under Chapter V GDPR, in particular:
- the Standard Contractual Clauses (EU SCCs) adopted by the European Commission;
- the UK International Data Transfer Addendum to the EU SCCs for transfers subject to UK GDPR; and
- the Swiss addendum for transfers subject to the Swiss Federal Act on Data Protection,
together with supplementary technical and organisational measures where appropriate. You can ask us for more information about the safeguards in place using the contact details in Section 14.
9. Retention
- Customer Data is retained for as long as the customer's account is active and then handled in accordance with the Terms of Service and DPA: a 30-day post-termination export window, after which Customer Data is deleted or returned, subject to our soft-deletion model and backup cycles and to any retention required by law.
- We use soft deletion across the Services; soft-deleted records are removed from active use and purged on our normal cycles.
- Backups (including point-in-time recovery) are retained for a limited rolling window and then expire; data deleted from production is removed from backups as those backups age out.
- Account and billing records we hold as controller are retained for the life of the relationship and for the period required by applicable tax and accounting law (in Sweden, generally up to seven years for accounting records).
- Usage and consent logs are retained in metadata-minimized form for as long as needed for the purposes described, then deleted or aggregated.
We will delete or anonymise personal data when it is no longer needed for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
10. Security
We build to SOC 2 principles (we are not yet SOC 2 certified) and apply technical and organisational measures appropriate to the risk, including: encryption in transit (HTTPS) and at rest; least-privilege access with required single sign-on; documented access controls; audit logging from day one; backups with point-in-time recovery and a disaster-recovery plan; an incident-response process; and vendor (sub-processor) management. More detail is in our Security overview and in Annex II of the DPA. Our error-monitoring is configured not to send personal data by default.
11. Your rights
11.1 GDPR and UK GDPR
Subject to the conditions in the GDPR and UK GDPR, you have the right to: access your personal data; rectify inaccurate data; erase data ("right to be forgotten"); restrict processing; data portability; object to processing based on legitimate interests (including direct marketing); and not be subject to solely automated decisions producing legal or similarly significant effects. Where we rely on consent, you may withdraw it at any time without affecting prior processing.
If your personal data appears in a customer's CRM, that customer is the controller; we will refer your request to them and assist as their processor.
How to exercise your rights: contact hello@capable.run. We respond within the timeframes required by law. You have the right to lodge a complaint with a supervisory authority — for Capable, the lead authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten / IMY, imy.se) — and you may also complain to the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
11.2 California (CCPA/CPRA) and other US state privacy laws
Where the CCPA/CPRA applies, you have rights to know/access, delete, correct, and to opt out of the "sale" or "sharing" of personal information and of certain targeted advertising, and the right not to be discriminated against for exercising these rights. To exercise them, contact hello@capable.run.
11.3 We do not sell or share personal information
We do not "sell" personal information and we do not "share" it for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA. Our cookieless, first-party product analytics is not a sale or a share: it is metadata-minimized, runs on legitimate interest, sets no advertising identifiers, and is not disclosed to third parties for advertising. For Customer Data, we act as a service provider/processor and process it only on the customer's documented instructions.
12. Children
The Services are a business tool not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact hello@capable.run and we will take appropriate steps.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and version number and, for material changes, provide additional notice. Where a change materially affects analytics consent, we bump the consent policy version.
14. Contact
- Privacy & security:
hello@capable.run - Postal: Capable Agents AB, Bäckaskiftsvägen 68, 122 42 Enskede, Sweden
- UK GDPR representative: Not applicable (no UK Article 27 representative appointed — see "Who we are")
- Lead supervisory authority: Integritetsskyddsmyndigheten (IMY), Sweden