Privacy Policy
Product: BitCommissions24
Effective Date: May 5, 2026
Last Updated: May 5, 2026
1. Introduction
This Privacy Policy explains how BitCommissions24 (hereinafter "the Application," "we," or "the Developer") collects, stores, processes, and protects information in connection with your use of the Application within the Bitrix24 CRM platform.
By installing or using the Application, you ("Tenant," "User," or "You") acknowledge that you have read, understood, and agree to the data practices described in this Privacy Policy.
This Policy should be read alongside our Terms of Service.
2. Scope of This Policy
This Privacy Policy applies to:
- Data collected from Bitrix24 portal administrators who install and configure the Application;
- Data relating to sales representatives whose commission activity is tracked by the Application;
- Data generated by CRM events (e.g., deal closures, invoice updates) processed through the Application's backend services.
This Policy does not apply to:
- The Bitrix24 platform itself — refer to Bitrix24's own Privacy Policy for their data practices;
- Stripe's payment processing — governed by Stripe's Privacy Policy;
- Cloudflare's infrastructure services — governed by Cloudflare's Privacy Policy.
3. Information We Collect
3.1 Portal and Tenant Identification Data
When You install the Application, we collect and store the following identifying information about your Bitrix24 portal:
| Data Point | Purpose |
|---|---|
| Portal Member ID (member_id) | Unique identifier for your portal; used to partition all stored data exclusively to your tenant |
| Portal Domain | Your Bitrix24 portal URL (e.g., yourcompany.bitrix24.com); used for OAuth token management and webhook routing |
| Bitrix24 OAuth Tokens | Access and refresh tokens granted by your portal; used exclusively to call Bitrix24's REST API on your behalf |
| App Settings | Configuration values such as base currency, fiscal period type, commission entity references, and webhook registration state |
OAuth tokens are stored encrypted at rest using AES-256-GCM encryption with a per-tenant PBKDF2-derived key (100,000 iterations). They are never transmitted to third parties and are only used for authorized Bitrix24 API operations.
3.2 CRM Event Data (Webhook Events)
The Application listens for CRM events from your Bitrix24 portal via registered webhooks (e.g., deal created, deal updated, deal deleted). For each event received, we store:
| Data Point | Retention |
|---|---|
| Event type (e.g., ONCRMDEALADD) | 90 days |
| Entity ID referenced by the event | 90 days |
| Entity type ID | 90 days |
| Processing status and outcome | 90 days |
| Rule match results (which rules were applied) | 90 days |
| Processing duration (milliseconds) | 90 days |
This event log is used for idempotency (preventing duplicate commission entries), debugging, and operational audit purposes. Logs are automatically purged after 90 days.
3.3 Commission Rule Data
Commission rules that You define within the Application — including rule names, trigger conditions, calculation formulas, and configuration parameters — are stored in our database and mirrored to your Bitrix24 portal's native Data Storage for CRM-level visibility.
3.4 Commission Journal Data
Commission journal entries generated by the Application — including calculated commission amounts, sales representative identifiers, deal references, status history, and approval records — are stored primarily within your Bitrix24 portal's Data Storage (cmn_journal entity). A synchronized operational record is maintained in our database to support real-time querying, reporting, and status management.
Commission journal data contains:
- Internal user IDs (Bitrix24 numeric user identifiers, not names or contact details);
- CRM entity references (deal IDs, invoice IDs);
- Monetary commission values;
- Status history and transition timestamps;
- Audit snapshots of the data state at the time of calculation.
3.5 Activity Log Data
The Application maintains an immutable activity log of significant events (commission status changes, manual adjustments, approvals, clawbacks) for audit and accountability purposes. Entries in the activity log include:
- Event type and timestamp;
- Actor ID (Bitrix24 user ID of the person who performed the action, or "System" for automated events);
- The commission record affected;
- Metadata relevant to the event.
3.6 Usage and Operational Data
We collect minimal technical and operational data to ensure the Application functions correctly:
- API request logs (request ID, endpoint called, response time, status code) — retained for operational debugging, not sold or shared;
- Queue processing metrics (batch size, retry counts, processing duration);
- License and subscription status as reported by our licensing partner.
We do not collect:
- Browser cookies or tracking pixels;
- Behavioral analytics or advertising identifiers;
- Personal contact details of your sales representatives (we only process Bitrix24 numeric user IDs).
4. How We Use Your Data
We use the data collected exclusively to:
- Deliver the core service — calculating commissions, generating journal entries, processing CRM events, and routing approval workflows;
- Maintain service integrity — ensuring idempotency of commission calculations, preventing duplicate entries, and reconciling data across Bitrix24 and our database;
- Provide reporting and analytics — generating period summaries, dashboards, and audit trails within the Application;
- Manage your subscription — verifying license status, enforcing plan limits, and communicating subscription events;
- Improve the Application — using aggregated, anonymized operational metrics to identify performance bottlenecks and improve reliability;
- Comply with legal obligations — retaining records as required by applicable law.
We do not:
- Sell, rent, or trade your data to any third party for marketing or advertising purposes;
- Use your commission or CRM data to train machine learning models accessible to third parties;
- Access your Bitrix24 CRM data for any purpose other than the commission-related functions you have configured within the Application.
5. Data Storage Architecture
5.1 Bitrix24 Data Storage (Primary Business Data)
Commission journal entries and commission rule configurations are stored within your Bitrix24 portal's native Data Storage (entity.item.* API). This means the data physically resides within Bitrix24's infrastructure, subject to your portal's own data residency and privacy settings.
Data stored here:
- Commission journal snapshots (formula inputs, calculation results, representative data, approval records)
- Commission rule metadata (when applicable)
5.2 Cloudflare D1 (Operational Data)
Operational and configuration data is stored in a Cloudflare D1 SQLite database, hosted within Cloudflare's global network.
Data stored here:
- Encrypted OAuth tokens
- Portal configuration (app settings)
- Webhook event logs (90-day retention)
- API queue state
- Activity log
- Daily commission snapshots (pre-aggregated)
- Commission journal index (D1-side copy for SQL querying)
All data is partitioned by portal Member ID — no data from one portal can be accessed by another.
Cloudflare D1 storage is located within Cloudflare's global infrastructure. For information on Cloudflare's data center locations, refer to Cloudflare's website.
5.3 Data Encryption
- In transit: All communication between your browser, the Application backend, and Bitrix24 uses TLS 1.2 or higher.
- At rest: OAuth tokens are encrypted using AES-256-GCM with a per-tenant derived key. Other operational data in Cloudflare D1 is protected by Cloudflare's platform-level encryption.
6. Data Sharing and Disclosure
We do not sell, trade, or disclose your data to third parties, except in the following limited circumstances:
6.1 Service Providers
We share minimal data with the following sub-processors solely to deliver the Application's functionality:
| Sub-Processor | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Infrastructure hosting, database, queue, CDN | Operational data (encrypted tokens, event logs, settings) |
| Bitrix24 | CRM platform integration | Commission data written back to your portal via REST API |
| Stripe / OIA | Subscription billing and licensing | Billing contact information; subscription status |
6.2 Legal Requirements
We may disclose data if required to do so by law, regulation, court order, or governmental authority, or if we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of the Developer, our users, or the public.
6.3 Business Transfer
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified via a notice within the Application or by email before your data is transferred and becomes subject to a different privacy policy.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| OAuth tokens | Retained while your subscription is active; purged within 90 days of uninstallation or account deletion |
| App settings and configuration | Retained while your subscription is active; purged on full data deletion request |
| Commission journal entries (Bitrix24 Data Storage) | Retained within your Bitrix24 portal per Bitrix24's policies; removed on your request or portal deletion |
| Commission journal index (D1) | Retained while subscription is active; purged on data deletion request |
| Webhook event logs | 90 days from event date, automatically purged |
| API queue records | 90 days from queue entry date, automatically purged |
| Activity log | Retained while subscription is active; purged on data deletion request |
| Daily snapshots | Retained while subscription is active; purged on data deletion request |
8. Your Rights and Data Control
8.1 Access
You may access your commission journal data, rule configurations, and application settings at any time through the Application's interface within your Bitrix24 portal.
8.2 Export
Depending on your subscription plan, you may export commission data (CSV format) directly from the Application. Enterprise subscribers have access to full export capabilities.
8.3 Deletion
You may request deletion of your data through:
- The Application's Settings → Data Management panel (self-service deletion by period, representative, or full wipe);
- Uninstalling the Application from your Bitrix24 portal (triggers automated data purge);
- Contacting support directly.
Data within Bitrix24's own Data Storage (cmn_journal entity) is deleted via the Application's data management tools, which issue the appropriate Bitrix24 REST API calls to remove those records from your portal.
8.4 Correction
If you believe commission data processed by the Application is inaccurate, you may use the Application's manual adjustment and override features (available to portal administrators) to correct records.
8.5 GDPR and Applicable Data Protection Laws
If you are located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data protection laws (e.g., GDPR, UK GDPR, LGPD, POPIA), you may have additional rights including:
- The right to data portability;
- The right to restrict processing;
- The right to object to processing;
- The right to lodge a complaint with a supervisory authority.
To exercise any of these rights, contact us using the details in Section 11.
The legal basis for processing your data is:
- Contractual necessity — we must process data to deliver the service you have contracted with us;
- Legitimate interests — operational logging and security monitoring;
- Legal obligation — where required by law.
9. Security
We implement the following security measures to protect your data:
- Encryption at rest: AES-256-GCM for OAuth tokens; Cloudflare platform encryption for all D1 data;
- Encryption in transit: TLS 1.2+ for all API and browser communications;
- Tenant isolation: All stored data is strictly partitioned by portal Member ID; no cross-tenant queries are possible by design;
- Distributed locking: Mechanisms in place to prevent race conditions during token refresh and concurrent commission processing;
- Access controls: Administrative features within the Application require Bitrix24 administrator privileges; all API endpoints validate the requesting portal's identity before processing;
- No raw password storage: We do not collect or store Bitrix24 user passwords.
In the event of a security breach affecting your data, we will notify affected Tenants in accordance with applicable law.
10. Children's Privacy
The Application is designed for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor's data has been submitted to the Application, please contact us immediately so we can take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Application's functionality. When changes are made, we will update the "Last Updated" date at the top of this document and, where appropriate, notify active Tenants through the Application's notification system.
Your continued use of the Application after any changes to this Policy constitutes your acceptance of the revised terms.
12. Contact Information
For privacy-related questions, data deletion requests, or to exercise your data protection rights, please contact us through:
- The built-in support channel within the Application's settings panel;
- The contact details listed on the Application's official Bitrix24 Marketplace listing page.
We aim to respond to all privacy inquiries within 5 business days.
© 2026 BitCommissions24. All rights reserved.