Privacy Policy

Last updated: April 18, 2026

1. Who We Are

OneThing (“we”, “us”, “our”) is a real estate CRM and IDX website platform operated by Makra Inc., based in Ontario, Canada. Our platform is available at 1thing.ca.

This policy explains how we collect, use, and protect personal information from real estate professionals (“Users”) who sign up for our service, and from the leads and contacts that Users manage inside our platform (“Contacts”). It is written to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and equivalent privacy frameworks where applicable.

If you have any questions, contact us at privacy@1thing.ca.

2. Information We Collect

From Users (account holders)

  • Name, email address, phone number, brokerage name
  • Account credentials (passwords are hashed with bcrypt and never stored in plain text)
  • Billing information processed through Stripe. We never store card numbers.
  • Usage data: pages visited, features used, actions performed, timestamps
  • Device and browser information for security and troubleshooting
  • OAuth access and refresh tokens for any third-party integration you choose to connect (Google, Microsoft, Zoom, Dialpad, RingCentral). Tokens are encrypted at rest.

From Contacts (leads and contacts Users add to the platform)

  • Name, email, phone, mailing address
  • Property interests, notes, communication history
  • Custom fields configured by the User

Contact data is entered by our Users. Users are responsible for ensuring they have the legal right to collect and store information about their Contacts under PIPEDA, CASL, or any applicable privacy law in their jurisdiction.

Usage Data

Standard server logs (IP address, browser type, pages visited, timestamps) are collected for security and performance monitoring. We do not sell this data.

3. How We Use Your Information

  • To provide, operate, and improve the OneThing platform
  • To authenticate Users and secure accounts (including two-factor authentication)
  • To process payments and manage subscriptions through Stripe
  • To sync and display your emails, calendar events, meetings, and call history inside the CRM
  • To send emails on your behalf from your connected email account, when you initiate the send
  • To create calendar events and Zoom / Google Meet meeting links on your behalf, when you initiate the creation
  • To place outbound calls and handle inbound calls through your connected VoIP provider
  • To transcribe voicemails via the OpenAI Whisper API and store the resulting transcript alongside the call activity
  • To send you transactional emails (billing receipts, password resets, service notifications) and, with your opt-in, product updates
  • To detect, investigate, and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not sell, rent, or trade your personal information or your third-party integration data. We do not use Contact data or integration data to train machine learning models outside of your own workspace. When we send data to OpenAI's API for voicemail transcription, the data is not used to train OpenAI's models, per OpenAI's API data-usage policy.

4. Google Integration — Specific Disclosures

If you connect a Google account, we request the following permissions:

  • gmail.readonly — read your Gmail inbox to display emails alongside CRM contacts and deals. Email metadata (sender, subject, date) and body content are stored in our database to power search and contact linking.
  • gmail.send — send emails on your behalf using your Gmail account as the sender.
  • calendar.events — create, read, and update calendar events for meetings and showings scheduled in the CRM, and generate Google Meet links attached to those events.

We do not use Google data to serve advertisements. We do not transfer Google user data to third parties except as necessary to provide the service (our database provider). Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Microsoft Integration — Specific Disclosures

If you connect a Microsoft account, we request equivalent permissions for Outlook email (read and send) and Outlook Calendar (create and update events). The same data handling rules as Google apply: no advertising use, no resale, no use for training machine learning models.

6. Zoom Integration — Specific Disclosures

If you connect a Zoom account, OneThing uses both Zoom Meetings and Zoom Phone capabilities. We request the minimum scopes required and no more. A full list of the scopes we request and why is published at /docs/zoom.

Zoom Meetings

  • We create scheduled Zoom meetings on your behalf when you generate a Zoom link from a CRM activity. We store the meeting ID, join URL, start time, and duration alongside the CRM activity that created it.
  • We do not join meetings, access meeting recordings created outside OneThing, access meeting transcripts, access meeting chat, or modify meetings that were not created through OneThing.

Zoom Phone

  • Outbound calls use the zoomphonecall:// URI scheme to hand off the call to your Zoom desktop or mobile app. OneThing does not intermediate voice traffic — the call is placed entirely by the Zoom client.
  • Call lifecycle events (ringing, answered, ended) arrive via Zoom webhook. We process these to update the CRM in real time and create Call Activity records.
  • Call metadata (direction, from / to numbers, duration, timestamp) is stored as a Call Activity linked to the matched contact, lead, or deal.
  • Call recordings — we store a Zoom-hosted reference URL so you can play recordings back inside the CRM. We do not copy recording audio to OneThing storage. Playback streams directly from Zoom using a short-lived URL.
  • Voicemails — we download voicemail audio briefly in order to transcribe it via the OpenAI Whisper API. The audio file is discarded after transcription completes; only the resulting transcript is retained on the Call Activity. OpenAI's API does not retain data for training.

Revoking Zoom access

You can disconnect Zoom at any time from Settings → Calendar in the CRM, which deletes our stored tokens immediately and stops all webhook processing for your account. You can also revoke access directly in Zoom App Marketplace → Installed Apps.

7. Dialpad and RingCentral — Specific Disclosures

If you connect a Dialpad or RingCentral account, OneThing receives call lifecycle webhooks (ringing, answered, ended) and voicemail and recording notifications the same way it does for Zoom Phone. Call metadata is stored as Call Activity records. Recordings are referenced by Dialpad- or RingCentral-hosted URL and not re-hosted by OneThing. Voicemails are transcribed via OpenAI Whisper in the same manner as Zoom.

OAuth tokens for Dialpad and RingCentral are encrypted at rest and revocable at any time from Settings → Integrations in the CRM.

8. Data Storage and Security

  • Data is hosted in Supabase’s AWS infrastructure, primary region us-east-1. File attachments are stored in Supabase Storage, encrypted at rest.
  • Row-Level Security (RLS) ensures each tenant (brokerage) can only access its own data.
  • Passwords are hashed with bcrypt.
  • OAuth tokens are encrypted at rest.
  • Two-factor authentication (2FA) is available to all users via authenticator apps or email / SMS codes.
  • All data transmission uses TLS 1.2+.

9. Data Retention

We retain your account data for as long as your subscription is active. The following retention rules apply to specific data categories:

  • Account and CRM data (contacts, deals, leads, notes, activities) — retained for the life of the account. On cancellation, retained for 30 days to allow account recovery, then deleted.
  • OAuth tokens — deleted immediately on disconnect.
  • Synced email content (from Gmail or Outlook) — retained while the account is active; deleted within 30 days of integration disconnect.
  • Voicemail audio — not retained. Processed for transcription and discarded.
  • Voicemail transcripts — retained as part of the Call Activity; deleted with the activity.
  • Call recording references — retained as part of the Call Activity. The underlying recording lives on the VoIP provider (Zoom, Dialpad, RingCentral); retention there is governed by the provider's settings.
  • Server logs — 30 days, for security and performance monitoring.
  • Audit logs and billing records — retained as long as required by law, typically seven years for financial records.

You may request deletion of your account and all associated data at any time by emailing privacy@1thing.ca or using the delete account option in Settings.

10. Third-Party Services

OneThing uses the following third-party services to operate the platform. When you use these integrations, you are also subject to their respective privacy policies.

  • Supabase — database, authentication, and file storage (AWS us-east-1)
  • Vercel — application hosting, serverless function execution, and content delivery (global edge)
  • Stripe — payment processing. We never store card numbers.
  • Resend — transactional email delivery (billing receipts, password resets, notifications)
  • Twilio — SMS delivery when enabled
  • OpenAI — voicemail transcription via Whisper API, and AI summary features. Data sent to the OpenAI API is not used to train OpenAI models.
  • Google LLC — Gmail and Google Calendar integration, with your explicit OAuth consent
  • Microsoft Corporation — Outlook and Microsoft Calendar integration, with your explicit OAuth consent
  • Zoom Video Communications — Meetings and Zoom Phone, with your explicit OAuth consent
  • Dialpad — VoIP provider, with your explicit OAuth consent
  • RingCentral — VoIP provider, with your explicit OAuth consent
  • Pusher / Supabase Realtime — real-time notifications to your browser (call banners, message delivery)

We share only the minimum data necessary for each integration to function. OAuth tokens are stored encrypted and can be revoked from your account settings at any time.

11. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and data
  • Export your data (contacts, deals, leads, activities) in a portable format
  • Object to specific processing activities
  • Revoke OAuth access to any integration at any time, either through the provider's account settings or from within OneThing Settings

To exercise any of these rights, email privacy@1thing.ca. We respond within 30 days as required by PIPEDA.

12. Cookies

We use session cookies for authentication. We do not use advertising or tracking cookies. No third-party analytics cookies are set without your consent.

13. Children's Privacy

OneThing is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by a notice inside the platform at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

15. Contact

Makra Inc.
Ontario, Canada
Privacy requests: privacy@1thing.ca
General support: support@1thing.ca