We're a bootstrapped team of 4 and we've been building our personal CRM app for over a year. As the original founder and CEO, I've been waiting for this day for a loooong time!
I finally love my own app and use it on a daily basis (hopefully you will too).
We've already launched a long time ago but today we're launching a new feature: Note taking, straight from your inbox.
We email you before every meeting with all the notes you've taken about the person you're going to meet, and you simply have to reply to the email to log a note! That makes it the easiest way to build your database of notes about your contacts.
I know that there are tons of people who have tried to build a personal CRM and that everyone has their own opinion on how the "right" personal CRM should work.
Personally, we've decided that:
- it should be fully automated (sync with calendar and email)
- super simple to use (no complex and clunky interface)
- it should be magic (our app tells you who you're losing touch with based on your data)
And you? What are you looking for in a personal CRM?
Landing page seems interesting, but just a word of advice as constructive criticism, hopefully. A Show HN must allow us to sign up or use the app immediately, and it looks like we cannot do that right now since it requires onboarding due to Gmail limitations.
I read it as referring to unfinished products that don't yet exist. What if you're making a Google Calendar extension? Wouldn't that be allowed as a Show HN?
Hey! It is immediately accessible, sorry for this not being clear!
The note taking app within email is free and directly accessible, there are multiple calls to action on the page but here is a shortcut to get started: https://calendar.nat.app
Our paying/main app (the personal CRM app that tells you who you're losing touch with) is on a request-only basis because it works with Gmail and we're limited in the number of users we can onboard for now.
I strongly disagree with your tagline. I think the only way such note taking should be done is open source and completely private; otherwise a) you're locked in and b) you risk sensitive info leaking.
> Your Gmail data is only used by machines. Our team won't read or access any of your email data unless you explicitly ask for it (for support for ex.)
"Won't" means nothing. The word you're looking for is "can't"
> By default, we don't share any data with third parties. The only exception to this rule is Mixpanel, our analytics app, which receives information about how you use our app only.
Yeeaaaaah your privacy policy directly states that if you're acquired or go out of business, user data will be transferred or sold.
> As required by Google, the authentication tokens we use to retrieve your Gmail data are safely encrypted in our database.
"We do what is required" isn't convincing me you take privacy seriously, and...encrypted how? A password in the database server's config file?
> Access to production environments is limited to authorized team members only.
And....who are authorized team members? "Authorized team members" could mean "the entire engineering and QA teams, plus the marketing intern collecting demographic data reports."
Your statement doesn't distinguish between user data and the production environment as a whole; it doesn't commit to strictly keeping access to production AND user data to the bare minimum required.
> We use the industry-standard 256-bit encryption with SSL.
...like everyone else? This does not inspire faith that your company has exemplary network security if you think this is worth mentioning.
> Key passwords are updated on a quarterly basis to reduce risks.
You think quarterly password rotation is a noteworthy, or even effective, security practice? You're using passwords as your sole authentication for employees? O_o
You make no mention of your policies with regards to law enforcement. Do you commit to only releasing data when served with a warrant or subpoena, or can Officer Bob call you up and explain how he's investigating a Really Bad Person and you'll hand over their data? Seems the answer is yes, you will:
> "Nat discloses potentially personally-identifying and personally-identifying information only in response to a subpoena, court order or other governmental request, or when Nat believes in good faith that disclosure is reasonably necessary to protect the property or rights of Nat, third parties or the public at large."
What country is your organization incorporated in? What country is user data kept in and thus what laws is it subject to? Is the data stored in the cloud? A server in your uncle's basement?
You make no mention of systems to assure only a minimum number of designated employees have the access they need when they need it, i.e. a support team member cannot access a customer's data unless there is an open case verified as initiated by the customer.
You make no mention of how or whether data is encrypted; it seems only Gmail auth tokens are?
You should be using hardware token 2FA for critical employee access and 2FA everywhere else...not rotating passwords quarterly. You should be using vaults for every password used in production. All access should be logged and audited by an outside party.
It's of course fine to make the case for privacy and security in a product like this, but please do it without snark and especially without being an internet asshole. Those things are destructive of the ecosystem here, and the ecosystem is more important than any particular thread or product.
I'm sure you wouldn't litter in a city park or dump motor oil into a lake, so please don't do the analogical things on HN.
I was already put off by the email-centric flow of this (I want to spend less time in my email inbox, not more), but it looks like from this comment that signing up requires me to authorize nat.app to read my Gmail?
Complete non-starter for me. So many reset flows go through email these days that your primary email is the keys to the kingdom.
I could set up a specific email account on my domain just for nat.app but the whole point of this CRM is that it's in the same flow as the rest of my email, isn't it?
They are using a 3rd party keylogging service on the front-page. Most of these services also use them in the app itself, which isn't what the keyloggers were designed for. I'm at the point now that when I see these tools being used on the front-page I won't even bother with a trial.
Thank you so much for sharing your thoughts on the way we describe our privacy policy. It seems like you created an account just for this; that's really nice! Thanks!
We'll review your comment with the team this week and update our pages accordingly.
But really, we're not trying to pretend something and actually use data in a bad way.
We want to build a long term business that is totally based on trust and we really appreciate comments like yours that show that we still have a long way to go in the way we explain the use of our data.
Thanks again, I'll update this post once we've improved our /privacy page based on your comments.
> we're not trying to pretend something and actually use data in a bad way
When it comes to privacy, people actually want to know that YOU can't be exploited into giving up information. If you can access something, what prevents someone from hacking your system and getting our data? That's the point, not your intent. It's that you are an attack vector now. What are you doing to mitigate this?
Gotcha, makes sense. I just wanted to clarify this.
We're really doing everything we can to make sure the data you share with us is safe. Encrypting Google access tokens, updating passwords regularly and using 2FA are a few examples.
But then, we're not un-hackable, of course. Zero risk does not exist, and that's something every user is, and should be, aware of.
We don't have the same budget for security as big companies and even they get hacked.
I do not think that we host the kind of data that a hacker would like to acquire. Notes we take are usually pretty low-risk data. This is probably what protects us the most.
The notes I take sometimes contain PII (personally identifying information) about other people, sometimes notes about things I'm investigating for someone that they would be distressed to find had ended up "on the internet", and sometimes commercial secrets (about jobs, clients, etc. that they share with me under NDA). And I'm just a lowly programmer and dogsbody doing random client work.
Now consider a therapist who finds your product useful for their personal notes and doesn't realise what they are getting into.
> I do not think that we host the kind of data that a hacker would like to acquire
Hackers don't tend to go for data they would find valuable themselves.
They go for data the author of the data finds valuable for themselves (which notes may be by definition), or just as likely, specifically don't want anyone else to read. An example of the former is all those ransomware attacks. An example of the latter is the above link to the private notes blackmail incident.
> I do not think that we host the kind of data that a hacker would like to acquire
Please don't minimize this. You lose trust when you minimize a valid concern.
> Risk 0 does not exist
If someone is willing to educate you on the matter, they might already know such trivial things. Which is why I initially said "what are you doing to minimize this". You mentioned some above. I'd encourage you to look into more techniques to minimize it even further. This would build trust with those you are asking to spend money with you.
Thanks for the feedback! We'll always work on making our app more secure! We can only succeed at building a long lasting business if we're able to build trust with our users.
Seems like this user only created an HN account to pull apart the privacy policy statements...
Although good and constructive criticism, it is harsh on a team that is trying to launch something into this world, and it scares off other users considering this service. I bet one could go through the privacy statement of a large co like YouTube / Facebook and nitpick similar issues. Of course it should be aligned, although I think it never is; a privacy statement is definitely not a reflection of how good a product's security is.
This is a really awful place to show off a product if you don't want honest feedback. If I were launching something new, the post above yours is exactly the kind of potential customer's perspective I'd hope to get.
I am looking for something that integrates with the communication tools I actually use when I get in touch with them, and for me that is not email and calendars... for me that is chat (WhatsApp).
I take notes on my iPad. I love it because I can type, record audio, sketch, include photos, annotate PDFs, etc... How would your service help someone like me?
What makes us special is that:
- you can write notes from your inbox without having to open a web app or so
- you get those notes in an email before your next meeting
If you care more about being able to draw/record, etc., then Evernote is a much better option.