Permissions & data
When you install Conversion Toolkit, the platform asks you to approve a small set of permissions (scopes). We request the minimum needed to do the job. Here’s exactly what each one is for.
The permissions we use
| Permission | Why we need it | Required? |
|---|---|---|
Write contacts (contacts.write) | To save a captured lead onto a contact — create/update the contact and add tags, a note, and result values | Yes — this is the core of the app |
Manage custom fields (locations/customFields.write + .readonly) | So a calculator can save its results into their own contact fields (CT · …), reusing existing fields instead of duplicating | Optional — only used by the “Save results to CRM” feature |
That’s it. If you never use the calculator’s “Save results to CRM” option, only the first permission ever does anything.
What we read vs. write
We write (into your sub-account, only when a lead is captured or you save a widget):
- A contact (email, and optionally name and phone)
- Tags on that contact
- A note summarizing the result or answers
- For calculators: custom-field definitions (created once) and their values
We read almost nothing: only your location’s existing custom-field names — and only so we can reuse a field instead of creating a duplicate.
Why the admin app is safe
Conversion Toolkit’s settings live inside the platform as a secured page. When you open it, the platform cryptographically tells the app who you are and which sub-account you’re in (using a shared secret only the platform and the app know). The app verifies that, confirms the app is actually installed for that sub-account, and only then lets you manage widgets. You can never see or touch another business’s widgets or leads.
How your leads stay protected
- Lead writes happen on our server using your sub-account’s own authorization — a visitor’s browser is never trusted to write to your CRM.
- Everything is scoped to your sub-account. One location’s data is never visible to another.
- Submissions are treated as untrusted. We re-derive things like prize codes and quiz tags from your saved settings, not from whatever the browser sends — so a tampered submission can’t inject fake tags or values. Spam guards (a honeypot, rate limiting) run server-side.
- If a permission is missing, capture still works where it can — for example, without the custom fields permission, a calculator’s results simply land in the contact note instead of dedicated fields. Nothing breaks.
Questions about data?
Email support@jtkapps.com and we’ll answer plainly. For the technical version of how all this fits together, see How it works.