Skip to content

Permissions & data

When you install Conversion Toolkit, the platform asks you to approve a small set of permissions (scopes). We request the minimum needed to do the job. Here’s exactly what each one is for.

The permissions we use

PermissionWhy we need itRequired?
Write contacts (contacts.write)To save a captured lead onto a contact — create/update the contact and add tags, a note, and result valuesYes — this is the core of the app
Manage custom fields (locations/customFields.write + .readonly)So a calculator can save its results into their own contact fields (CT · …), reusing existing fields instead of duplicatingOptional — only used by the “Save results to CRM” feature

That’s it. If you never use the calculator’s “Save results to CRM” option, only the first permission ever does anything.

What we read vs. write

We write (into your sub-account, only when a lead is captured or you save a widget):

  • A contact (email, and optionally name and phone)
  • Tags on that contact
  • A note summarizing the result or answers
  • For calculators: custom-field definitions (created once) and their values

We read almost nothing: only your location’s existing custom-field names — and only so we can reuse a field instead of creating a duplicate.

Why the admin app is safe

Conversion Toolkit’s settings live inside the platform as a secured page. When you open it, the platform cryptographically tells the app who you are and which sub-account you’re in (using a shared secret only the platform and the app know). The app verifies that, confirms the app is actually installed for that sub-account, and only then lets you manage widgets. You can never see or touch another business’s widgets or leads.

How your leads stay protected

  • Lead writes happen on our server using your sub-account’s own authorization — a visitor’s browser is never trusted to write to your CRM.
  • Everything is scoped to your sub-account. One location’s data is never visible to another.
  • Submissions are treated as untrusted. We re-derive things like prize codes and quiz tags from your saved settings, not from whatever the browser sends — so a tampered submission can’t inject fake tags or values. Spam guards (a honeypot, rate limiting) run server-side.
  • If a permission is missing, capture still works where it can — for example, without the custom fields permission, a calculator’s results simply land in the contact note instead of dedicated fields. Nothing breaks.

Questions about data?

Email support@jtkapps.com and we’ll answer plainly. For the technical version of how all this fits together, see How it works.