Privacy Policy
Last updated: July 16, 2026
SFRM (Student Founder Relation Management) is a personal CRM for student founders. This policy explains what the hosted version at sfrm.network stores, who else can see it, and how to get rid of it. It is short because the app does not do much with your data: there is no analytics, no tracking, no advertising, and nothing is sold.
What we store
- Your account. Your name, email address, and a hashed password. If you sign in, we keep a session cookie so you stay signed in.
- Your profile. Anything you choose to add in Settings — bio, school, country, timezone, avatar, and a resume file if you upload one.
- Everything you put in the app. Your connections and their details (name, role, company, email, phone, location, LinkedIn, birthday, tags, notes, and logged interactions), your projects, tasks, stages, outreach records, and events — including names of people you note meeting at an event.
- A Google connection, if you make one. If you link a Google account, we store your Google account ID, the email on it, and your access and refresh tokens (encrypted at rest). See below.
We do not use cookies for tracking. The only cookies SFRM sets are the ones needed to keep you signed in and to complete a Google connection.
Data about other people
Most of what SFRM holds is information about people who are not SFRM users and never signed up — that is what a rolodex is. You are responsible for what you record about them and for having a legitimate reason to keep it. Only you can see your records; we do not build a shared or cross-user directory out of them, and one user’s data is never shown to another.
Who we share it with
SFRM sends data to three outside services, and no others.
- Supabase hosts the whole thing — accounts, database, and uploaded resumes — and sends account emails such as password resets. All of your data lives here.
- OpenRouterpowers Quick Add, the box that turns a typed sentence into records. When you use it, we send what you typed and today’s date to a language model through OpenRouter. To let the model find the right record, it may also receive names, companies, roles, and titles of matching connections, events, and outreach entries already in your account. If you would rather no contact data reach a model provider, do not use Quick Add — the rest of the app never calls it.
- Google, only if you connect a Google account. We send Google your email as a sign-in hint during the connection and exchange tokens with it.
We do not sell your data, share it with advertisers, or hand it to anyone else except where the law requires it.
About the Google connection
Connecting Google currently asks for permission to read your Gmail. To be straightforward about it: SFRM does not read your mail today. The permission is requested and the token stored for a mail-matching feature that is not built yet. Nothing in the app reads, imports, or analyzes your messages. If that changes, this policy will change first. You can disconnect Google at any time from Settings, which deletes the stored tokens, and you can also revoke access from your Google account settings.
How it is protected
Every record is tied to your account and enforced at the database level, so another user cannot read your rows even in the event of a bug in the app. Resume uploads live in a private storage bucket scoped to your account. Google tokens are encrypted before being stored. No system is perfect, and SFRM is a small open-source project run by a student — please do not store anything you could not stand to lose or leak.
Getting, keeping, and deleting your data
We keep your data for as long as your account exists. You can edit or delete individual records in the app at any time, and Settings → Export will download everything you have — people, projects, tasks, events, and notes — as a JSON file, whenever you want and without asking us. To have your account and everything in it deleted, open an issue and ask — we will remove it. Backups may take a short while longer to age out.
Changes and contact
If this policy changes in a way that matters, the date above changes and the update will be visible in the public repository. Questions or requests: open an issue on GitHub.