OpenFPGA CRM

Privacy Policy

Effective Date: March 14, 2026

This Privacy Policy describes how OpenFPGA, Inc. ("OpenFPGA," "we," "us," or "our") collects, uses, and handles information in connection with the OpenFPGA CRM application ("Service"). The Service is a private, internal tool available to OpenFPGA team members and authorized partners only.

1. Information We Collect

We collect the following categories of information when you use the Service:

Account Information

• Name and email address provided at registration;
• Encrypted password credentials managed via Supabase Auth.

Google OAuth Data (collected only when you connect your Google account)

• OAuth access and refresh tokens, stored securely to maintain your Google integration;
• Gmail metadata: sender and recipient email addresses, subject lines, and message timestamps — used to log communication interactions. Email body content is not stored;
• Google Calendar event metadata: event title, attendees, date, and time — used to log meeting records.

CRM Data You Enter

• Company names and contact information (names, email addresses, phone numbers, titles);
• Interaction logs, meeting notes, and relationship records;
• Documents and files you upload to the Service.

Usage and Technical Data

• Log data such as IP address, browser type, and pages accessed;
• Session information for authentication and security purposes.

2. How We Use Your Information

We use the information described above exclusively to:

• Provide, operate, and maintain the CRM functionality of the Service;
• Authenticate your identity and manage your account session;
• Sync and display your Gmail and Calendar data within the CRM for interaction logging;
• Respond to your inquiries and provide support;
• Detect and prevent unauthorized access or abuse of the Service.

We do not use your data for advertising or marketing purposes. We do not sell, rent, or share your personal data with third parties for their own commercial purposes. We do not use Google user data to train machine learning models or for any purpose beyond the CRM functionality described herein.

3. Google API Disclosure

The Service accesses Google APIs solely to read Gmail metadata and Google Calendar events for the purpose of logging interactions within the CRM. Specifically:

• The Service requests only the minimum OAuth scopes necessary;
• Google user data is not transferred to third parties except as necessary to provide the Service (i.e., storage in Supabase as described below);
• Google user data is not used for purposes other than those described in this Privacy Policy;
• The Service does not send emails, create or modify calendar events, or delete any Google data on your behalf.

OpenFPGA CRM's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You may revoke the Service's access to your Google account at any time by visiting your Google Account permissions page.

4. Third-Party Services

We use the following third-party services to operate the Service:

• Supabase (hosted on Amazon Web Services): All CRM data, account credentials, and OAuth tokens are stored in a Supabase database hosted on AWS infrastructure. Supabase acts as a data processor on our behalf. Data is stored in the United States.
• Google APIs: Gmail and Google Calendar access as described in Section 3 above.

We do not integrate any advertising networks, analytics resellers, or data brokers.

5. Data Retention

We retain your personal data and CRM records for as long as your account remains active or as necessary to provide the Service. If your account is terminated or deactivated, we will delete or anonymize your personal data within 90 days, unless we are required to retain it for longer by applicable law.

Google OAuth tokens are deleted promptly upon disconnection of your Google integration or account termination.

6. Your Rights

You have the following rights with respect to your personal data:

• Access: You may request a copy of the personal data we hold about you.
• Correction: You may request correction of inaccurate or incomplete personal data.
• Deletion: You may request deletion of your personal data. We will fulfill such requests within 30 days, subject to any legal obligations requiring retention.
• Portability: You may request an export of your CRM data in a structured, machine-readable format.
• Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at orion@openfpga.ai. We will respond within 30 days of receiving a verifiable request.

7. Security

We implement reasonable and appropriate technical and organizational measures to protect your information against unauthorized access, loss, alteration, or disclosure. These measures include encrypted data transmission (TLS), encrypted storage of credentials and OAuth tokens, and access controls limiting data access to authorized personnel only.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you directly. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

10. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

OpenFPGA, Inc.
orion@openfpga.ai
openfpga.ai

---