Privacy Statement

Information we collect

• Account information — name, work email, role, and the institution you belong to, used to authenticate you and scope your access.
• Institutional / education records — the student, academic, and operational data your institution chooses to manage in ApolloSRM. We process this on the institution’s instructions.
• Usage and device data — log data, IP address, and basic device/browser information used to operate, secure, and improve the service.
• Integration data — tokens and identifiers needed to connect optional third-party services you authorize (see Google User Data below).

How we use information

We use information to provide and secure the platform, authenticate users, deliver features you enable, communicate with you about the service, meet legal and compliance obligations, and improve reliability and performance. We do not sell personal information.

Google user data (Gmail)

ApolloSRM offers an optional integration that lets authorized institutional users connect their Google account so the platform can send outbound email (such as notifications and communications to students and staff) on their behalf.

• What we access: With your explicit consent, we request thegmail.send scope (to send email on your behalf) and your basic Google account email address (userinfo.email /openid) to identify the connected account.
• What we do NOT access: We do not read, search, download, or store the contents of your inbox or existing messages. We only send emails that you or the platform initiate.
• How we use it: Solely to send the outbound emails described above from your connected account.
• Storage: We store only the tokens required to maintain the connection and your account email address. You can revoke access at any time by disconnecting the integration or through your Google Account security settings.
• Sharing: We do not sell or share Google user data with any third party.

ApolloSRM’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft account data (Outlook / Microsoft 365)

ApolloSRM offers an optional integration that lets authorized institutional users connect their Microsoft work or school account so the platform can send outbound email on their behalf.

• What we access: With your explicit consent, we request the Microsoft Graph Mail.Send permission (to send email on your behalf) and your basic profile and email address (User.Read / OpenIDemail) to identify the connected account.
• What we do NOT access: We do not read, search, download, or store the contents of your mailbox or existing messages. We only send emails that you or the platform initiate.
• How we use it: Solely to send the outbound emails described above from your connected account.
• Storage: We store only the tokens required to maintain the connection and your account email address. You can revoke access at any time by disconnecting the integration in ApolloSRM or through your Microsoft account / Azure AD security settings.
• Sharing: We do not sell or share Microsoft account data with any third party.

Our use of Microsoft APIs adheres to the applicable Microsoft APIs Terms of Use, and we request the least privilege required to provide the feature.

CRM integrations (Salesforce, HubSpot, and others)

ApolloSRM offers optional integrations with customer-relationship and engagement platforms — including Salesforce, HubSpot, Pipedrive, Microsoft Dynamics, Attio, Close, Outreach, and Zoho — so an institution that already runs one of these can keep it in sync with ApolloSRM instead of migrating away from it.

• What we access: With your explicit authorization (via the provider’s OAuth consent or an API key you supply), we access only the CRM objects you choose to connect — typically accounts/companies, contacts/leads, opportunities/deals, and related activities or notes — to mirror them into ApolloSRM and to write back updates you initiate.
• What we do NOT access: We request only the scopes needed for the sync you enable; we do not access unrelated objects, and we do not use CRM data for advertising.
• Storage: Connection credentials and tokens are encrypted at rest. Synced records are treated as institutional data under your agreement and this statement.
• Revocation: You can disconnect a CRM integration at any time within ApolloSRM, or revoke ApolloSRM’s access from the provider’s own admin or security settings.
• Sharing: We do not sell CRM data or share it except with the sub-processors needed to operate the service, under appropriate safeguards.

Your use of any connected CRM remains subject to that provider’s own terms and API policies. ApolloSRM accesses third-party data on a least-privilege basis and uses it only to provide the integration you enabled.

Other connected services

ApolloSRM supports additional optional integrations — for example, calendaring (Google Calendar, Microsoft 365), meetings (Zoom, Microsoft Teams), messaging (Slack, Twilio), e-signature, payments (Stripe), and accounting. For every such connection we follow the same principles: we request the minimum scopes required, we access only the data needed to deliver the feature you enabled, we store connection tokens encrypted, we never sell your data, and you can disconnect at any time. Each provider’s own terms continue to govern your use of that service.

Storage and security

Data is stored with reputable cloud infrastructure providers and protected with encryption in transit and at rest, least-privilege access controls, tenant isolation, and an audit trail on administrative changes. ApolloSRM maintains a SOC 2-aligned security program. No method of transmission or storage is perfectly secure, but we work to protect your information using industry-standard safeguards.

Sharing

We do not sell personal information or Google user data. We share information only with sub-processors that help us operate the service (for example, cloud hosting and email delivery), under contracts that require appropriate safeguards; with your institution as the data controller; or when required by law. A current list of sub-processors is available to institutional customers on request.

FERPA and education records

Where ApolloSRM processes student education records, it does so on behalf of the institution and consistent with FERPA. Access is scoped to a legitimate educational interest, draft/unreleased decisions are gated from students and families until released, and record access is logged. Requests to access, correct, or delete education records are directed to the institution that controls them.

Your choices and rights

You can disconnect an optional integration (including Google) at any time from within ApolloSRM or through the provider’s own security settings. Depending on your jurisdiction and your institution’s policies, you may have rights to access, correct, or delete personal information; we will honor verified requests as required by applicable law and route education-record requests to the controlling institution.

Cookies

We use strictly necessary cookies to keep you signed in and to operate the application, plus limited analytics to understand and improve performance. We do not use advertising cookies.

Changes to this statement

We may update this Privacy Statement from time to time. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to institutional customers.

Contact

Questions about this Privacy Statement or our data practices can be sent to privacy@apollosrm.com.