SF Studio

Privacy Policy

Last Updated: January 23, 2026
Effective Date: January 23, 2026

SF Studio ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Salesforce administration and metadata intelligence platform (the "Service").

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Identity Information: Name, email address, and profile picture (if provided via OAuth)
  • Authentication Data: Hashed passwords (for email/password accounts) or OAuth tokens (for social sign-in)
  • Organization Information: Company name, team name, and tenant identifiers
  • Role and Permissions: Your role within your organization's SF Studio account

1.2 Salesforce Organization Data

When you connect a Salesforce organization, we collect and store:

  • OAuth Credentials: Access tokens and refresh tokens required to connect to your Salesforce org (encrypted at rest)
  • Organization Metadata: Salesforce org ID, instance URL, organization name, and type (Production, Sandbox, etc.)
  • Metadata Snapshots: Copies of your Salesforce metadata including but not limited to:
    • Apex classes, triggers, and test classes
    • Lightning Web Components and Aura components
    • Flows, Process Builders, and Workflow Rules
    • Custom objects, fields, and relationships
    • Profiles, Permission Sets, and Permission Set Groups
    • Validation Rules and Triggers
    • Page Layouts, Record Types, and Custom Tabs
    • Reports, Dashboards, and List Views
    • Custom Settings and Custom Metadata Types
  • User Information from Salesforce: We may retrieve Salesforce user lists for features like permission analysis, but we do not store Salesforce user passwords or personal data beyond what is necessary for the Service

1.3 Usage Data

We automatically collect certain information when you use the Service:

  • Log Data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps
  • Feature Usage: Which features you use, frequency of use, and interaction patterns
  • Chat Interactions: Questions and queries you submit to our AI assistant, and the responses generated
  • Error Data: Error messages, stack traces, and diagnostic information to help us improve the Service

1.4 Third-Party Integration Data

If you connect third-party integrations, we collect:

  • Slack: OAuth tokens, workspace ID, channel mappings, and message delivery confirmations
  • Jira: OAuth tokens, cloud ID, project mappings, and issue references
  • Microsoft Teams: OAuth tokens, tenant ID, channel mappings, and message delivery confirmations
  • GitHub/GitLab: OAuth tokens, repository references, and commit/PR metadata (if configured)

1.5 Payment Information

If you subscribe to a paid plan, payment processing is handled by our third-party payment processor (Stripe). We do not directly collect or store credit card numbers. We receive from Stripe: transaction IDs, subscription status, billing address, and the last four digits of your card for display purposes.

2. How We Use Your Information

We use the information we collect to:

2.1 Provide and Maintain the Service

  • Authenticate your access and manage your account
  • Connect to and retrieve metadata from your Salesforce organizations
  • Generate metadata snapshots and perform comparison analysis
  • Power AI-assisted features including natural language queries about your org
  • Deliver notifications via connected integrations (Slack, Teams, etc.)
  • Process payments and manage subscriptions

2.2 Improve and Develop the Service

  • Analyze usage patterns to improve user experience
  • Identify and fix bugs, errors, and performance issues
  • Develop new features based on user needs
  • Train and improve our AI models (see Section 3 for details)

2.3 Communicate With You

  • Send transactional emails (account verification, password resets, etc.)
  • Notify you of security issues affecting your connected orgs
  • Provide customer support
  • Send product updates and announcements (with opt-out option)

2.4 Ensure Security and Compliance

  • Detect and prevent fraud, abuse, and unauthorized access
  • Maintain audit logs for compliance purposes
  • Enforce our Terms of Service
  • Comply with legal obligations

3. AI Processing and Model Training

3.1 How AI Features Work

SF Studio uses artificial intelligence, powered by Anthropic's Claude, to provide intelligent assistance with your Salesforce metadata. When you use AI features:

  • Your queries and relevant metadata context are sent to Anthropic's API for processing
  • Responses are generated based on your specific org context
  • Conversation history within a session is maintained to provide contextual responses

3.2 Data Sent to AI Providers

When using AI features, we may send to Anthropic:

  • Your natural language queries and follow-up questions
  • Relevant metadata snippets (e.g., Apex code, Flow definitions, field configurations)
  • Search results from your metadata to provide context
  • Component names and relationships relevant to your query

3.3 AI Training and Data Use

We do not use your Salesforce metadata or queries to train AI models. Our agreement with Anthropic ensures that data sent through their API is not used to train their models. Your proprietary code, configurations, and business logic remain private.

3.4 AI Data Retention

Anthropic may retain API inputs and outputs for up to 30 days for abuse monitoring and safety purposes, after which they are deleted. See Anthropic's privacy policy for details.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We share data with third-party vendors who help us operate the Service:

ProviderPurposeData Shared
AnthropicAI processingQueries, metadata context
VercelHosting, edge functionsRequest logs, IP addresses
Neon / PostgreSQLDatabase hostingAll application data (encrypted)
StripePayment processingBilling information
Resend / SendGridEmail deliveryEmail addresses, message content

4.2 Connected Integrations

When you connect integrations, data is shared as necessary to provide the integration functionality:

  • Slack/Teams: Messages you choose to send, notification content
  • Jira: Issue details you create or update
  • GitHub/GitLab: Metadata comparison results, PR comments (if configured)

4.3 Within Your Organization

If you are part of a team or organization account, other authorized users within your organization may have access to shared resources, audit logs, and activity data based on their role and permissions.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal process (subpoenas, court orders, warrants)
  • Government requests that meet legal requirements
  • Enforcement of our Terms of Service
  • Protection of our rights, privacy, safety, or property
  • Emergency situations involving potential threats to safety

4.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service of any change in ownership or uses of your information.

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted to and from the Service uses TLS 1.2 or higher
  • Encryption at Rest: Sensitive data including OAuth tokens and credentials are encrypted using AES-256
  • Access Controls: Role-based access control (RBAC) limits data access to authorized personnel
  • Infrastructure Security: Hosted on SOC 2 compliant infrastructure with regular security audits
  • Audit Logging: All administrative actions are logged with tamper-evident hash chains
  • Secure Development: Code reviews, dependency scanning, and security testing

5.2 Incident Response

In the event of a security breach affecting your data, we will notify you within 72 hours of becoming aware of the breach, in accordance with applicable law.

5.3 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Ensuring appropriate access controls within your organization
  • Promptly notifying us of any unauthorized access to your account
  • Complying with Salesforce's terms of service when connecting orgs

6. Data Retention

6.1 Account Data

We retain your account information for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where retention is required by law.

6.2 Salesforce Metadata

Metadata snapshots are retained according to your subscription plan and settings. You can delete snapshots at any time. When you disconnect a Salesforce org, associated metadata and credentials are deleted within 24 hours.

6.3 Chat and Query History

Chat conversations and AI query history are retained for 90 days by default to enable conversation continuity and feature improvement. You can request deletion of chat history at any time.

6.4 Audit Logs

Audit logs are retained for the period required by applicable law or your organization's compliance requirements, typically 1-7 years depending on the type of event.

7. Your Rights and Choices

7.1 All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Data Portability: Request your data in a structured, machine-readable format
  • Disconnect Integrations: Remove connected Salesforce orgs and third-party integrations at any time
  • Communication Preferences: Opt out of marketing communications

7.2 European Economic Area (EEA) Residents - GDPR

If you are located in the EEA, you have additional rights under GDPR:

  • Legal Basis: We process your data based on:
    • Contract performance (providing the Service)
    • Legitimate interests (improving the Service, security)
    • Consent (marketing communications, optional features)
    • Legal obligations (tax, compliance)
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Supervisory Authority: Lodge a complaint with your local data protection authority

7.3 California Residents - CCPA/CPRA

If you are a California resident, you have additional rights:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: We do not sell personal information, but you may opt out of sharing for targeted advertising
  • Non-Discrimination: We will not discriminate against you for exercising your rights

Categories of Personal Information Collected: Identifiers, commercial information, internet activity, professional information, and inferences drawn from the above.

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: info@sfstudio.ai
  • Settings: Use the account settings in the Service to manage data and integrations

We will respond to requests within 30 days (or sooner if required by law). We may need to verify your identity before processing requests.

8. International Data Transfers

SF Studio is operated from the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent where appropriate

Our service providers who process data on our behalf are bound by data processing agreements that require them to protect your data in accordance with this Privacy Policy.

9. Cookies and Tracking Technologies

9.1 Cookies We Use

TypePurposeDuration
EssentialAuthentication, session management, securitySession / 30 days
FunctionalUser preferences, UI state1 year
AnalyticsUsage statistics, performance monitoring2 years

9.2 Your Cookie Choices

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service. We respect Do Not Track (DNT) browser signals.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe we have collected information from a child under 16, please contact us.

11. Third-Party Links and Services

The Service may contain links to third-party websites, including Salesforce, Slack, Jira, and other integrated services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last Updated" date
  • Sending an email to the address associated with your account (for material changes)
  • Displaying a prominent notice within the Service

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

SF Studio
Email: info@sfstudio.ai

For GDPR-related inquiries, you may also contact us at info@sfstudio.ai.

14. Additional Disclosures

14.1 Salesforce AppExchange

If you access SF Studio through the Salesforce AppExchange, additional terms from Salesforce may apply. Our use of Salesforce APIs complies with Salesforce's API Terms of Service and Partner Program Agreement.

14.2 Enterprise Customers

Enterprise customers may have additional data processing agreements (DPAs) that supersede portions of this Privacy Policy. Contact your account representative for details.

14.3 Government and Regulated Industries

For customers in government or regulated industries (healthcare, financial services), please contact us to discuss specific compliance requirements and available configurations.