Privacy Policy
Last updated May 5, 2026
Summary of Key Points
This summary provides key points from our Privacy Notice. See the full policy below for complete details.
Your Customer Data stays on your device. Contacts, Leads, Accounts, Opportunities, and Tasks remain on your device in encrypted storage and sync directly with your Salesforce instance. We do not access or store this data on our servers.
We collect minimal information. We store essential account data (email, username, usage counters, app telemetry, and organization metadata) in our secure cloud infrastructure. When you contact support, we collect your message and any attachments you provide. We do not process sensitive information.
AI processing is temporary. When you use our AI-powered features (image scanning, voice notes), images, audio, and metadata are forwarded by our backend to our AI service provider in memory only — we never persist them on our servers. Whether the AI service provider itself retains the request is governed by the OpenAI account in effect: trial customers and post-trial customers who continue on our managed environment use the Seamless.ly-managed OpenAI account (configured to disable training and request logging); post-trial customers who provide their own OpenAI API key use their own account, controlled by their administrator. We encourage post-trial customers to provide their own key for direct billing and granular control, but it is optional.
Your data stays yours. We share information only with essential service providers (cloud infrastructure, AI processing) for core app functionality. We don't share it for marketing, advertising, or any third-party purpose.
You have full control. You can access, delete, correct, or export your data at any time. Log out or delete the app to instantly remove all local data. Email privacy@seamless.ly for account deletion requests.
Table of Contents
- What Information Do We Collect?
- How Do We Process Your Information?
- What Legal Bases Do We Rely On?
- When and With Whom Do We Share Your Personal Information?
- Do We Use Cookies and Other Tracking Technologies?
- Do We Offer Artificial Intelligence-Based Products?
- Is Your Information Transferred Internationally?
- How Long Do We Keep Your Information?
- How Do We Keep Your Information Safe?
- Do We Collect Information From Minors?
- What Are Your Privacy Rights?
- Controls for Do-Not-Track Features
- Do United States Residents Have Specific Privacy Rights?
- Do Other Regions Have Specific Privacy Rights?
- Do We Make Updates to This Notice?
- How Can You Contact Us About This Notice?
- How Can You Review, Update, or Delete Your Data?
1. What Information Do We Collect?
We collect minimal personal information needed to authenticate you with Salesforce and provide app functionality.
Account Data
We store minimal account information in our secure cloud infrastructure (Google Cloud Platform / Firebase) to enable app functionality:
- Salesforce username, user ID, and organization ID
- Name, email address, phone number, job title (if available from your Salesforce profile)
- Authentication and subscription status
- Usage counters (for usage limits)
- App telemetry (app version, build number, platform, OS version, last active timestamp)
- Organization metadata (organization name, Salesforce edition, sandbox status, active user count)
We also create an Account and Contact record about each customer organization and end user in our own internal Salesforce CRM (containing the same identity fields above). We use this to manage our customer relationships, support, and billing.
Retention: Until you request account deletion
Unauthorized Access Attempts
When someone authenticates successfully with Salesforce but is not on our authorized list (for example, their organization or user has not yet been added), we record the attempted Salesforce username, email address, organization ID, organization name, and Salesforce instance URL. We retain this information for security and abuse-prevention purposes.
Retention: Up to 6 months from the rejected attempt, after which records are deleted as part of routine maintenance. You may request earlier deletion of records relating to you by emailing privacy@seamless.ly.
Customer Support Data
When you contact support or submit feedback, we collect:
- Contact information (name, email, phone if provided)
- Support ticket descriptions and feedback
- Screenshots, recordings, or error logs (only if you provide them)
Where this data is stored: in-app feedback and support tickets are stored as Cases (with any attachments) in our internal Salesforce CRM. Submissions made through forms on our website (e.g. trial requests, contact form) are delivered to our team by email via Resend; we may then record the submission in our internal Salesforce CRM as well.
Retention: support tickets remain in our internal Salesforce CRM and may be retained beyond two years for compliance, audit, and historical-context purposes; you can request deletion at any time by emailing privacy@seamless.ly.
Device-Only Data
Your business data stays on your device only. The following is stored exclusively on your device in encrypted storage and never transmitted to our servers:
- All Salesforce Records (Contacts, Leads, Accounts, Opportunities, Tasks)
- App Preferences (display settings, default values, customizations)
Retention: Deleted immediately when you log out or uninstall the app
AI Processing Data
When you use AI features (image scanning, voice notes), the following data is processed temporarily by our AI service provider via our backend:
- Images (sent to our AI service provider for text extraction)
- Voice recordings (sent to our AI service provider for transcription and field extraction)
- Metadata (necessary technical information to enable accurate data extraction)
This data passes through our servers in memory only and is immediately forwarded to our AI service provider. Only extracted field values are returned to your device.
We do not send your existing Customer Data (Contacts, Leads, Accounts, Opportunities, or Tasks) to our AI service provider. Only the audio or image you capture and the field metadata necessary to map extracted values into the correct Salesforce fields are sent.
API Keys: During your initial trial period, AI processing uses a Seamless.ly-managed API key on the Seamless.ly-managed OpenAI account, which is configured to disable training, evaluation sharing, and API request logging. After the trial, your organization can either continue using our managed environment (the same privacy settings remain in effect; Seamless.ly bears the OpenAI cost) or provide your own OpenAI API key (you maintain a direct billing relationship with OpenAI and control your own account settings, including data sharing and privacy controls). We encourage organizations to provide their own key for direct cost visibility and granular control, but it is optional. If you provide your own key, it is stored securely in our infrastructure and is only used server-side to process your Scan and Speak requests; you may revoke it at any time.
Retention on our infrastructure: none. Audio and images pass through our servers in memory only and are never written to disk. Retention by the AI service provider depends on which OpenAI account is in use: trial customers and post-trial customers using our managed environment have requests handled by the Seamless.ly OpenAI account (configured with training, evaluation sharing, and request logging disabled); post-trial customers who provide their own OpenAI API key have retention governed by their own account settings, controlled by their administrator.
Opt Out: Don't use AI features. You can manually enter all data.
Automatically Collected Data
We automatically collect device information and anonymized usage data through Firebase Analytics (a Google service) to improve the service:
- Device type, operating system, app version, build number, locale
- Per-install identifier generated by Firebase Analytics
- Product-usage events (e.g. onboarding completed, scan completed, voice note completed, record created, search performed, campaign associated, scan-location saved, usage-limit reached) with non-PII parameters such as Salesforce object type or error code
We do not attach your name, email, Salesforce username, or record contents to these events. See Section 5 for details and opt-out.
2. How Do We Process Your Information?
We process minimal personal information to authenticate you and enable core features, for these specific purposes:
- To authenticate you with Salesforce (we facilitate direct connection between your device and Salesforce)
- To manage your account (we store basic account information to enable app functionality and subscription management)
- To enable AI extraction (temporary processing of images/audio with immediate deletion)
- To provide customer support (only when you contact us)
- To ensure security (preventing unauthorized access)
- To comply with legal obligations (when required by law)
Important: Your Salesforce records (Contacts, Leads, Accounts, Opportunities, Tasks) remain on your device and sync directly with your Salesforce instance. We do not store them on our servers and we do not send them to our AI service provider.
3. What Legal Bases Do We Rely On to Process Your Information?
We only process your personal information when we have a valid legal reason to do so.
If you are located in the EU or UK
Under GDPR, we rely on the following legal bases:
- Performance of a Contract (to provide the service you requested)
- Legitimate Interests (for support, security, and service improvement)
- Legal Obligations (to comply with applicable laws)
- Consent (for any optional features, you can withdraw anytime)
If you are located in Canada
We process your information with your express or implied consent, which you can withdraw at any time.
If you are located in the United States
We process your information in accordance with our Terms of Service and this Privacy Notice.
4. When and With Whom Do We Share Your Personal Information?
We share information only with essential service providers.
Service Providers
We use trusted service providers for:
- Google Cloud Platform / Firebase (USA): cloud infrastructure, database hosting, authentication, server-side logs, and Firebase Analytics for in-app product-usage events
- OpenAI (USA): AI processing for image scanning and voice transcription. Trial customers and post-trial customers using our managed environment have requests routed through the Seamless.ly-managed OpenAI account; post-trial customers may optionally provide their own OpenAI API key for direct billing.
- Resend (USA): transactional email delivery for our website forms (e.g., trial requests, contact submissions). When you submit a form on seamless.ly, your name, email, company, phone (if provided), Salesforce ID (if provided), and message are delivered to our team via Resend.
- Salesforce (USA / EU, depending on your edition): in addition to your direct authentication with your own Salesforce instance (see “Other Sharing” below), we maintain our own internal Salesforce org used as our CRM. We create an Account and Contact record in our internal CRM for each customer organization and end user (containing your name, email, organization name, and contact details), and we record support tickets and feedback you submit as Cases (with attachments if provided).
Other Sharing
We may share your information in these situations:
- Salesforce (direct authentication with your Salesforce instance)
- Legal Requirements (when required by law or to protect rights)
- Business Transfers (in connection with merger, sale, or acquisition)
Limits on Sharing
We do not:
- Sell your personal information
- Share your Salesforce records
- Allow third parties to use your information for their own purposes
Sub-Processor Changes
Our current list of sub-processors is maintained in our Data Processing Addendum (Schedule 3). Customers may subscribe to notifications of sub-processor changes by emailing privacy@seamless.ly with subject “Sub-Processor Notifications”. Full security documentation is available under NDA.
5. Do We Use Cookies and Other Tracking Technologies?
Our website does not use advertising or cross-site tracking cookies. We do not run Google Analytics, Meta Pixel, Hotjar, or similar trackers on our marketing site. The site may use essential cookies for basic functionality only.
In-App Analytics
Our mobile application uses Firebase Analytics (a Google service) to record anonymized product-usage events that help us understand which features are used and where users encounter errors. The events recorded include: onboarding completion, scan completed, voice note completed, record created, search performed, campaign associated, scan-location saved, and usage-limit reached. Each event may include non-PII parameters such as the Salesforce object type (e.g., Lead, Contact), an error code, or a result count. Firebase Analytics generates a per-install identifier and sends standard device metadata (model, OS version, locale) to Google. We do not attach your name, email, Salesforce username, or record contents to these events.
Firebase Analytics is on by default. Today there is no in-app opt-out toggle; if you would like to opt out, contact privacy@seamless.ly.
6. Do We Offer Artificial Intelligence-Based Products?
We use AI for temporary processing only — your data is never stored or used for training.
How We Use AI
Our AI features enable you to:
- Extract text from images
- Transcribe voice recordings to create tasks
- Process natural language for data extraction
For information about how AI features work and acceptable use, see our Terms of Service Section 5.
What Data is Sent to Our AI Service Provider
When you use AI features, the following data is temporarily sent to our AI service provider via our backend:
- Images or voice recordings (for text extraction and transcription)
- Metadata (technical information necessary for accurate data extraction)
See Section 1 for complete details.
Privacy Guarantee
Your images and recordings pass through our servers in memory only, are never persisted to disk, and are immediately forwarded to our AI service provider for extraction. Only extracted field values return to your device and Salesforce.
Whether the AI service provider itself retains your request depends on which OpenAI account is in use. Trial customers, and post-trial customers who continue on our managed environment, have requests handled by the Seamless.ly-managed OpenAI account, configured with training, evaluation sharing, and API request logging disabled. Post-trial customers who provide their own OpenAI API key have requests handled by their organization's OpenAI account, where their administrator controls these settings directly.
For OpenAI's own public statements about API data handling — including their default no-training-on-API-data commitment, security framework, and compliance certifications — see OpenAI's Enterprise Privacy page. Audit reports (SOC 2 Type II, ISO 27001 family) are available via the OpenAI Trust Portal. Note: certain customer-controlled retention features described on the Enterprise Privacy page apply specifically to ChatGPT Enterprise products; the API Platform retention model — which is what Seamless.ly uses — is described separately in OpenAI's API Platform documentation.
We do not send your existing Customer Data (Contacts, Leads, Accounts, Opportunities, Tasks) to our AI service provider. Only the audio or image you capture and the field metadata necessary to map extracted values into the correct Salesforce fields are sent.
7. Is Your Information Transferred Internationally?
Our backend services are hosted in the United States. If you are located outside the United States, your authentication tokens and account data will be transferred to and processed in the US.
Audio and image data passes through our US-based infrastructure during AI processing and is forwarded to our AI service provider (US-based) but is not stored. Only extracted field values are returned to your device.
Your Salesforce records stay on your device: All Contacts, Leads, Accounts, Opportunities, and Tasks remain on your device and sync directly with your Salesforce instance.
International Transfer Safeguards: We use EU Standard Contractual Clauses (SCCs) to ensure appropriate safeguards for data transfers from the EU/UK/EEA to the United States. Our service providers are certified under industry-standard security frameworks, including ISO 27001 and SOC 2, and are GDPR compliant.
8. How Long Do We Keep Your Information?
We keep minimal account data until you delete your account. Device data is deleted instantly when you log out or delete the app.
Retention Periods
- Device Data (Salesforce records) — Deleted immediately when you log out or uninstall the app
- Account Data — Retained until you request account deletion
- Usage Counters — Reset monthly, retained for app functionality
- AI Processing (images and audio) — Deleted immediately after processing
- Support Tickets — Retained in our internal Salesforce CRM until you request deletion (subject to lawful retention periods)
9. How Do We Keep Your Information Safe?
We use industry-standard security with encryption at rest and in transit.
Security Measures
- Device storage uses platform-level encryption
- All data transmission uses TLS/HTTPS encryption
- Authentication tokens stored in secure device keychain
- No server-side storage of Salesforce records
Compliance and Certification
We have successfully passed Salesforce's AppExchange Security Review (September 2025), demonstrating our commitment to security best practices and data protection standards.
Incident Notification
In the event of a security incident affecting your personal data, we will notify affected users without undue delay and, where feasible, not later than 72 hours after becoming aware of the incident. Notifications will include details of the incident, affected data, and remediation steps.
10. Do We Collect Information From Minors?
No. Our service is for business use only. We do not knowingly collect data from anyone under 18 years of age. This is a business application designed for professional use. If we learn that we have collected information from a minor, we will delete that information immediately. Please contact us if you believe we have inadvertently collected information from a minor.
11. What Are Your Privacy Rights?
You have full control over your data. Depending on your location, you have the following rights:
Your Rights
- Access (request a copy of your personal information)
- Delete (request deletion of your account and data)
- Correct (update inaccurate information)
- Export (receive your data in a portable format)
- Object (opt out of certain processing)
- Restrict (limit how we use your information)
- Withdraw Consent (remove permission for optional features)
Immediate Control
Log out or delete the app at any time to instantly remove all local data including all Salesforce records. Your data in Salesforce remains under your control through Salesforce.
12. Controls for Do-Not-Track Features
Our mobile application does not track users across websites. We do not engage in cross-site tracking or behavioral advertising.
13. Do United States Residents Have Specific Privacy Rights?
Yes, US residents have specific rights under state privacy laws.
Your Rights Under State Laws
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you have the right to:
- Know what personal information we collect
- Access your personal data
- Correct inaccuracies
- Delete your personal data
- Opt out of sale (we do not sell personal data)
- Non-discrimination for exercising rights
California Residents
Under CCPA/CPRA, you have additional rights including the right to know if we sell or share personal information (we don't), limit use of sensitive personal information (we don't collect any), and request information about our data practices.
14. Do Other Regions Have Specific Privacy Rights?
Australia and New Zealand
We comply with the Australian Privacy Act 1988 and New Zealand Privacy Act 2020. You have rights to access and correct your information, and to complain to the respective privacy commissioners.
Republic of South Africa
Under POPIA, you have rights to access, correct, and delete your information. Complaints can be lodged with the Information Regulator.
15. Do We Make Updates to This Notice?
We may update this Privacy Notice from time to time. We will indicate changes by updating the "Last updated" date at the top of this notice. We encourage you to review this notice periodically. Your continued use of the Services after changes are posted constitutes acceptance of the updated notice.
16. How Can You Contact Us About This Notice?
If you have questions or comments about this notice, you may contact us at:
Seamless.ly App Ltd.
124 City Road
London, England EC1V 2NX
United Kingdom
Privacy inquiries: privacy@seamless.ly
General contact: contact@seamless.ly
17. How Can You Review, Update, or Delete Your Data?
You have several options to manage your data:
Your Options
- Immediate Deletion — Delete the app to instantly remove all local data including all Salesforce records (Contacts, Leads, Accounts, Opportunities, Tasks)
- Account Deletion — Email privacy@seamless.ly to request account deletion. We will use commercially reasonable efforts to delete your account data within 30 days of your request; certain residual data (e.g., system logs and automated backup snapshots) may persist for the duration of standard retention cycles, after which it is deleted.
- Data Access — Contact us for a copy of your personal information
- Salesforce Data — Manage your Contacts, Leads, Accounts, Opportunities, and Tasks through your Salesforce instance directly
Data Processing Addendum
Enterprise customers requiring a Data Processing Agreement (DPA) can request one by contacting privacy@seamless.ly. Our DPA includes:
- EU Standard Contractual Clauses (SCCs) for international data transfers
- Technical and organizational security measures
- Complete sub-processor list with notification obligations
- Data subject rights procedures
- Detailed data processing descriptions
The DPA is provided to enterprise customers and security auditors, and for regulatory compliance reviews.