Effective July 10, 2026

Privacy at Org360

Org360 is a Salesforce metadata intelligence service. This policy explains the information Org360 processes, why it is needed, and the controls available to you.

Information we process

  • Account, team, role, and authentication information.
  • Connected Salesforce org identifiers and encrypted OAuth credentials.
  • Salesforce setup metadata, dependency edges, findings, and change history.
  • Operational logs needed for security, reliability, quotas, and support.
  • Billing and integration identifiers when Stripe or Slack is enabled.

Org360 is metadata-first. Normal collection does not request or store Salesforce business record values such as Account, Contact, Opportunity, or Case data.

How we use information

We use this information to authenticate users, connect authorized Salesforce orgs, run metadata scans, provide findings and dependency context, operate integrations, secure the service, and respond to support requests. We do not sell personal data or use customer metadata for advertising.

Org360 for Chrome

When you explicitly open the extension on a Salesforce Setup page, it processes the current URL, page title, and a bounded set of visible headings and breadcrumbs to match that page to Org360's cached metadata. It does not read form values, page body content, Salesforce records, cookies, browsing history, or keystrokes.

The extension sends that bounded Setup context to www.org360.io and receives only data already available to your Org360 team. It stores an opaque, revocable Org360 session token and your local Salesforce-domain-to-org choice in trusted extension storage. The server stores only a SHA-256 hash of the token. Authorization codes expire after five minutes; extension sessions expire after 30 days and can be revoked at any time by disconnecting.

The extension never receives Salesforce OAuth credentials or the Memory Collector token, never calls Salesforce APIs, and cannot modify Salesforce.

Service providers and transfers

Org360 uses service providers to operate the product, including Vercel for web hosting, Supabase for authentication and Postgres, Salesforce for authorized API access, Stripe for billing, and optional Slack or AI providers when those features are enabled. Providers process data under their own contractual and security terms only for the services Org360 configures.

Retention and security

Metadata and operational history are retained according to the workspace plan and product settings. Disconnected org data may be retained for continuity until an authorized admin requests deletion. Secrets are kept server-side, sensitive tokens are encrypted or one-way hashed, tenant access is scoped by team and org, and public database tables use explicit grants and row-level security.

Your choices and rights

Workspace admins can disconnect Salesforce and integrations and request deletion of an org's stored data. You can revoke the current browser session from the extension. You may also request access, correction, export, or deletion of personal information, subject to applicable law and legitimate security or legal retention needs.

Contact

Privacy and security questions can be sent to fabian@org360.io. Material changes to this policy will be posted on this page with a new effective date.