Back to Home

Privacy Policy

Last updated: January 2026

Introduction

This Privacy Policy describes how Inforge ("we," "us," or "our") collects, uses, and protects information when you use the Salesforce Readiness Scanner ("the Service"). We are committed to protecting your privacy and ensuring transparency about our data practices.

By using the Service, you agree to the collection and use of information in accordance with this policy.

Information We Access

When you connect your Salesforce org, our scanner accesses certain data for analysis purposes. The scanner operates in read-only mode and never modifies your Salesforce data.

User Information

For security and user activity analysis, we access:

  • User email addresses, full names, and usernames
  • Last login dates to identify inactive accounts
  • User permissions and profile assignments

Contact and Account Data

For data quality analysis, we access:

  • Email addresses and phone numbers from Contacts and Accounts (for duplicate detection)
  • Country and State field values (for geographic validation)
  • Field values like Industry or StageName (for data concentration analysis)
  • Record IDs to help you fix problems directly in Salesforce

Configuration and Metadata

We also access:

  • Report and Dashboard names and their owners
  • Permission sets, profiles, sharing rules, and field-level security settings
  • Apex class/trigger names and Flow names (not the actual code content)
  • Named Credential endpoint URLs and authentication types (not passwords or API keys)
  • Custom object and field definitions
  • API call limits, storage consumption, and license allocation

Information We Do NOT Access

The scanner is designed to analyze your org's health without accessing sensitive business data:

  • Account, Contact, or Opportunity names, descriptions, or addresses (beyond what's needed for validation)
  • Opportunity amounts, deal details, or financial data
  • Case contents, notes, or support data
  • Custom object record values (only counts and statistics)
  • Actual Apex or Flow source code (only names, sizes, and dependencies)
  • Passwords, API credentials, authentication tokens, or security secrets

How We Use Your Information

Analysis and Reports

Most data accessed from your Salesforce org is processed in-memory for statistical analysis and then discarded. For example, we read email addresses to count duplicates, but only the count is stored, not the actual email addresses. Analysis results, scores, and sample record IDs are stored to generate reports and track improvements over time.

Analytics and Service Improvement

We store aggregated data in our database to improve our service and understand usage patterns. This includes scan results, scores, and metrics that help us enhance the scanner's capabilities.

Marketing Communications

We may use your contact information to send you relevant communications about our services, updates, and offerings.

Our Commitment

  • We will NOT use your customer data for commercial purposes
  • We will NOT sell your data to third parties
  • We will NOT share your Salesforce data with external parties

Authentication and Security

OAuth 2.0 Authentication

We use Salesforce's standard OAuth 2.0 authentication with PKCE (Proof Key for Code Exchange) for secure authorization. When you connect your org, you log into Salesforce directly and grant the scanner permission to read data. We never see or store your Salesforce password.

Connected App

Our scanner uses an external Connected App that is registered outside your Salesforce org. This means:

  • The scanner will appear in "Connected Apps OAuth Usage" in your Salesforce Setup
  • The scanner will NOT appear in "Manage Connected Apps" or App Manager
  • You can revoke access at any time through "Connected Apps OAuth Usage"

Token Security

Access tokens are encrypted using AES encryption before being stored in our database. Tokens are automatically refreshed as needed. If a token becomes invalid (e.g., password changed, token revoked), the system detects this and prompts you to reconnect.

Additional Security Measures

  • CSRF protection via unique state tokens during authentication
  • Automatic token lifecycle management including revocation on disconnect
  • Encrypted connections (HTTPS) for all data transmission
  • Read-only API access, we never modify your Salesforce data

Data Retention and Deletion

We retain scan results and analysis history to help you track improvements over time. You can request deletion of your data at any time by contacting us or disconnecting your org.

When you disconnect your Salesforce org from the scanner:

  • Your OAuth tokens are revoked at Salesforce
  • Encrypted tokens are removed from our database
  • You can request complete deletion of your scan history