This policy explains what the service ("the Service", "we", "us"), operated by β¦COMPANY LEGAL NAME β to be inserted at incorporationβ§, collects, why, and what we deliberately never touch. Questions or data subject requests: hello@rootcase.io.
The Service detects errors that Salesforce shows to your users, explains them in plain language, and files developer-ready tickets in your ticketing tool. To do that it processes your Salesforce org's configuration metadata β not your business records.
When an administrator connects a Salesforce org, we receive an OAuth grant with the
api and refresh_token scopes. We use it exclusively to
read configuration metadata: validation rules, flows, page layouts,
required fields, permission metadata, and object/field labels.
The Chrome extension runs only on Salesforce domains and requests the minimum browser
permissions (storage, activeTab, scripting β no
tabs, no cookies, no webRequest). Any change to that
permission surface fails our CI so it gets a conscious review.
To help reproduce an error, the extension keeps a rolling trail of the user's last 20 actions in per-tab session storage (cleared when the tab closes). The trail records labels only:
:id (e.g. /lightning/r/Opportunity/:id/view). Raw URLs are never
kept.
The contents of any field the user types or selects are never read, stored, or sent. This is enforced three ways: structurally (a step has no value slot), by a static lint rule that fails the build if the recorder reads a control's value, and by a release-blocking sentinel test that types a known value into a form and asserts it never appears anywhere in the trail.
We do process the text of the error message Salesforce displays β that is the thing being explained. Note that error text is authored by Salesforce or by your org's configuration and can occasionally echo a value a user entered; we process it as displayed and it appears in the diagnosis and any ticket your user files.
If a user attaches a screenshot to a ticket, every input region is masked with opaque rectangles in the user's browser, before the image is stored or sent. Masking is on by default. If capture is unavailable, the ticket is created without a screenshot β never with an unmasked one.
On our side, a screenshot exists only in a transient delivery buffer with a hard 24-hour expiry while the ticket is being created β it is never written to our database or file storage. After delivery, the image lives in your ticketing tool, not with us.
To generate the plain-language explanation we send a structured prompt to our AI provider (Anthropic): the error type, the matched configuration component and a short excerpt of its definition, related component labels, and the error banner text. No business records and no field values are included. Our AI provider processes this under a data processing agreement and does not train on it.
When a user files a ticket, its content (title, description, step labels, and the masked screenshot if attached) is delivered to the ticketing tool you connected β Jira Cloud, Linear, or a Salesforce Case in your own org. Those providers process that data under your agreements with them; we list them as customer-elected subprocessors.
| Data | Kept |
|---|---|
| Salesforce configuration metadata + diagnosis history | Until your admin disconnects the org and runs "delete data" (immediate cascade), or your account is deleted. |
| OAuth tokens | Cleared immediately on disconnect. |
| Screenshots | β€ 24 hours in a transient delivery buffer; never persisted. |
| Step trail | Stays in the browser tab's session storage (cleared on tab close); only the steps a user includes in a ticket ever leave the machine, as part of that ticket. |
| Audit log | Life of the account. |
| Account + waitlist data | Until deletion is requested. |
On termination we export your data on request and delete it within 30 days, per our Terms.
The infrastructure and tooling providers that process data on our behalf are listed, with their roles, at /legal/subprocessors. Ticketing providers (Atlassian, Linear) act as subprocessors only if you connect them.
For access, correction, export, or deletion requests β for yourself or on behalf of your organization β email hello@rootcase.io. We respond within 30 days. If you are in the EU/EEA or UK, you may also lodge a complaint with your supervisory authority. β¦EU representative / DPO designation β counsel to completeβ§
We will post any material change here and, for connected customers, notify your admins by email at least 14 days before it takes effect.