Privacy Policy

Working draft Β· Last updated 6 July 2026

Working draft. This policy is under legal review and will be finalized before any paid subscription begins. It is published now so early users can see exactly what the product does β€” every statement here maps to a specific implementation and test in our codebase.

This policy explains what the service ("the Service", "we", "us"), operated by ⟦COMPANY LEGAL NAME β€” to be inserted at incorporation⟧, collects, why, and what we deliberately never touch. Questions or data subject requests: hello@rootcase.io.

1. What the Service does

The Service detects errors that Salesforce shows to your users, explains them in plain language, and files developer-ready tickets in your ticketing tool. To do that it processes your Salesforce org's configuration metadata β€” not your business records.

2. Salesforce data: metadata only, read-only

When an administrator connects a Salesforce org, we receive an OAuth grant with the api and refresh_token scopes. We use it exclusively to read configuration metadata: validation rules, flows, page layouts, required fields, permission metadata, and object/field labels.

3. The browser extension: labels, never values

The Chrome extension runs only on Salesforce domains and requests the minimum browser permissions (storage, activeTab, scripting β€” no tabs, no cookies, no webRequest). Any change to that permission surface fails our CI so it gets a conscious review.

To help reproduce an error, the extension keeps a rolling trail of the user's last 20 actions in per-tab session storage (cleared when the tab closes). The trail records labels only:

The contents of any field the user types or selects are never read, stored, or sent. This is enforced three ways: structurally (a step has no value slot), by a static lint rule that fails the build if the recorder reads a control's value, and by a release-blocking sentinel test that types a known value into a form and asserts it never appears anywhere in the trail.

We do process the text of the error message Salesforce displays β€” that is the thing being explained. Note that error text is authored by Salesforce or by your org's configuration and can occasionally echo a value a user entered; we process it as displayed and it appears in the diagnosis and any ticket your user files.

4. Screenshots: masked on the user's machine, held ≀ 24 hours

If a user attaches a screenshot to a ticket, every input region is masked with opaque rectangles in the user's browser, before the image is stored or sent. Masking is on by default. If capture is unavailable, the ticket is created without a screenshot β€” never with an unmasked one.

On our side, a screenshot exists only in a transient delivery buffer with a hard 24-hour expiry while the ticket is being created β€” it is never written to our database or file storage. After delivery, the image lives in your ticketing tool, not with us.

5. AI processing

To generate the plain-language explanation we send a structured prompt to our AI provider (Anthropic): the error type, the matched configuration component and a short excerpt of its definition, related component labels, and the error banner text. No business records and no field values are included. Our AI provider processes this under a data processing agreement and does not train on it.

6. Account and usage data

7. Where ticket content goes

When a user files a ticket, its content (title, description, step labels, and the masked screenshot if attached) is delivered to the ticketing tool you connected β€” Jira Cloud, Linear, or a Salesforce Case in your own org. Those providers process that data under your agreements with them; we list them as customer-elected subprocessors.

8. Retention and deletion

Data Kept
Salesforce configuration metadata + diagnosis history Until your admin disconnects the org and runs "delete data" (immediate cascade), or your account is deleted.
OAuth tokens Cleared immediately on disconnect.
Screenshots ≀ 24 hours in a transient delivery buffer; never persisted.
Step trail Stays in the browser tab's session storage (cleared on tab close); only the steps a user includes in a ticket ever leave the machine, as part of that ticket.
Audit log Life of the account.
Account + waitlist data Until deletion is requested.

On termination we export your data on request and delete it within 30 days, per our Terms.

9. Subprocessors

The infrastructure and tooling providers that process data on our behalf are listed, with their roles, at /legal/subprocessors. Ticketing providers (Atlassian, Linear) act as subprocessors only if you connect them.

10. Your rights and contact

For access, correction, export, or deletion requests β€” for yourself or on behalf of your organization β€” email hello@rootcase.io. We respond within 30 days. If you are in the EU/EEA or UK, you may also lodge a complaint with your supervisory authority. ⟦EU representative / DPO designation β€” counsel to complete⟧

11. Changes

We will post any material change here and, for connected customers, notify your admins by email at least 14 days before it takes effect.