Privacy Policy
Last updated: March 11, 2026
Sales Copilot ("the Extension") is a Chrome extension that enhances your Salesforce workflow with duplicate detection, autofill suggestions, meeting and email sync, transcript management, and AI-powered field hints. This Privacy Policy explains what data we collect, how we use it, and your rights.
1. Information We Collect
Salesforce Session Data
- Your Salesforce domain and session identifiers are captured to authenticate API requests. Session IDs are hashed (SHA-256) before storage and are never stored in plain text.
Salesforce Record Data
- The Extension reads Salesforce records (opportunities, accounts, contacts) in your browser to provide duplicate detection and autofill suggestions. This data is processed locally in your browser and is not sent to our servers unless you explicitly use an AI-powered feature.
Google Account Data
- If you connect your Google account, the Extension accesses your Google Calendar (read-only) and Gmail (read-only) to match meetings and emails to Salesforce opportunities. This data is cached locally in your browser's IndexedDB and is not stored on our servers.
Meeting Transcripts
- If you connect Zoom or Fireflies, the Extension syncs meeting transcripts to match them with Salesforce opportunities. Transcript metadata is stored on our servers; full transcript content is fetched on demand.
AI Request Data
- When you use AI-powered features (field hints, opportunity summaries), the relevant context is sent to our backend, which proxies requests to OpenAI or Anthropic. We log token usage and cost per request for budget tracking. We do not store the content of your prompts or AI responses.
2. How We Use Your Information
- Authentication: To verify your identity and authorize access to the Extension's features.
- Core Features: To provide duplicate detection, autofill suggestions, meeting/email sync, and transcript management.
- AI Features: To process your requests through LLM providers and enforce usage budgets.
- Rate Limiting & Budget Enforcement: To track API usage and enforce per-user monthly budgets.
3. Data Storage & Security
- Session identifiers are hashed with SHA-256 before storage.
- JWT tokens are used for authentication with short-lived access tokens (15 minutes) and refresh tokens (7 days).
- Salesforce record data and Google data are processed locally in your browser and cached in IndexedDB.
- Backend data is stored in MongoDB with access restricted to authenticated users only.
- All communication between the Extension and our servers uses HTTPS.
4. Third-Party Services
The Extension integrates with the following third-party services:
- Salesforce: To read and interact with your CRM data.
- Google (Calendar & Gmail): To sync meetings and emails (read-only access).
- Zoom: To fetch meeting recordings and transcripts (via OAuth).
- Fireflies.ai: To fetch meeting transcripts (via API key).
- OpenAI / Anthropic: To process AI-powered feature requests. Data sent to these providers is subject to their respective privacy policies.
5. Data Sharing
We do not sell, trade, or rent your personal data. Data is shared only with the third-party services listed above, solely to provide the Extension's features. We do not share your data with advertisers or analytics providers.
6. Data Retention
- Authentication tokens expire automatically (access: 15 minutes, refresh: 7 days).
- Usage tracking data (request counts, costs) is retained for billing and budget enforcement.
- Transcript metadata is retained while your account is active.
- Locally cached data (IndexedDB) can be cleared by uninstalling the Extension or clearing browser data.
7. Your Rights
- Disconnect Services: You can disconnect Zoom, Fireflies, or Google integrations at any time from the Extension settings.
- Delete Data: You can request deletion of your account and associated data by contacting us.
- Access Data: You can request a copy of the data we store about you.
8. Chrome Extension Permissions
The Extension requests the following Chrome permissions:
- cookies, activeTab, tabs: To detect Salesforce pages and capture session tokens.
- storage: To persist authentication state and user preferences.
- scripting: To inject UI components into Salesforce pages.
- identity: To authenticate with Google OAuth for Calendar and Gmail access.
- alarms: To schedule periodic token refresh.
- notifications: To alert you about sync status or errors.
- declarativeNetRequest: To intercept and monitor Salesforce network requests for authentication.
Host permissions are limited to Salesforce domains (*.salesforce.com, *.force.com), Google APIs (googleapis.com), and the OpenAI API (api.openai.com).
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated "Last updated" date. Continued use of the Extension after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at chiragshetty98@gmail.com.