True Record
Back to Home

Privacy Policy

Last updated: December 12, 2025

Note: We're an early-stage company and will keep this document updated as our policies mature.

1. Introduction

True Record ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Salesforce duplicate detection service.

By using True Record, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Data Controller

True Record is the data controller for the personal information we collect through our service. You can contact us at privacy@truerecord.app for any privacy-related inquiries.

3. Information We Collect

3.1 Account Information

When you connect your Salesforce org to True Record, we collect:

  • Salesforce Organization ID: Unique identifier for your Salesforce instance
  • Instance URL: Your Salesforce instance URL
  • User Email: Email address of the user connecting the org
  • Display Name: Name associated with your Salesforce account
  • OAuth Tokens: Encrypted access and refresh tokens (AES-256-GCM) for API access

3.2 Salesforce Data

To perform duplicate detection, we temporarily store:

  • Record Snapshots: Copies of fields you configure for matching (e.g., name, email, phone, company) from Lead and Contact records
  • Record IDs: Salesforce record identifiers for match tracking
  • Object Metadata: Field configurations and matching rules

We DO NOT store your full Salesforce database. We only store the specific fields you configure for duplicate detection and only for records identified as potential duplicates.

3.3 Team Member Information

For organizations with multiple members:

  • Email addresses of invited team members
  • Role assignments (admin or member)
  • Invitation tokens (temporary, deleted after use)
  • Join/invitation timestamps

3.4 Usage Information

We collect information about how you use our service:

  • Audit Logs: Actions performed (merges, dismissals, configuration changes) with timestamps and user identifiers
  • Usage Metrics: Number of scans performed, records processed (for billing purposes)
  • Technical Logs: Hashed IP addresses, user agent hashes (for security monitoring)

Note: We hash IP addresses before storage using SHA-256 (one-way encryption). We do not store raw IP addresses or session identifiers.

3.5 AI Embeddings & Token Usage

To power AI duplicate detection, we process:

  • Configured Field Text: Only the fields you include in matching rules (e.g., name, email, phone) are sent to OpenAI to generate embeddings.
  • Embedding Vectors: We store the resulting vectors and a hash of the source text for caching; unchanged records are not re-processed.
  • Token Counts & Cost: Token usage totals and estimated costs for billing/usage dashboards.

OpenAI does not use your data to train their models. You can avoid new AI processing by disconnecting your org or switching to non-AI matching modes.

3.6 Billing Information

For paid plans, we collect:

  • Billing email address
  • Stripe customer ID and subscription ID

Payment card information is handled entirely by Stripe and never touches our servers. See Stripe's Privacy Policy.

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Legitimate Interest: Duplicate detection and data quality services
  • Contract: Billing, subscription management, and service delivery
  • Consent: Optional marketing communications (if you opt-in)
  • Legal Obligation: Compliance with applicable laws and regulations

5. How We Use Your Information

We use the collected information for:

  • Service Delivery: Identifying and managing duplicate records in your Salesforce org
  • Authentication: Managing OAuth connections and user sessions
  • Billing: Processing payments and managing subscriptions
  • Product Improvement: Analyzing usage patterns to improve our service
  • Security: Detecting and preventing fraud, abuse, and security incidents
  • Support: Responding to your inquiries and providing customer support
  • Compliance: Meeting legal and regulatory obligations

6. Data Retention

We retain your data for the following periods:

  • AI Embeddings: Cached until the underlying record changes or the org is disconnected/purged.
  • Resolved Matches: 90 days after resolution (configurable by admin)
  • Pending Matches: 180 days after creation (configurable by admin)
  • Audit Logs: 90 days (configurable by admin)
  • Account Data: Retained while your account is active, deleted within 30 days of account closure
  • OAuth Tokens: Deleted immediately upon disconnection

Administrators can configure retention periods in the settings page. Automated cleanup runs daily to enforce retention policies.

7. Data Sharing and Third-Party Services

We share data with third-party service providers (subprocessors) to deliver our service. See our Subprocessor List for details on:

  • Salesforce (core integration)
  • OpenAI (embedding generation for AI duplicate detection; receives only configured matching fields; no training use)
  • Neon PostgreSQL (database hosting)
  • Vercel (application hosting)
  • Stripe (payment processing)
  • Resend (transactional emails)

We DO NOT sell, rent, or trade your personal information to third parties for marketing purposes.

8. International Data Transfers

Our primary data infrastructure is located in the United States (AWS us-east-1 for Neon database). If you are accessing our service from outside the US, your data will be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) and our subprocessors' data processing agreements to ensure adequate protection for international transfers.

9. Your Rights (GDPR, CCPA)

You have the following rights regarding your personal data:

9.1 Right to Access

You can request a copy of all personal data we hold about you. Visit the Privacy Settings page in your dashboard to download your data in JSON format.

9.2 Right to Rectification

You can update your account information and matching configurations at any time through the Settings page.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data. Visit the Privacy Settings page to submit a deletion request. Admin approval is required before permanent deletion to prevent accidental data loss.

9.4 Right to Data Portability

You can export your data in a machine-readable format (JSON) from the Privacy Settings page.

9.5 Right to Restriction of Processing

You can pause duplicate detection by disabling your org in the Settings page or disconnecting your Salesforce integration.

9.6 Right to Object

You can object to data processing at any time by disconnecting your Salesforce org or requesting account deletion.

9.7 Right to Lodge a Complaint

If you are in the EU, you have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@truerecord.app or use the self-service tools in your dashboard.

10. Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmission uses TLS 1.2+
  • Encryption at Rest: Salesforce tokens encrypted with AES-256-GCM, database encryption enabled
  • Access Controls: Role-based access control (RBAC) for org members
  • Audit Logging: All data access and modifications are logged
  • Data Minimization: We only collect and store data necessary for our service
  • Regular Updates: Security patches applied promptly

For more details, see our Security & FAQ page.

11. Cookies and Tracking

We use essential cookies for session management and authentication. See our Cookie Policy for full details.

We do not use third-party advertising or tracking cookies.

12. Children's Privacy

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Notice in your dashboard upon login
  • Updating the "Last Updated" date at the top of this page

Your continued use of the service after changes indicates acceptance of the updated policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Related Documents

Terms of ServiceCookie PolicyData Processing AgreementSubprocessor ListSecurity & FAQ