Privacy Policy for OrgFlow Software and Services

Version 1 (2021-07-31)

1. Introduction

Personal data (hereinafter: Data) will only be processed by us to the extent necessary for, and for the purpose of, providing functional and user-friendly websites, products and services.

Per Art. 4 No. 1 of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter: GDPR), "processing" refers to any operation or set of operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction performed on personal data, whether by automated means or not.

The following privacy policy is intended to inform you in particular about the type, scope, purpose, duration, and legal basis for the processing of such data either under our own control or in conjunction with others. We also inform you below about the third-party services we use to optimize our products and services and improve the user experience which may result in said third parties also processing data they collect and control.

2. Information About Us as Controllers of Your Data

The party responsible for this website and the products and services offered here (hereinafter: Controller, OrgFlow, We or Us) for purposes of data protection law compliance is:

OrgFlow GmbH
Am Kaiserberg 1
61231 Bad Nauheim
GERMANY

with seat in Landsberg am Lech, GERMANY.

3. Rights of Users and Data Subjects

With regard to the data processing to be described in more detail below, users and data subjects have the right to:

  • confirmation of whether data concerning them is being processed, information about the data being processed, further information about the nature of the data processing, and copies of the data (cf. also Art. 15 GDPR);
  • correct or complete incorrect or incomplete data (cf. also Art. 16 GDPR);
  • the immediate deletion of data concerning them (cf. also Art. 17 GDPR), or, alternatively, if further processing is necessary as stipulated in Art. 17 Para. 3 GDPR, to restrict said processing per Art. 18 GDPR;
  • receive copies of the data concerning them and/or provided by them and to have the same transmitted to other providers/controllers (cf. also Art. 20 GDPR);
  • file complaints with the supervisory authority if they believe that data concerning them is being processed by the controller in breach of data protection provisions (cf. also Art. 77 GDPR).

In addition, the controller is obliged to inform all recipients to whom it discloses data of any such corrections, deletions, or restrictions placed on processing the same per Art. 16, 17 Para. 1, 18 GDPR. However, this obligation does not apply if such notification is impossible or involves a disproportionate effort. Nevertheless, users have a right to information about these recipients.

Likewise, under Art. 21 GDPR, users and data subjects have the right to object to the controller's future processing of their data pursuant to Art. 6 Para. 1 lit. f) GDPR. In particular, an objection to data processing for the purpose of direct advertising is permissible.

4. Data Storage and Processing

Your data, as collected and processed when using our products and services, will be deleted or blocked as soon as the purpose for its storage ceases to apply, provided the deletion of the same is not in breach of any statutory storage obligations or unless otherwise stipulated below.

For your license key, this means that all your data will be stored in our cloud services as long as your license is active. Once your license expires you will no longer have access to your account. Your data is retained and can be reactivated for a period of two months (e.g. by reactivating your paid subscription) unless you request an earlier deletion. If you do not reactivate your license within this two-month period, your data will be marked for deletion and will physically and irrevocably be deleted from our systems within one more month.

4.1 Personal Data Collected Directly from You

If you express an interest in obtaining additional information about our services, request customer support, register to use our websites or download certain content, we may require you to provide us with your email address.

If you request a trial license to evaluate our products and services, we will require and store your email address.

If you purchase a subscription via our website, we also require you to provide us with your first and last name, company name, phone number and financial information and billing information, such as billing name and address, payment method (e.g. credit card number) and your company’s tax ID (where applicable). Our billing provider Stripe stores the provided information and creates customer and subscription records (see item 4.5 below). The same information will also be stored in our licensing service, which is our cloud-based service responsible for issuing, verifying and managing a customer’s license.

Whether using a trial license or a paid license, in the course of using OrgFlow to interact with your Salesforce account, information about your Salesforce environment and the metadata contained therein will be stored in our stack service, which is our cloud-based service responsible for storing runtime state about a customer’s Salesforce environment and deployment operations. This information includes:

  • Optionally: your default Salesforce login information (URL, username and password) in encrypted form; this information cannot be decrypted or read by anyone except you (not even by us)
  • Optionally: your Git repository login information (URL, username and password or access token) in encrypted form; this information cannot be decrypted or read by anyone except you (not even by us)
  • Commit hashes from your Git repository
  • Salesforce-specific information about metadata components in your Salesforce orgs, including component IDs, package names, metadata types and component names
  • Error information about components that failed to deploy to your Salesforce orgs, including error descriptions, line and column numbers (referencing lines in the component XML) and relative paths to files in your Git repository

Whenever you perform an operation in OrgFlow that requires reading or writing data governed by the stack service, personal data regarding your account and your subscription will be stored in the stack service, including the email address given during checkout, Stripe-specific ID/reference values, company name, first and last name and phone number.

To monitor the performance of our products and services, log entries will be stored in Azure Application Insights (a Microsoft-provided cloud-based service for storing runtime system logs, analyzing performance and troubleshooting issues). This includes the following customer or customer-owned information:

  • Operating system and IP address of the computer where you are running OrgFlow
  • The name of the computer that is running OrgFlow
  • Relative and absolute paths to files on the local computer which are relevant to OrgFlow
  • Relative and absolute paths to files in the customer’s Git repository which are relevant to OrgFlow
  • Types, names, IDs, paths and contents of metadata components in customer’s Salesforce orgs (only those which are managed in OrgFlow)
  • Org IDs and sign-in URLs of customer’s Salesforce orgs (only those which are managed in OrgFlow)
  • User names and IDs of users in customer’s Salesforce orgs (only those which are managed in OrgFlow)

If you register for an online community that we host (such as our community Slack workspace) then we may ask you to provide a username, photo and/or biographical information, such as your occupation, social media profiles, company name, and areas of expertise. You can find further information with regards to Slack's data protection practices at https://slack.com/trust/privacy/privacy-policy.

If you use and interact with our websites, we automatically collect log files and other information about your device and your usage of our websites through cookies, web beacons or similar technologies, such as IP addresses or other identifiers, which may qualify as Personal Data (see items 4.2 and 4.3 below).

4.2 Web Server Logs

For technical reasons, the following data sent by your internet browser to us or to our web server provider will be collected, specifically to ensure a secure and stable website experience: type and version of your internet browser, operating system, the website from which you came (referrer URL), the pages visited on our website, the date and time of your visit, as well as the IP address from which you visited our website.

The data thus collected will be temporarily stored, but not in association with any other of your data.

The basis for this storage is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the improvement, stability, functionality, and security of our website.

The data will be deleted within no more than seven days, unless continued storage is required for evidentiary purposes, in which case all or part of the data will be excluded from deletion until the investigation of the relevant incident is finally resolved.

4.3 Cookies

We use cookies on our website. Cookies are small text files stored on your computer by your internet browser.

4.3.1 Session Cookies

Session cookies are stored only for the duration of a single browsing session. Our use of session cookies makes our website more user-friendly, efficient, and secure, allowing us, for example, to display our website in different languages or to offer a shopping cart function.

The legal basis for such processing is Art. 6 Para. 1 lit. b) GDPR, insofar as these cookies are used to collect data to initiate or process contractual relationships. If the processing does not serve to initiate or process a contract, our legitimate interest lies in improving the functionality of our website. The legal basis is then Art. 6 Para. 1 lit. f) GDPR.

When you close your internet browser, these session cookies are deleted.

4.3.2 Third-Party Cookies

If necessary, our website may also use cookies from companies with whom we cooperate for the purpose of advertising, analyzing, or improving the features of our website. Please refer to the following information for details, in particular for the legal basis and purpose of such third-party collection and processing of data collected through cookies.

4.3.3 Disabling Cookies

You can refuse the use of cookies by changing the settings in your internet browser. Likewise, you can use the internet browser to delete cookies that have already been stored. However, the steps and measures required vary, depending on the internet browser you use. If you have any questions, please use the help function or consult the documentation for your internet browser or contact your internet browser's manufacturer for support.

If you prevent or restrict the storage of cookies, not all of the functions on our website may be fully usable.

4.4 Google Analytics

We use the Google Analytics web analytics service provided by

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
IRELAND

(hereinafter: Google) on our website.

The Google Analytics service is used to analyze how our website is used. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimization, and economic operation of our site.

Usage and user-related information, such as IP address, place, time, or frequency of your visits to our website will be transmitted to a Google server in the United States and stored there. However, we use Google Analytics with the so-called anonymization function, whereby Google truncates the IP address within the EU or the EEA before it is transmitted to the US.

The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and what visitors do once there. This data can also be used to provide other services related to the use of our website and of the internet in general.

Google states that it will not connect your IP address to other data. In addition, Google provides further information with regard to its data protection practices at https://www.google.com/intl/de/policies/privacy/partners, including options you can exercise to prevent such use of your data.

In addition, Google offers an opt-out add-on at https://tools.google.com/dlpage/gaoptout?hl=en as well as further information. This add-on can be installed in most popular internet browsers and offers you further control over the data that Google collects when you visit our website. The add-on informs Google Analytics' JavaScript that no information about the website visit should be transmitted to Google Analytics. Please note, however, that this does not prevent information from being transmitted directly to us or to other third-party services we may use as detailed herein.

4.5 Stripe

To process orders through our website, accept online payments, and manage customers and subscriptions, we use the checkout, billing and payment services of:

Stripe Payments Europe Ltd
Block 4, Harcourt Centre
Harcourt Road
Dublin 2
IRELAND

(hereinafter: Stripe) integrated within our website and in our products and services.

The legal basis is the fulfilment of the contract according to Art. 6 Para. 1 lit. b) EU General Data Protection Regulation (hereinafter: GDPR). In addition, we have a legitimate interest in offering effective and secure payment options, so that another legal basis ensues from Art. 6 Para. 1 lit. f) GDPR.

As a result of our integration with Stripe, your internet browser visits checkout and subscription management pages on Stripe-owned web servers. This means that the operating system you are using, type and version of your internet browser, date and time of the call and the IP address are sent to Stripe, even without any deliberate interaction with Stripe's website on your part.

As soon as you initiate a purchase of a subscription through our website, the data you have entered in any input fields of our pricing page will be processed by Stripe at your responsibility in order to collect payment from you and provision your subscription.

All data is transmitted in encrypted form. You can revoke your consent at any time with effect for the future via the contact details on our support page. Your data will only be passed on for the purposes of payment processing, billing and subscription management. You can find more information about Stripe's data protection and privacy policies at https://stripe.com/en-de/privacy.
