Saltbox MGMT, Inc.
Privacy Policy
- Effective Date: May 1, 2026
- Last Updated: May 1, 2026
- Contact: privacy@saltboxmgmt.com
- Website: www.saltboxmgmt.com
- Sub-Processor List: www.saltbox.one/sub-processors
Introduction
Saltbox MGMT, Inc. (“Saltbox MGMT,” “we,” “us,” or “our”) provides an AI-powered Salesforce configuration assistance platform (the “Service”) to business customers (“Customers”). This Privacy Policy describes how we collect, use, store, and protect information when Customers and their authorized end users (“Users”) access or use the Service. By using the Service, you agree to the practices described in this Policy. Where a Customer has executed a Master Service Agreement (“MSA”) or other written agreement with Saltbox MGMT, the terms of that agreement govern in the event of any conflict with this Policy.
The Service uses artificial intelligence and proprietary methodology to assist Customers with configuring their Salesforce platforms. In doing so, the Service may process data from a Customer's Salesforce environment solely to generate configuration assistance outputs. This data is processed in-session only and is not retained by Saltbox MGMT after the session concludes.
Important — Scope of This Policy. This Policy covers personal information that Saltbox MGMT collects directly from Users (such as account and contact information). This Policy does not cover Customer Data — meaning data that Customers upload to or process through the Service, including Salesforce environment data. Saltbox MGMT processes Customer Data as a data processor on behalf of the Customer, and that processing is governed by the Data Processing Agreement (DPA) between Saltbox MGMT and the Customer. The Customer's own privacy obligations to its end users are governed by the Customer's own privacy practices.
Data Processing Agreement (DPA). Business Customers are subject to a separate DPA governing the processing of Salesforce environment data. The DPA is available at www.saltbox.one/dpa.
1. Scope and Applicability
This Policy applies to authorized Users of the Service, visitors to our public website at www.saltboxmgmt.com, and personal information that may appear incidentally within Customer Salesforce environments processed through the Service. The Service is a business-to-business (B2B) platform only and is not directed to consumers or individuals acting in a personal capacity.
By accessing or using the Service, you represent that you are at least 18 years of age and are authorized to act on behalf of the Customer organization. This Policy does not apply to the internal employment or HR data of Saltbox MGMT employees or contractors.
2. Information We Collect
2.1 Account and User Information (Controller Role)
When a Customer provisions accounts for Users, or when a User registers directly, we collect only the personal information necessary to provide the Service:
- Full name and email address
- Job title
- Organization name, membership status, and assigned role within the organization
User authentication:
- Internal and administrative users: Google Single Sign-On (SSO) via Google OAuth
- All other Customer users: Direct email address and password registration
Session management is handled through a custom session management system. Session tokens do not contain Salesforce environment data.
2.2 Salesforce Environment Data (Processor Role — Governed by DPA)
When a User connects a Salesforce environment and asks the Service data-related questions, data from that environment is transmitted to the Service only as necessary to generate configuration assistance outputs. This data is processed in real time and is not stored or retained by Saltbox MGMT after the session concludes. Saltbox MGMT does not retain prompts or Salesforce environment data submitted during a session.
To reduce the risk of processing unnecessary personal information, the Service is designed to filter certain Salesforce field types, including fields of type email, address, and encrypted fields. However, standard text fields may contain personal information entered by Customer's own users, and Saltbox MGMT cannot fully control what data appears in such fields. Customers are solely responsible for ensuring that Salesforce data submitted to the Service complies with applicable privacy laws and the DPA.
Important Limitation. Saltbox MGMT does not intentionally process sensitive personal information categories. Customers should not submit data constituting sensitive personal information, data from regulated industries such as healthcare or financial services, or data subject to heightened legal protection, without first contacting privacy@saltboxmgmt.com.
2.3 Usage and Technical Data
We collect data generated through use of the Service only as necessary for service reliability and improvement, including log data, timestamps, feature usage patterns, error reports, IP addresses, and browser and device information.
We use Google Analytics on both our public website and within the Service application. See Section 6 for details and opt-out options.
2.4 Marketing and Communications Data
If you interact with our marketing activities, we collect only the information necessary for that purpose: name, business email address, job title, and company name. Marketing communications are managed through Salesforce CRM. You may opt out at any time as described in Section 7.
3. How We Use Your Information
We use the personal information we collect only as necessary for the following purposes:
3.1 Providing and Operating the Service
- To authenticate Users and manage account access
- To process Salesforce environment data in-session only to generate AI-assisted configuration outputs on behalf of the Customer
- To deliver configuration outputs to the Customer — all outputs are owned solely by the Customer and are not retained, benchmarked, or reused by Saltbox MGMT
- To send transactional notifications related to your account (via SendGrid)
- To surface relevant configuration guidance within the Service
3.2 Service Improvement and Operations
- To monitor service performance, diagnose errors, and maintain platform reliability
- To analyze aggregated and anonymized usage patterns to improve the Service — this does not involve analysis of Salesforce environment data content
3.3 Marketing Communications
- To send product updates or other marketing communications to Users who have not opted out — managed through Salesforce CRM; opt out at any time as described in Section 7
3.4 Legal and Compliance
- To comply with applicable legal obligations, enforce our Terms of Service and DPA, and respond to lawful government requests
We do not use your information for advertising, profiling for decisions with legal or significant effects, or any purpose beyond those described in this Policy.
4. How We Store and Protect Your Information
4.1 Data We Do Not Retain
Saltbox MGMT does not retain Customer Salesforce environment data after an in-session interaction concludes. Prompts sent to AI providers — including any Salesforce data included in those prompts — are not logged or stored by Saltbox MGMT. All AI provider agreements expressly prohibit the use of submitted data for model training purposes. AI-generated configuration outputs are delivered to the Customer and are not retained or reused by Saltbox MGMT.
4.2 Data We Do Retain
We retain the following categories of data only for the periods necessary to fulfill the purposes for which they were collected, then dispose of them on a regular schedule:
- User account data (name, email, job title, organization name, membership status, and role): retained while the account is active and deleted within 30 days of account closure or upon written request
- Service logs and usage data: retained for 90 days for operational and debugging purposes
- Marketing and CRM data: retained while the Customer relationship is active or until opt-out is received
- Anonymized and aggregated usage statistics: may be retained indefinitely as they do not constitute personal information
4.3 Security Measures
Saltbox MGMT employs industry-standard technical and organizational safeguards to protect your information, including:
- All data stored in encrypted databases at rest
- Integration credentials, API keys, and authentication tokens encrypted at rest using AES-256-GCM encryption
- OAuth tokens stored encrypted and refreshed automatically upon expiry
- All data in transit protected using HTTPS/TLS
- Strict multi-tenant data isolation — Customer data is scoped to the Customer’s organization and is not accessible by other organizations
- Access controls based on least-privilege principles — personnel access is restricted to the data necessary to perform their role
- Annual security and privacy awareness training for all personnel with access to personal data
- Regular security assessments to identify and address vulnerabilities
Security Certifications. We periodically pursue third-party security certifications and audits. Current certifications, if any, are listed at www.saltbox.one/security.
4.4 Infrastructure
The Service is hosted across the following infrastructure providers:
- Google Cloud Platform — primary storage
- Heroku — application hosting
- Vercel — front-end delivery and AI inference routing
- Redis — session and cache data
- Elasticsearch — search indexing
A current list of our sub-processors is maintained at www.saltbox.one/sub-processors. All infrastructure providers are contractually required to maintain security standards consistent with applicable data protection law.
5. Third-Party Service Providers (Sub-Processors)
We engage third-party service providers (sub-processors) to operate the Service. Each provider receives only the data necessary to perform its specific function and is contractually bound to data protection obligations no less protective than those in our DPA. A current list of sub-processors is maintained at www.saltbox.one/sub-processors. Customers may also request the list by contacting privacy@saltboxmgmt.com.
5.1 AI Processing Providers
Customer Salesforce environment data may be transmitted to AI providers for in-session inference processing only. Data sent to AI providers is used solely to generate outputs within the User's active session. Our agreements with all AI providers expressly prohibit the use of submitted data for training their models. No Salesforce environment data is retained by AI providers beyond the processing of a single request.
| Provider | Purpose | Data Received |
|---|---|---|
| Vercel AI Gateway | Routes AI inference requests to underlying LLM providers | Prompts containing in-session Salesforce data (not retained after response) |
| OpenAI (ChatGPT), Anthropic (Claude), xAI (Grok) | Large language model inference (via Vercel AI Gateway) | Prompts containing in-session Salesforce data (not retained after response) |
5.2 Infrastructure and Operations
| Provider | Purpose | Data Received |
|---|---|---|
| Google Cloud Platform | Primary storage infrastructure | All application data at rest and in transit |
| Heroku | Application hosting and compute | All application data in transit and at rest |
| Vercel | Front-end delivery | Web traffic and IP addresses |
| SendGrid (via Heroku add-on) | Transactional email delivery | Recipient name and email address |
| Google Analytics | Website and application usage analytics | User behavioral data, IP address, device information |
| Redis | Primary short-term, queue-based system for tracking ephemeral transactions | Event data between systems |
| Elasticsearch | Index storage for fast retrieval of information across the platform | Application data |
| Langfuse | Tracing of AI tool usage, responses, and metadata | AI interaction data |
5.3 Authentication
| Provider | Purpose | Data Received |
|---|---|---|
| Google OAuth | Single Sign-On for internal/administrative users only | Internal user identity information |
5.4 Marketing and CRM
| Provider | Purpose | Data Received |
|---|---|---|
| Salesforce | CRM, marketing communications, and email delivery | Customer and User contact data: name, email, job title, company name |
6. Cookies and Tracking Technologies
6.1 Types of Cookies We Use
We use the following types of cookies and similar tracking technologies:
- Strictly Necessary Cookies. Session management cookies required for authentication and core platform functionality. These cannot be disabled without impairing the Service.
- Analytics Cookies (Google Analytics). We use Google Analytics on our public website and within the Service application to understand how Users interact with our platform. Google Analytics may collect IP addresses, device information, and behavioral data. Under applicable state privacy laws, including California law, this may constitute “sharing” of personal information for cross-context behavioral advertising purposes. You have the right to opt out — see Section 7.5.
6.2 Managing Your Cookie Preferences
You may control cookies and analytics tracking through the following mechanisms:
- Browser settings: You may configure your browser to block or delete cookies at any time.
- Google Analytics Opt-Out: Install the Google Analytics Opt-Out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
- Global Privacy Control (GPC): We honor GPC browser signals as opt-out requests from the sale or sharing of personal information, as required by applicable law.
- Direct request: Email privacy@saltboxmgmt.com with the subject line “Opt-Out of Sharing.”
7. Your Privacy Rights
We will acknowledge receipt of all verifiable rights requests within 10 business days and respond within 45 days. Where necessary due to complexity or volume, we may extend this period by an additional 45 days and will notify you within the initial 45-day period. We will not charge a fee for responding unless requests are manifestly unfounded or excessive.
How to Submit a Request. Contact us at privacy@saltboxmgmt.com with the subject line “Privacy Rights Request”. We may need to verify your identity before processing your request. We will not require you to create an account solely to submit a request.
7.1 Right to Know and Access
You may request disclosure of the categories of personal information we have collected about you, the specific pieces of personal information we hold, the purposes for which it was collected, and the categories of third parties with whom we have shared it.
7.2 Right to Deletion
You may request deletion of your personal information. Upon a verified request, we will delete your personal information and direct our sub-processors to do the same, subject to exceptions permitted by law. We will process deletion requests within 45 days.
7.3 Right to Correction
You may request correction of inaccurate personal information. You may also update your account information directly within the Service at any time.
7.4 Right to Data Portability
You may request a copy of your personal information in a structured, machine-readable format by using the export function within the Service or by contacting privacy@saltboxmgmt.com.
7.5 Right to Opt Out of Sale or Sharing
We do not sell your personal information. However, our use of Google Analytics may constitute “sharing” of personal information for cross-context behavioral advertising under applicable law. You have the right to opt out by using the Google Analytics Opt-Out Browser Add-on, enabling a GPC signal in your browser, or emailing privacy@saltboxmgmt.com with the subject line “Opt-Out of Sharing.” We will act on opt-out requests within 15 business days of receipt.
7.6 Right to Limit Use of Sensitive Personal Information
We do not intentionally collect or process sensitive personal information as defined under applicable state privacy laws. If you believe we have inadvertently received sensitive personal information, please contact privacy@saltboxmgmt.com immediately.
7.7 Right to Opt Out of Automated Profiling
We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals.
7.8 Right to Non-Discrimination
We will not discriminate against you for exercising any privacy right. Exercising your rights will not result in denial of the Service, different pricing, or reduced quality of service.
7.9 Opt Out of Marketing Communications
You may opt out of marketing communications at any time by clicking the “Unsubscribe” link in any marketing email, or by emailing privacy@saltboxmgmt.com with the subject line “Marketing Opt-Out.” Opting out of marketing does not affect transactional account notifications.
7.10 Supplemental Notice for California Residents
This supplemental notice applies to California residents and supplements the rights described in Sections 7.1 through 7.9 above.
(a) Your Rights Under the CCPA/CPRA. California residents have the right to know, access, delete, correct, and port their personal information; to opt out of the sale or sharing of personal information; to limit use of sensitive personal information; and to non-discrimination for exercising these rights. The rights described in Sections 7.1 through 7.8 of this Policy encompass and satisfy all rights afforded under the CCPA as amended by the CPRA.
(b) Our Role — Service Provider and Business. For CCPA/CPRA purposes, Saltbox MGMT acts as a “service provider” with respect to Customer Salesforce environment data — that data is governed by our DPA, not this Policy. Saltbox MGMT acts as a “business” with respect to User account data it collects directly (name, email, job title, organizational information). We do not sell or share personal information except as described in Section 7.5 regarding Google Analytics.
(c) Categories of Personal Information Collected. The following table summarizes the categories of personal information we collect, consistent with the categories defined under the CCPA:
| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email address | Account creation, authentication, communications |
| Professional or employment information | Job title, organization name, role | Account provisioning and access management |
| Internet or other electronic network activity | IP address, browser type, usage data, log data | Service reliability, security, analytics |
| Commercial information | Marketing preferences and communication history | Marketing communications |
| Inferences drawn from above | Aggregated, anonymized usage statistics | Service improvement (anonymized only) |
We do not collect sensitive personal information as defined under the CPRA, and we do not sell personal information.
(d) Authorized Agent Requests. California residents may designate an authorized agent to submit privacy rights requests on their behalf. We will require written proof of the agent's authority to act on your behalf and may verify your identity directly before processing the request. Authorized agent requests should be submitted to privacy@saltboxmgmt.com with the subject line “Authorized Agent Request.”
(e) Shine the Light Disclosure. Under California Civil Code Section 1798.83, California residents may request, once per calendar year and free of charge, a list of the categories of personal information (if any) that Saltbox MGMT disclosed to third parties for their direct marketing purposes during the preceding calendar year. We do not currently disclose personal information to third parties for their own direct marketing purposes. To submit a Shine the Light request, contact privacy@saltboxmgmt.com with the subject line “Shine the Light Request.”
7.11 Supplemental Notice for Nevada Residents
Nevada residents have the right under Nevada Revised Statutes Chapter 603A to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information. Saltbox MGMT does not currently sell personal information as defined under Nevada law. Nevada residents may submit an opt-out request by emailing privacy@saltboxmgmt.com with the subject line “Nevada Do Not Sell Request” along with their name and account email address.
8. Data Sharing and Disclosure
We do not sell your personal information. The table below summarizes the categories of personal information we share, with whom, and for what purpose. We share data only in the following limited circumstances:
| Category of Personal Information | Recipients | Purpose |
|---|---|---|
| Identifiers (name, email, IP address) | AI and infrastructure sub-processors (see Section 5) | Providing and operating the Service |
| Internet activity (behavioral data, IP) | Google Analytics | Usage analytics; may constitute “sharing” under CCPA — opt out available (Section 7.5) |
| Identifiers (name, email) | SendGrid | Transactional email delivery |
| Identifiers and professional info (name, email, job title) | Salesforce | Marketing CRM and email communications |
| All categories held at time of transaction | Acquirer in merger or asset sale | Business transfer — only with agreement to honor this Policy and DPAs |
| Any category, as required | Government or law enforcement | Response to valid legal process, where required by law |
We do not share personal information with third parties for their own marketing, advertising, or purposes unrelated to providing the Service.
9. Data Retention
| Data Category | Retention Period | Notes |
|---|---|---|
| Salesforce environment data (prompts and in-session data) | Not retained — deleted at session end | No logs or storage after session closes |
| AI-generated configuration outputs | Not retained — owned by Customer only | Saltbox MGMT does not retain any generated outputs |
| User account data (name, email, job title, org, role) | Duration of account + 30 days post-closure | Deleted upon request or within 30 days of closure |
| Service logs and usage data | 90 days | Deleted after retention period expires |
| Marketing and CRM data | Duration of Customer relationship, or until opt-out | Deleted upon request or opt-out |
| Anonymized and aggregated usage statistics | Indefinite | Does not constitute personal information |
To request early deletion of your data, contact privacy@saltboxmgmt.com.
10. International Data Transfers
Saltbox MGMT is based in the United States and this Policy is intended for use within the United States only. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. By using the Service, you acknowledge and consent to such transfers. Saltbox MGMT does not actively market or direct the Service to users outside the United States.
11. Children’s Privacy
The Service is a business-to-business platform not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact privacy@saltboxmgmt.com and we will delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or sub-processors. We will notify Customers of material changes by posting the revised Policy with an updated Last Updated date and by sending an email notification to the address associated with your account. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Policy. Prior versions are available upon request by contacting privacy@saltboxmgmt.com.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: Saltbox MGMT, Inc.
- Attn: Privacy Compliance
- Mailing Address: 305 N 5th Ave, Suite #590, Minneapolis, MN 55401
- Website: www.saltbox.one
- Sub-Processor List: www.saltbox.one/sub-processors
- Security: www.saltbox.one/security
- DPA Inquiries: privacy@saltboxmgmt.com — subject: “DPA Inquiry”
- Rights Requests: privacy@saltboxmgmt.com — subject: “Privacy Rights Request”
- Opt-Out / Marketing: privacy@saltboxmgmt.com — subject: “Opt-Out of Sharing” or “Marketing Opt-Out”
- CA Shine the Light: privacy@saltboxmgmt.com — subject: “Shine the Light Request”
- Nevada Do Not Sell: privacy@saltboxmgmt.com — subject: “Nevada Do Not Sell Request”