Privacy Policy
Last updated: January 16, 2026
Overview
CommitFlow (“we”, “our”, or “the Service”) is a voice-first AI sales assistant that integrates with Salesforce. We are committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information, including voice data, CRM data, and account information.
Information We Collect
Account Information
- Email address
- Name (if provided)
- Profile picture (if provided via authentication)
- Organization membership (if applicable)
Voice & Audio Data
- Voice input when using voice features (processed in real-time)
- Transcriptions of voice interactions (temporarily stored during sessions)
- Voice commands and queries you make to the AI assistant
Salesforce Integration Data
- OAuth tokens (encrypted and securely stored)
- Your Salesforce instance URL
- CRM data accessed through your Salesforce connection (opportunities, contacts, accounts, tasks, events)
Note: Salesforce CRM data is fetched in real-time and is NOT stored on our servers. We only temporarily process this data to provide the Service.
Usage Data
- Features you use and actions you take
- Dashboard views and interactions
- Device information and browser type
- IP address and general location
User Preferences & Settings
- Dashboard preferences and view settings
- Notification preferences
- AI assistant preferences
Payment Information
Payment processing is handled by our payment provider (Clerk Billing). We do not store complete credit card numbers or payment details on our servers.
Voice AI & Audio Processing
Our voice AI features are powered by OpenAI's Realtime API. When you use voice features:
- Your voice is streamed in real-time to OpenAI's servers for processing
- Audio is converted to text (transcribed) to understand your requests
- The AI generates responses based on your voice input and your CRM context
- Transcriptions may be temporarily stored during your session to maintain conversation context
- We do not permanently store audio recordings of your voice
- OpenAI processes your voice data according to their privacy policy and API terms
You can use the Service without voice features by interacting through the visual dashboard interface.
Salesforce Data Handling
When you connect your Salesforce account:
- Authentication: We use OAuth 2.0 with PKCE for secure authentication. Your Salesforce credentials are never shared with us.
- Token Storage: OAuth tokens are encrypted using industry-standard encryption before being stored in our database.
- Data Access: CRM data (opportunities, contacts, accounts, tasks, events) is fetched directly from Salesforce in real-time when you use the Service.
- No Local Storage: We do NOT store copies of your Salesforce data. All CRM data remains in your Salesforce organization.
- Data Modification: When you update records through the Service, changes are made directly to your Salesforce organization via their API.
- Disconnection: You can disconnect your Salesforce integration at any time. When disconnected, your encrypted tokens are deleted from our servers.
How We Use Your Information
- Provide voice AI assistance and respond to your queries
- Display and interact with your Salesforce CRM data
- Generate AI-powered insights, deal health scores, and recommendations
- Process transactions and manage your subscription
- Send service-related communications and updates
- Respond to your comments, questions, and support requests
- Monitor and analyze usage to improve the Service
- Detect, investigate, and prevent security incidents
Data Storage & Security
- Account data is stored securely in MongoDB Atlas cloud infrastructure
- All data transmission uses HTTPS/TLS encryption
- Salesforce OAuth tokens are encrypted at rest using AES-256 encryption
- Authentication is handled by Clerk, a trusted identity provider
- API endpoints are protected by authentication and rate limiting
- We implement industry-standard security practices
- Regular security reviews and updates
Third-Party Services & Data Sharing
We do not sell your personal information. We share data with the following third parties as necessary to provide the Service:
- OpenAI: Voice input and CRM context for AI processing. Subject to OpenAI's Privacy Policy.
- Salesforce: Your CRM data via their API. Subject to Salesforce's Privacy Policy.
- Clerk: Authentication and billing. Subject to Clerk's Privacy Policy.
- MongoDB Atlas: Cloud database hosting for account data.
- Vercel: Application hosting and deployment.
We may also share data when required by law or to protect rights and safety.
AI Training & Model Improvement
We do NOT use your voice data, Salesforce data, or personal information to train AI models. The AI features are powered by OpenAI's pre-trained models. OpenAI's API data usage is governed by their enterprise API terms, which do not use customer data for training.
Your Rights
You have the following rights regarding your data:
- Access: Request a copy of your personal data stored by CommitFlow
- Correction: Update or correct your account information
- Deletion: Request deletion of your account and associated data
- Disconnect: Revoke Salesforce integration at any time
- Export: Download your account data in a portable format
- Opt-out: Unsubscribe from marketing communications
To exercise these rights, visit your account settings or contact us at hello@commitflow.ai.
Note: Deleting your account does not delete data in your Salesforce organization. Salesforce data remains under your control in Salesforce.
Cookies & Tracking
We use essential cookies for authentication and session management. We may use analytics tools to understand how the Service is used. You can control cookie preferences through your browser settings.
Data Retention
- Account Data: Retained as long as your account is active
- Voice Transcriptions: Session-only; not permanently stored
- Salesforce Tokens: Retained while integration is active; deleted upon disconnection
- Usage Logs: Retained for up to 90 days for security and debugging
When you delete your account, we will delete your personal data within 30 days, except where retention is required for legal purposes.
International Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place to protect your information in accordance with this privacy policy.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the CCPA:
- Right to know what personal information is collected and how it is used
- Right to request deletion of personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
Children's Privacy
The Service is intended for business professionals and is not directed at users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn we have collected such information, we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via the Service or email. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy, your data, or want to exercise your privacy rights, please contact us at hello@commitflow.ai.
CommitFlow
commitflow.ai
By using CommitFlow, you acknowledge that you have read and agree to this Privacy Policy.