No. 01 — Privacy

What we collect. And what we don't.

Plain language, not a legal scroll. If something here is unclear, email tim@timcox.co and we'll fix it.

Last updated: April 29, 2026

Who we are

SFMagic is operated by Tim Cox, a sole-proprietor independent developer based in New York. The service runs at sfmagic.co. If you have privacy questions, email tim@timcox.co.

What we collect from you

When you sign up:

  • Your email address (used as your login).
  • A bcrypt hash of your password (we never see the plaintext).
  • Your organization name and a slug for your tenant URL.
  • EIN, if you self-identified as a 501c3 for nonprofit pricing.

When you connect Salesforce:

  • An OAuth refresh token, encrypted at rest with AES-256-GCM.
  • A snapshot of your Salesforce schema metadata — object names, field names, picklist values. Not records.

When you use the product:

  • Per-tool usage events: which tool was called, when, whether it succeeded, how many records came back, and latency. No record content, no question text.
  • Standard server logs (IP address, user-agent, timestamp) kept for 30 days for abuse mitigation.

When you subscribe:

  • Your Stripe customer ID and subscription ID.
  • We never see your card. Stripe handles payment collection on their domain.

What we don't collect

  • Salesforce record content. Records are queried fresh per question and never cached or copied.
  • Question text or Claude's replies — those live in your Anthropic account, not ours.
  • Your Salesforce credentials. We use OAuth — your password never touches our system.
  • Your card number or CVC. Stripe holds those.
  • Cookies for advertising or third-party tracking. We use one cookie: the NextAuth session cookie, signed with our auth secret.

Who we share data with

SFMagic uses the following processors. None of them get more than the data described:

  • Salesforce — for OAuth and querying your data. Your tokens authorize SFMagic to read on your behalf.
  • Anthropic — Claude is the model that powers tool selection. When the onboarding agent runs, your schema metadata goes to Anthropic under their commercial DPA. No record content.
  • Stripe — payment processing and subscription management. They hold card data; we don't.
  • Vercel — application hosting (US-East-1).
  • Neon — Postgres database (US-East-1).

We do not sell your data. We do not share it with advertisers or data brokers.

How long we keep things

  • Account records (email, org, tokens) — until you delete the account.
  • Schema snapshots — replaced each time onboarding re-runs; otherwise kept while the account is active.
  • Usage events — 90 days, then aggregated and the row deleted.
  • Server logs — 30 days, then deleted.
  • Stripe data — Stripe's own retention rules apply (typically 7 years for financial records).

Your rights

Whether you're in California, the EU, or anywhere else, the same rules apply for everyone:

  • Access — email tim@timcox.co and we'll send you everything we have on your account in JSON.
  • Deletion — same email. We delete the tenant row, user records, and tokens within 7 days. Stripe and Salesforce-side records persist per their own policies.
  • Correction — fix it yourself in /app, or email us if you can't.
  • Portability — same as access; you get JSON.
  • Objection — you can revoke the Salesforce OAuth connection from inside Salesforce at any time. The MCP endpoint for your tenant stops working immediately.

Security

For a longer technical writeup, see the security page. Short version: tokens encrypted at rest with AES-256-GCM, transport encrypted with TLS, passwords stored as bcrypt hashes with cost factor 12, no record content ever touches our database.

Children

SFMagic is a B2B product for organizations using Salesforce. We don't market to or knowingly collect data from anyone under 18.

Changes to this policy

When we materially change this policy we'll email tenant admins before the change takes effect. Smaller corrections (typos, clarifications) we just push and bump the "last updated" date above.