Privacy Policy — ForceVault for Salesforce

Version 1.1.0 · Last updated: June 14, 2026

ForceVault for Salesforce ("ForceVault", "the extension", "we") is a browser extension that lets you explore your Salesforce org's metadata — objects, fields, profiles, permission sets, users, and dependencies — directly in a side panel, using your existing Salesforce login session.

    In one sentence: ForceVault runs entirely in your browser,
    talks only to the Salesforce org you are already logged into, and never sends
    your data to us or to any third party.
  

What data ForceVault accesses

Your Salesforce session cookie (sid). The extension reads the session cookie that your browser already holds for the Salesforce org you are viewing. This is used solely to authenticate API requests to your own org on your behalf.
Salesforce org metadata and data you request. When you open a view, the extension calls the standard Salesforce REST and Tooling APIs of your org to retrieve information such as object and field definitions, profiles, permission sets, user records, org information, API-usage limits, debug logs, and the records you query (SOQL/SOSL). This information is shown to you in the side panel.
Debug logs you analyze. Logs you paste, upload, or load from your org are parsed entirely in your browser by the Log Analyzer. They are processed in memory and never transmitted anywhere.
The active tab's URL/domain. Used only to detect which Salesforce org you are currently viewing so the extension can connect to the correct org and show the right content.

How the data is used

To authenticate and make API calls to your Salesforce org.
To display Salesforce metadata, records, and settings inside the side panel.
To detect the active Salesforce org and switch context between orgs.

The data is used exclusively to provide the extension's features to you. It is not used for advertising, profiling, or any unrelated purpose.

Where data is stored

A reference to your current session (org instance URL, session token, hostname, and a timestamp) is stored locally on your device using the browser's chrome.storage.local API.
This storage is local only. It is never synced to your Google account and never transmitted to the developer or any external server.
Your own preferences — saved SOQL/SOSL queries and the optional per-org favicon color settings — are also stored locally with chrome.storage.local. These never leave your device.
Metadata retrieved from Salesforce is held in memory while the panel is open and is not persisted beyond your session.

What we do NOT do

We do not collect, transmit, or store your data on any server we control.
We do not sell or share your data with third parties.
We do not use analytics, tracking, advertising, or fingerprinting.
We do not load or execute any remote code.
We do not use your data to determine creditworthiness or for lending purposes.

Network connections

The extension makes authenticated network requests only to the Salesforce domains of the org you are logged into (for example *.my.salesforce.com, *.salesforce.com, *.force.com, *.salesforce-setup.com, *.visualforce.com, *.cloudforce.com, and the corresponding Government Cloud and regional domains).

One additional request is made to Salesforce's own public Trust status service (api.status.salesforce.com) to show upcoming maintenance windows in the Org Info view. This request is unauthenticated — it carries no session token and no personal data, only your org's public instance name (for example "USA252"). The extension makes no requests to the developer or to any non-Salesforce third party.

Data retention and deletion

The locally stored session reference is removed when you disconnect within the extension or when your Salesforce session expires.
Uninstalling the extension removes all of its locally stored data.
You can also clear it at any time via your browser's extension storage controls.

Permissions and why they are needed

cookies — to read your existing Salesforce session cookie so API calls can be authenticated as you.
host access to Salesforce domains — to call your org's REST/Tooling APIs.
scripting — to re-inject the extension's content script into already-open Salesforce tabs after the extension is installed or updated, so login/logout is detected without a page refresh. No remote code is ever executed.
tabs / activeTab — to detect the active Salesforce org and switch context.
storage — to remember your current session reference and your local preferences (saved queries, favicon settings).
sidePanel — to display the extension's interface in the browser side panel.

Children's privacy

ForceVault is a developer/administrator tool and is not directed to children under 13.

Changes to this policy

If this policy changes, the "Last updated" date above will be revised and the updated policy will be published at this URL.

Contact

Questions about this policy? Contact: forcevaultsfdc@zohomail.in