Privacy policy

1. Information we collect

When you use aprity, we may collect the following categories of information:

• Account information: name, professional email address, company name, and role when you register or request a demo.
• Salesforce metadata: object definitions, field schemas, automation configurations (triggers, flows, validation rules), and related structural metadata extracted during scans. This may incidentally include the names of Salesforce users appearing in the metadata (record owners, report authors). We do not access or store your Salesforce business data records.
• Usage data: scan history, feature usage patterns, connection timestamps, IP addresses, and technical logs necessary for service operation and security.
• Communication data: information you provide when contacting our support or sales teams.

2. How we use your data

We use the information we collect to:

• Provide, operate, and maintain the aprity platform.
• Produce specifications from your Salesforce metadata as part of the core service.
• Improve and optimize service performance, reliability, and security.
• Communicate with you about your account, service updates, and support requests.
• Comply with legal obligations and enforce our terms of service.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Data storage, location & security

Your data is hosted exclusively on Microsoft Azure infrastructure. The data residency region is selected by each customer at subscription: France Central (EU) or East US. Customers in the financial or insurance sector, or those subject to strict EU-residency requirements, typically select France Central (EU-only).

• Database: Salesforce metadata and the specifications produced from it are stored in Azure Cosmos DB with strict multi-tenant isolation. Each tenant's data is logically separated using dedicated partition keys enforced at the database level.
• Encryption: all data is encrypted at rest using strong encryption (Azure-managed keys) and in transit via TLS.
• Access controls: we apply role-based access control, audit logging, and the principle of least privilege across all infrastructure components. Administrative access requires multi-factor authentication.
• Secrets management: authentication credentials (including Salesforce OAuth tokens) are stored in Azure Key Vault. They are never stored in plain text in the database.
• Incident notification: in the event of a personal data breach, affected customers are notified without undue delay, and we assist customers with their own notification obligations.

4. Data retention

We distinguish three categories of data, each with its own retention rule:

• Raw extracted metadata: purged after each scan completes. We do not keep the raw Salesforce metadata once the documentation has been derived from it.
• Derived documentation & specifications: the outputs generated from your metadata are retained for the duration of your active subscription so the living portal stays available.
• Operational logs: retained for up to 90 days. Billing data: retained for 10 years as required by accounting law.

Upon termination of your account, we delete your data within 30 days unless a longer retention period is required by law or requested by you.

5. Your rights (GDPR)

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data, subject to legal retention requirements.
• Right to restrict processing: request that we limit the processing of your data in certain circumstances.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to the processing of your data for specific purposes.

To exercise any of these rights, contact us at dpo@aprity.ai. We respond within 30 days of receiving your request.

6. Cookies

The aprity website uses strictly necessary cookies required for the proper functioning of the site (session management, security tokens), and Google Analytics for anonymous audience measurement (with IP anonymisation). Google Analytics is loaded only after you accept analytics cookies in the cookie-consent banner shown on your first visit; Google LLC acts as a processor for this measurement. You can withdraw your consent at any time via the "Cookie settings" button in the site footer. We do not use advertising cookies or cross-site behavioural tracking. See our Cookie Policy for details.

7. Sub-processors & third parties

We rely on the following sub-processors to operate the platform. The up-to-date list is available on request.

• Microsoft Azure (Microsoft Ireland Operations Ltd) — cloud infrastructure: compute, database, search, storage, and secrets management, in the customer-selected region.
• Microsoft Azure OpenAI Service — large language models (GPT family) hosted and operated by Microsoft, processed within the customer-selected Azure region.
• Microsoft Azure AI Foundry — Anthropic Claude models hosted and operated by Microsoft within the customer-selected Azure region.
• Microsoft Azure Communication Services — transactional emails (account notifications, alerts).
• GitHub, Inc. (Microsoft) — source repository and CI/CD for the Salesforce managed package only. No customer personal data is hosted there.
• Salesforce — API integration for metadata extraction (read-only access via JWT Bearer authentication). This is the customer's own org, accessed under the customer's authorization.
• Google LLC — Google Analytics 4 for anonymous audience measurement on the public website only, loaded after consent. No customer personal data or Salesforce metadata is shared with Google.

Language models — exclusive Azure routing. aprity does not call any large language model provider directly. All AI inference passes exclusively through Microsoft Azure (Azure OpenAI Service and Azure AI Foundry). Anthropic, PBC is the provider of the Claude model but has no access to customer data — the model is hosted and operated by Microsoft. Under the Microsoft Product Terms and Microsoft's data protection terms, your prompts and outputs are never used to train or improve foundation models, are processed and stored within the selected Azure region, and benefit from the Microsoft EU Data Boundary commitment for EU-region deployments.

8. Contact

For any questions or concerns about this Privacy Policy or your personal data, please contact us at:

aprity SASU
Data protection: dpo@aprity.ai
General: contact@aprity.ai

See also our Legal Notice, Terms of Service and Trust & Security page.