1. Introduction
DXDeploy ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our cloud-based CI/CD platform for Salesforce deployments ("the Service").
This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
DXDeploy is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at:
Email: privacy@dxdeploy.com
3. Data We Collect
3.1 Account Information
When you register, we collect:
- Name
- Email address
- Password (stored as a one-way hash — we never store plain-text passwords)
- Team and organization information
3.2 Billing Information
Payment processing is handled by our payment provider, Paddle. We do not store your credit card details. Paddle collects and processes:
- Payment method details
- Billing address
- Transaction history
Please refer to Paddle's Privacy Policy for more information.
3.3 Third-Party Service Credentials
To provide the Service, we store credentials for your connected accounts:
- Version Control Systems (GitHub, Bitbucket) — access tokens, usernames, repository URLs
- Salesforce — OAuth tokens, refresh tokens, consumer keys, private keys, usernames, instance URLs
- Notification Services (Slack, Microsoft Teams, JIRA, Confluence) — webhook URLs, API tokens
All sensitive credentials are encrypted at rest using industry-standard AES-256-CBC encryption via Laravel's encrypted casting.
3.4 Deployment Data
When you use the Service, we collect:
- Deployment configurations (repository, branch, Salesforce environment, triggers, steps)
- Deployment logs (status, timestamps, results, error messages)
- RunBook configurations and execution history
- Webhook payloads (encrypted at rest)
3.5 Source Code
Your source code is accessed temporarily during the deployment process. It is cloned to a workspace directory, used for deployment, and deleted immediately after the deployment completes or fails. We do not retain copies of your source code.
3.6 Usage Data
We may collect technical data about how you use the Service, including:
- IP address
- Browser type and version
- Pages visited and features used
- Timestamps of actions
4. How We Use Your Data
We use your data for the following purposes:
- Providing the Service — Authenticating with your VCS and Salesforce accounts, executing deployments, sending notifications
- Account management — Managing your subscription, processing payments, enforcing plan limits
- Communication — Sending deployment notifications, account-related emails, and service updates
- Security — Detecting and preventing unauthorized access, abuse, or fraud
- Improvement — Analyzing usage patterns to improve the Service (using aggregated, non-identifiable data)
- Legal compliance — Meeting our obligations under applicable laws and regulations
5. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b)) — Processing necessary to provide the Service you have subscribed to
- Legitimate interests (Article 6(1)(f)) — Improving the Service, ensuring security, preventing fraud
- Legal obligation (Article 6(1)(c)) — Compliance with tax, accounting, and other legal requirements
- Consent (Article 6(1)(a)) — Where you have given explicit consent (e.g., marketing communications). You may withdraw consent at any time.
6. Data Sharing
We do not sell your personal data. We share data only with the following categories of recipients:
- Payment processor — Paddle (for subscription billing and invoicing)
- Infrastructure providers — Cloud hosting and server providers (for running the Service)
- Third-party services you connect — GitHub, Bitbucket, Salesforce, Slack, Microsoft Teams, JIRA, Confluence (only the data necessary to perform the actions you configure)
- Legal authorities — When required by law, regulation, or legal process
All third-party service providers are bound by data processing agreements where required by GDPR.
7. Data Storage and Security
- Location: Your data is stored on servers within the European Union
- Encryption at rest: All sensitive credentials (tokens, keys, secrets, webhook payloads) are encrypted using AES-256-CBC
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
- Password security: Passwords are hashed using bcrypt with automatic salting
- Access controls: Access to production systems is restricted to authorized personnel only
- Two-factor authentication: Available for all user accounts
8. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until you delete your account
- Deployment logs: Retained for the duration of your subscription
- Source code: Not retained — deleted immediately after each deployment
- Billing records: Retained as required by tax and accounting laws (typically 7 years)
Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law.
9. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — Request deletion of your personal data
- Right to restrict processing — Request that we limit how we use your data
- Right to data portability — Request your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@dxdeploy.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
10. Cookies
We use cookies and similar technologies for the following purposes:
Essential Cookies
Required for the Service to function. These cannot be disabled.
- Session cookie — Maintains your authenticated session
- CSRF token — Protects against cross-site request forgery attacks
Functional Cookies
Used to remember your preferences and improve your experience.
- Theme preference — Remembers your light/dark mode choice
- Panel state — Remembers sidebar and navigation preferences
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across other websites.
11. International Data Transfers
Your data is primarily stored and processed within the European Union. If data is transferred outside the EU (e.g., when interacting with third-party services like GitHub or Salesforce at your request), such transfers are protected by:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- The EU-US Data Privacy Framework (where applicable)
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or an in-app notification
We encourage you to review this page periodically for the latest information on our privacy practices.
© 2026 DXDeploy. All rights reserved.