Privacy

Privacy policy.

The short version: the Flexible Team Share Salesforce app runs 100% inside your Salesforce org and never sends any of your data to us. The marketing site collects only the minimum needed to reply to you. We never sell your data, never use advertising trackers, and we name every company that touches your data by its real name in the sub-processor list below.

Last updated: April 2026

1. Who we are

Flexible Team Share (FTS) is a product of CloudInfinity, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland and trading under the brand Tucario (we, us).

For the purposes of the GDPR, CloudInfinity is the data controller of the personal data collected through this marketing website. For the FTS managed package installed in your Salesforce org, Salesforce is the processor and you, the org owner, are the controller — we are neither, because we never receive the data (see Section 2.1).

For privacy questions, data access requests, or to exercise any of the rights listed below, write to hello@tucario.com.

2. What we collect, and where

FTS has two components. They collect different things, for very different reasons.

2.1 The FTS Salesforce app

Flexible Team Share is a 100% Salesforce-native managed package. Every line of code runs inside your own Salesforce org. The package has no external HTTP callouts, no Named Credentials, no Remote Site Settings, and no analytics or telemetry of any kind. Your files and records never leave your Salesforce boundary, because the app has no way to send them out.

The objects FTS creates in your org store only the sharing configuration and audit trail you set up — which record was shared with which external user, when, by whom, and for how long. You control retention and you can wipe everything by uninstalling the package. None of this data is ever transmitted to us.

2.2 This marketing website

The site you are reading is a static Astro build served from Cloudflare Pages. We offer a single first-party product-analytics tool — PostHog (EU Cloud) — and it only runs after you click "I agree" in the consent banner. If you click "Reject", PostHog is never loaded and no analytics cookies are set. You can change your mind any time from the "Cookie preferences" section at the bottom of this page.

When enabled, PostHog is configured to the most privacy-friendly defaults it offers: pageviews and clicks are captured, IP addresses are masked, session recordings are disabled, anonymous visitors do not get a persistent person profile (person_profiles: 'identified_only'), and the "Do Not Track" browser signal is respected as an additional safeguard.

The site has no advertising tracker, no session replay, and no third-party tag manager. Besides the PostHog ph_* cookie (set only after you accept), the site stores a single fts-analytics-consent value in your browser's localStorage to remember your consent choice, plus whatever Cloudflare Turnstile needs to prove you are not a bot on the forms below.

The site actively collects personal data in three places:

  • Contact form. Your name, email, subject, and message are posted to a Cloudflare Pages Function and forwarded to our own Salesforce CRM via Web-to-Case. We use this to reply to you.
  • Report a bug. The bug report form goes to the same Salesforce Web-to-Case endpoint with an FTS product tag. We use it to investigate the issue and reply to you.
  • Book a call. When you click "Book a Call" you are redirected to a Google Calendar appointment scheduling page. Anything you submit there is processed by Google under its own privacy policy; we only receive the resulting calendar invite.

Cloudflare keeps standard edge access logs (IP address, user agent, requested URL, timestamp) as part of delivering the site to you. Those logs are retained per Cloudflare's own policy and used by us only to investigate abuse and operational issues.

3. Why we process this data (legal basis)

  • Contract / pre-contract (Art. 6(1)(b) GDPR) — contact form messages and bug reports. We need this data to reply to you and, if you go on to install FTS, to support the app.
  • Legitimate interest (Art. 6(1)(f) GDPR) — Cloudflare edge access logs and Turnstile anti-bot checks, used solely for operational troubleshooting and abuse prevention.
  • Consent (Art. 6(1)(a) GDPR and ePrivacy Art. 5(3)) — PostHog product analytics. We only load PostHog after you click "I agree" in the consent banner, and we stop capturing the moment you withdraw consent.
  • Legal obligation (Art. 6(1)(c) GDPR) — if we ever issue an invoice relating to FTS, that invoice data is retained for 5 years to meet Polish accounting law (Ustawa o rachunkowości, Art. 74).

4. Who else touches your data (sub-processors)

A sub-processor is a third party that processes your personal data on our behalf. Naming them here is a legal requirement under GDPR Art. 28 and also how we think it should work — if you want to trust us, you should know exactly who we trust.

Important: the list below applies to the marketing website only. The FTS Salesforce app has zero sub-processors, because it has no way to transmit data outside your Salesforce org (see Section 2.1).

Sub-processor Purpose Location Transfer mechanism
Cloudflare, Inc. Marketing website hosting (Cloudflare Pages), DNS, edge TLS, Turnstile anti-bot challenges, Pages Functions runtime Global anycast Standard Contractual Clauses (SCCs)
PostHog Inc. (EU Cloud) Product analytics — pageviews, clicks, and form submission events. IPs are masked, no session recording, no advertising cookies. EU (Frankfurt) Intra-EEA (EU Cloud instance)
Salesforce.com EMEA Limited Our own CRM org (Web-to-Case endpoint) — receives contact form submissions and bug reports EU (Hyperforce) Intra-EEA
Google LLC Google Calendar appointment scheduling — only when you click "Book a Call" and submit the Google form EU / US multi-region SCCs

This list is kept current. When we add a new sub-processor we update this page before they start processing your data.

5. International transfers

Some of the sub-processors above are located outside the European Economic Area. Where that is the case, we rely on the European Commission's Standard Contractual Clauses (SCCs) — Decision (EU) 2021/914 — as the transfer mechanism. The fourth column of the table above says which mechanism applies to each provider.

6. How long we keep your data (retention)

  • Contact form messages and bug reports — stored as Case records in our Salesforce CRM for as long as needed to support the conversation, then archived. You can ask us to delete them at any time.
  • Invoice / accounting data — retained for 5 years after the transaction, as required by Polish accounting law.
  • Cloudflare access logs — retained per Cloudflare's default retention policy and never exported by us for profiling.
  • PostHog product analytics events — retained for up to 12 months then rolled up or deleted. The PostHog distinct_id cookie (ph_*) has a default lifetime of 365 days and you can clear it from your browser storage at any time.
  • FTS app data in your Salesforce org — retained according to the retention settings you configure inside FTS, and fully removed if you uninstall the package. We cannot delete this for you because we cannot see it.

7. Your rights under the GDPR

You have, at any time, the right to:

  • Access (Art. 15) — ask for a copy of the personal data we hold on you.
  • Rectification (Art. 16) — ask us to correct inaccurate data.
  • Erasure (Art. 17, "right to be forgotten") — ask us to delete your data. Email hello@tucario.com and we will action the request within 30 days.
  • Restriction (Art. 18) — ask us to pause processing pending a dispute.
  • Data portability (Art. 20) — ask us to export your full footprint on this website as a machine-readable file.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Complaint — lodge a complaint with your local supervisory authority. In Poland that is the President of the Personal Data Protection Office (UODO).

8. Security

We take appropriate technical and organisational measures to protect your data:

  • All external traffic to this site and our Pages Functions is over TLS 1.2+.
  • The FTS Salesforce app enforces Salesforce platform security: CRUD/FLS checks, SOQL injection protection, permission-set gates on admin operations, and deletion validation.
  • The FTS package is reviewed by the Salesforce Code Analyzer on every release, and passes the Salesforce AppExchange security review as part of distribution.
  • The marketing website's forms are rate-limited and gated by Cloudflare Turnstile to block automated abuse. No analytics SDK, session replay, or third-party tag manager runs on any part of the site without your consent.

9. Data breach notification

If a personal data breach occurs and it is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours of becoming aware of it, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also notify you directly without undue delay.

10. Children

Flexible Team Share is a professional B2B tool for Salesforce administrators and data teams. It is not directed at anyone under 16 and we do not knowingly process data from children.

11. Changes to this policy

If we change how we process your data in a material way, we update this page and the "Last updated" date above.

Cookie preferences

You can change your analytics choice at any time. Opting out stops PostHog from capturing new events and clears the PostHog ph_* cookie from this browser.

12. Contact

Privacy questions, data access, correction, erasure, or portability requests:

hello@tucario.com
CloudInfinity (sole proprietorship)
Poland