The short version

We collect what we need to run the product and nothing else. Your sales activity, account list, prospect notes, and AI conversations are yours. We store them so the app works across your devices, but we don't sell them, share them with advertisers, or use them to train models outside your account.

Who this covers

salesascode.com and the product sites gtmcron.com, salescron.com, leadercron.com, and secronjob.com are operated by the same company. Whichever site you arrive from, your account and data live on salesascode.com and are handled exactly as described in this policy — the product sites are marketing front doors and don't hold separate copies of your data.

What we collect

What we do with it

Cowork plugins: telemetry and brain sync

The Sales as Code plugins run in Claude Cowork, on your machine and with your own connected tools. When you connect the Sales as Code MCP with your account API key, those plugins send two kinds of data up to your account so the dashboard can show you what they did:

Metadata-first, never raw contact data by default. The plugins do not send raw third-party contact information (lead lists, prospect emails, message bodies) to your account by default. If you ever opt in to a richer sync, it is explicit and scoped, and you can turn it off. Everything is scoped to your authenticated account and never mixed with another account's data.

This telemetry and brain state is yours. You can export it and delete it from your dashboard, and deleting your account removes it on the schedule in "Your rights" below.

Subprocessors

We rely on the following third parties to operate. Each has its own privacy practices linked.

For our full security posture, compliance status, and data handling, see Trust & security.

Your rights

Cookies

One HttpOnly session cookie (si_session) and a short-lived state cookie during OAuth handshakes. No third-party tracking cookies, no advertising cookies, no fingerprinting scripts. We don't use Google Analytics or equivalent.

Where your data lives

Primary database: Neon (Postgres) in their default U.S. region. Application servers: Vercel, distributed globally. AI inference: Anthropic, U.S. region. If you're outside the U.S., your data is processed in the U.S.

Security

OAuth tokens are encrypted at rest with AES-256-GCM. Sessions are HttpOnly, SameSite=Lax, and Secure in production. The API key you provide for direct AI access (Settings → API) is stored only in your browser's localStorage — it never reaches our servers.

Enterprise controls. Teams can enable SAML single sign-on (Settings → Team) and route sign-in through their own identity provider at /login/sso. Every admin-relevant action is written to an immutable audit log that admins can review and export to CSV. You can export all of your data at any time (Settings → Data) and request deletion, which we hard-delete within 7 days (Stripe billing records are retained per Stripe's policy for tax and accounting).

Changes

If we materially change this policy, we'll surface a notice inside the product the next time you sign in. The "Last updated" date at the top always reflects the current version.

Contact

Questions, requests, or concerns: admin@salesascode.com.