Privacy Policy
Last Updated: May 20, 2026
Cirra AI, Inc. ("Cirra AI," "we," "us") provides a software-as-a-service platform for Salesforce administration, including the Cirra AI MCP Server and skills library (the "Services"), and operates the website at cirra.ai and its subdomains (the "Website"). This Policy explains how we handle personal information through the Website and the Services.
If you use the Services through an organization that subscribes to Cirra AI, that organization controls the data you submit; please direct privacy requests to them and we will assist them in responding.
1. Who We Are
Cirra AI, Inc. is a Delaware corporation with offices at 2261 Market Street STE 10421, San Francisco, CA 94114. For privacy questions, requests, or complaints, contact [email protected].
For data we collect from the Website and about prospects, customers, and partners, we are the controller. For data our customers process through the Services, we are a processor (and a "service provider" under CCPA/CPRA).
2. Information We Collect
You give us: business contact details when you fill out a form, request a demo, sign up, or contact support — name, business email, company, role, and anything else you choose to share.
Collected automatically on the Website and in the Services: usage information (such as pages and features viewed, clicks, referrers, and error diagnostics), and device and browser information (such as IP address, browser type, operating system, and device and session identifiers). In the authenticated Services we use cookies and similar technologies for account access and security, to provide in-product messaging and support, and to understand onboarding and usability patterns, including session-replay technology configured with masking so that form inputs and other sensitive content are not captured.
Through the Services: account information for administrators and authorized users, authentication credentials, OAuth tokens for connected systems (stored encrypted), product telemetry (logins, feature usage, errors), and the Customer Data your organization sends through the platform.
3. How the Services Handle Customer Data
Two characteristics matter:
- By default, AI prompts and responses pass directly between your AI client and the AI provider. When you use an AI client (such as Claude, ChatGPT, or Cursor) to interact with our MCP Server, the prompts you send to the AI model and the responses it returns are exchanged directly between your AI client and the AI provider — they do not pass through Cirra AI's systems, and we do not store or log them. Some features of the Services may process prompts or responses through our systems; where a feature does so, the handling described for that feature will apply. Your agreement with the AI provider governs your use of that provider.
- Underlying Salesforce records and metadata are generally not persistently stored as part of the product. They may transit our infrastructure to perform the operation you request and may appear briefly in transient operational logs and short-lived response caches retained only as long as operationally necessary. We do retain limited account and operational data needed to provide the Services, such as administrator and user names and business email addresses, encrypted OAuth tokens for connected systems, and high-level records of tool usage that do not include Salesforce record content.
We do not use Customer Data to train, fine-tune, or improve any foundation, general-purpose, or shared machine-learning model, and we contractually prohibit our subprocessors from doing so.
4. How We Use Information
We use information to operate the Services and Website, respond to inquiries, send marketing communications consistent with your preferences and applicable law, analyze usage, detect and prevent fraud and abuse, comply with legal obligations, and enforce our rights.
Where GDPR or UK GDPR applies, our legal bases are: consent (non-essential cookies, marketing emails, session recording); performance of a contract or pre-contractual steps; our legitimate interests in operating and improving our business; and compliance with legal obligations.
5. Cookies and Tracking
We use cookies and similar technologies to operate the Website, analyze usage, and (where permitted) market our Services. We also use cookies and similar technologies in the authenticated Services for account access and security, to maintain in-product messaging and support sessions, and for limited onboarding and usability analytics with masking applied. Categories include strictly necessary, preferences, statistics, and marketing cookies.
Visitors from the EEA, UK, and Switzerland see a consent banner before non-essential cookies are set. All visitors can manage choices via the "Your Privacy Choices" link in the Website footer. We honor Global Privacy Control signals from California residents' browsers as a CCPA opt-out signal. Our docs. and skills. subdomains do not load advertising, analytics, or behavioral-tracking technologies.
6. How We Share Information
We share personal information:
- With our personnel and contractors who need access to do their jobs, subject to confidentiality;
- With service providers and subprocessors described in Section 7, under written agreements limiting their use to providing services to us;
- With customers (for Customer Data) — we make Customer Data available to the customer that submitted it and do not share it with other customers;
- In a corporate transaction (merger, acquisition, financing, asset sale), subject to confidentiality;
- For legal reasons — to comply with law, respond to lawful requests, enforce our agreements, or protect rights, property, and safety; and
- With your consent or direction.
We do not sell personal information for monetary consideration. We may share certain identifiers with advertising providers for targeted advertising on the Website, which may constitute "sharing" under CCPA/CPRA. California residents may opt out as described in Section 9.
7. Service Providers and Subprocessors
We rely on third-party service providers to deliver the Services and operate the Website. These include providers of cloud hosting and infrastructure, database hosting, authentication, payment processing, transactional email, customer support and in-product messaging, and product and website analytics. Each is bound by a written agreement that requires data-protection commitments at least as protective as those in this Policy and limits their use of personal information to providing services to us. We do not authorize them to use Customer Data to train machine-learning models.
8. Security
We maintain administrative, physical, and technical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These safeguards include measures such as access controls, encryption in transit, encryption at rest for sensitive stored data, logging and monitoring, incident response procedures, and vendor review. No system is perfectly secure; we cannot guarantee absolute security.
We will notify affected customers of a confirmed security incident involving their personal information without undue delay and as required by law.
9. Your Privacy Rights
California residents (CCPA/CPRA). You have the right to know what personal information we collect and how we use, disclose, and (where applicable) share it; to delete it; to correct it; to opt out of sale or sharing; to limit certain uses of sensitive personal information; and to non-discrimination. To exercise rights, email [email protected] with the subject "California Privacy Request" or use any privacy request mechanism we make available through the Website or Services. We will verify and respond within 45 days (extendable once by 45 days where reasonably necessary). You may designate an authorized agent with proof. We honor Global Privacy Control as an opt-out signal.
In the preceding 12 months, we collected the following categories of personal information: identifiers and contact information; commercial or transaction information related to subscriptions or purchases; professional or employment-related information; internet or other electronic network activity information; approximate geolocation derived from IP address; account credentials and similar information needed to authenticate users and maintain connected-system access; and communications or other information you, your organization, or your authorized users choose to provide. We collect this information directly from you, from your organization, automatically from your use of the Website and Services, from connected systems you authorize, and from our service providers. We use it for the purposes described in Section 4. We disclose these categories for business purposes to the categories of recipients described in Sections 6 and 7. We may share identifiers and internet or other electronic network activity information with advertising partners for targeted advertising on the Website. We do not sell personal information for monetary consideration. We do not use or disclose sensitive personal information for purposes other than providing the Services, security, fraud prevention, and other purposes permitted by applicable law.
EEA, UK, and Swiss residents (GDPR / UK GDPR / FADP). You have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, and the right to lodge a complaint with your supervisory authority. To exercise rights, email [email protected]. If you are an end user of the Services on behalf of a customer, please direct your request to that customer; we will assist them in responding.
Residents of Colorado, Connecticut, and certain other U.S. states. Depending on your state of residence, you may have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, or certain profiling. To exercise these rights, email [email protected] or use any privacy request mechanism we make available through the Website or Services. If we decline to act on your request, you may appeal by replying to our response or emailing [email protected] with the subject line "Privacy Appeal." We will review and respond within the period required by applicable law and, where required, provide information about how to contact your state attorney general if you remain dissatisfied.
10. International Transfers
Cirra AI is based in the United States and most of our subprocessors are located there. If you are accessing the Website or Services from outside the United States, your personal information will be transferred to and processed in the United States. For transfers of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other appropriate transfer mechanisms.
11. Retention
We retain personal information for as long as we need it to provide the Services and operate our business, and as required by law (for example, for tax and accounting purposes). We determine retention periods by considering the nature and sensitivity of the information, the purposes for which it was collected, whether the relevant account or integration remains active, our legal and contractual obligations, and the need to establish, exercise, or defend legal claims.
In general, business contact and account records are retained for the duration of the relationship and a reasonable period thereafter; subscription and transaction records are retained as needed for billing, accounting, and tax purposes; encrypted OAuth tokens are retained while the relevant integration remains active and are deleted or disabled when no longer needed; security, support, and usage logs are retained for short operational periods and longer where reasonably necessary for security, fraud prevention, or legal compliance; and Customer Data that we do store is returned or deleted on the timelines set out in our customer agreement upon termination. Underlying Salesforce records and metadata processed through the Services are generally not persistently stored, except as they may appear in short-lived operational logs and caches.
12. Children
The Website and Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. Contact [email protected] if you believe a child has provided us with personal information.
13. Changes
We may update this Policy from time to time. We will post the updated Policy with a new "Last Updated" date. If we make material changes, we will provide additional notice before they take effect.
14. Contact
Questions, requests, or complaints: [email protected]. Postal mail: Cirra AI, Inc., 2261 Market Street STE 10421, San Francisco, CA 94114.