Privacy Policy
Effective Date: February 7, 2026 · Last Updated: February 15, 2026
Overview
OrgTracer is a browser extension (Chrome, Firefox, and Edge) that visualizes Salesforce automation execution order. It runs entirely in your browser and does not collect, transmit, or store any user data on external servers.
What Data OrgTracer Accesses
- Session cookie (sid): Used to authenticate API calls to your Salesforce org. Never transmitted anywhere else.
- Salesforce metadata: Queries your org's Flows, Apex Triggers, Validation Rules, Workflow Rules, and sObject definitions via Salesforce REST and Tooling APIs. Used solely to render the automation map.
- User and permission data: When using the Permission Tracer, OrgTracer queries user records including names, emails, usernames, profile assignments, permission sets, object/field permissions, system permissions, role hierarchy, and more. This data is used solely to display effective permissions and is never stored persistently or transmitted externally.
- Debug logs (optional): When you upload or paste a debug log into the Log Debugger, it is parsed entirely in your browser using a Web Worker. Debug log content is never transmitted to any external server.
What Data OrgTracer Stores
- Recent objects list: Saved locally in chrome.storage.local. Never leaves your browser.
- OAuth tokens: Access tokens, refresh tokens, instance URL, and org ID stored in chrome.storage.local keyed by org. Never transmitted externally.
- OAuth Consumer Key: If you configure a Connected App, the Consumer Key is stored in chrome.storage.local and used only to initiate the OAuth flow.
- In-memory cache: API responses cached for up to 5 minutes. Cleared when the extension is closed.
Settings Export / Import
The Settings page allows you to export all OrgTracer data from chrome.storage.local as a JSON file and import a previously exported file. Exported files may include OAuth configuration and tokens. Treat exported files as sensitive if they contain OAuth data.
What OrgTracer Does NOT Do
- Does not collect personal information for its own use
- Does not send data to any external server, analytics service, or third party
- Does not track usage or browsing behavior
- Does not modify any data in your Salesforce org (read-only access)
- Does not access any browser data outside of Salesforce domains
- Does not transmit debug log contents to any server
Authentication
- Session cookie (default): Reads the Salesforce session cookie from your browser. No credentials stored — it piggybacks on your existing authenticated session.
- OAuth 2.0 PKCE (fallback): For orgs with API Access Control, OrgTracer authenticates via OAuth 2.0 PKCE using chrome.identity.launchWebAuthFlow(). Requires configuring a Connected App Consumer Key in Settings.
Permissions Explained
| Permission | Why It's Needed |
|---|---|
| cookies | Read Salesforce session cookie for API auth |
| identity | OAuth 2.0 PKCE authentication flow |
| storage | Save recent objects, OAuth config, and tokens locally |
| tabs | Detect active Salesforce tab for messaging |
Host Permissions
OrgTracer requests host permissions for all Salesforce-operated domains to make read-only API calls (Tooling API and REST API) to fetch automation metadata and permission data. These calls go directly from your browser to your Salesforce instance. No data passes through any external server.
| Domain Pattern | Purpose |
|---|---|
| *.salesforce.com | Standard Salesforce orgs |
| *.salesforce-setup.com | Salesforce Setup pages |
| *.force.com | Custom domains, Lightning, Classic |
| *.cloudforce.com | Legacy Salesforce domains |
| *.visualforce.com | Visualforce pages |
| *.sfcrmapps.cn | Salesforce China region |
| *.sfcrmproducts.cn | Salesforce China region |
| *.salesforce.mil | Government Cloud (DoD) |
| *.force.mil | Government Cloud custom domains |
| *.cloudforce.mil | Government Cloud legacy |
| *.visualforce.mil | Government Cloud Visualforce |
| *.crmforce.mil | Government Cloud CRM |
| *.force.com.mcas.ms | Microsoft Cloud App Security proxy |
| *.builder.salesforce-experience.com | Experience Cloud Builder |
Data Security
All communication between OrgTracer and your Salesforce org uses HTTPS. OAuth tokens in chrome.storage.local are accessible only to the extension and are never transmitted externally.
No Backend
OrgTracer has no backend server. All processing happens locally in your browser. Your Salesforce data never leaves the direct connection between your browser and your Salesforce org.
Changes to This Policy
If this privacy policy changes, the updated version will be published with the extension update and noted in the changelog.
Contact
For questions about this privacy policy or the extension, please open an issue on the project repository.
