The short version
HelloMavens runs the Salesforce Security Review at this site. We collect the minimum data needed to deliver the service, we never sell anyone's data, and we honor every deletion request.
- We collect your email when you start the questionnaire so we can send you the report.
- We use a single privacy-respecting analytics tool (PostHog) to understand which pages help and which don't. You can opt out at any time via the cookie preferences link in the footer.
- The free questionnaire flow does NOT connect to your Salesforce instance.
- The consultant CLI flow reads org metadata only — no records, no PII, no writes — and evidence bundles are scored in memory and discarded; only the resulting report summary is stored.
What we collect
Information you give us
- Email address. Required to deliver the report and let you sign back in.
- Optional profile context. Company name, size band, industry, and regulations in scope. You can leave any of these blank — they only shape how the report frames its findings.
- Questionnaire responses. Yes / No / I don't know answers across 42 SBS controls, plus any free-text remediation notes you choose to add.
Information we collect automatically
- Standard server logs. Request method, URL, HTTP status, user-agent, IP address. Retained for up to 30 days for security and abuse prevention.
- Analytics events via PostHog (page views, CTA clicks, scroll depth, section completion). Subject to your cookie consent — opt out and PostHog doesn't fire.
- Consent log. Each time you accept, reject, or change your cookie preferences we record the decision (categories, jurisdiction code, hashed UA + IP). We never store the raw user-agent or raw IP.
What we do NOT collect
- Salesforce records or PII from your org. The questionnaire never touches your Salesforce instance. The consultant CLI scan reads metadata only — user counts, profile permissions, named credentials inventories — never customer or employee personal data.
- Salesforce credentials. The consultant CLI uses your local Salesforce CLI auth (sfdx). We never see, transmit, or store your Salesforce username, password, or session token.
- Marketing or advertising trackers. No Google Analytics, no Meta pixel, no third-party ad SDKs.
How we use what we collect
- To compute and deliver your security review report.
- To email you the report link, transactional sign-in links, and (only if you opted in) a single follow-up about your scan.
- To improve the product based on aggregate usage patterns — funnel completion rates, section drop-off, common “I don't know” questions.
- To operate the service (security, abuse prevention, debugging) and to comply with legal obligations.
Who we share data with
We share data only with the service providers that make this product work, and only the minimum each needs:
- Supabase — database hosting (your responses, the scored report, optional profile context).
- Vercel — application hosting and edge network.
- Resend — transactional email delivery.
- PostHog — analytics (only when you've consented).
We do not sell, rent, or trade your information to third parties for marketing or any other purpose.
How long we keep data
- Reports + responses: retained until you ask us to delete them or until HelloMavens shuts down the service. You can request deletion at any time.
- Server logs: up to 30 days.
- Consent log: retained for the lifetime of the consent record so we can demonstrate compliance.
- Cached PDFs: 90 days, then auto-purged.
Your rights
Depending on where you live, you have the right to access, correct, delete, port, or object to processing of your personal data. You can exercise any of these rights by emailing mike@hellomavens.com. We'll respond within 30 days.
California residents can also use the Cookie Preferences link in the footer to control analytics; that link doubles as your “Do Not Sell or Share My Personal Information” control under CPRA, even though we don't sell or share data for cross-context behavioral advertising.
International transfers
HelloMavens is based in the United States. Our service providers operate globally; if you access this product from outside the US, your data may be transferred to and processed in the US under standard contractual clauses or equivalent safeguards.
Children
This product is not directed to children under 16, and we don't knowingly collect personal data from anyone under 16. If you believe a child has submitted information, email us and we'll delete it.
Changes to this policy
When we make material changes, we'll bump the “Last updated” date at the top and surface the change in the cookie banner the next time you visit (so you can re-confirm your consent if categories changed).
Contact
Questions, requests, or concerns: mike@hellomavens.com