Privacy Policy

Green Mountain Ventures LLC, a Colorado limited liability company (“Green Mountain Ventures,” “we,” “us,” or “our”), operates the dairi platform (“dairi,” the “Service”), available at dairi.ai. This Privacy Policy explains what information we collect, how we use and share it, and the choices and rights you have regarding that information.

By accessing or using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not access or use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, our authentication provider (Clerk) collects your email address, name, profile image (if provided), and password or single-sign-on credential. We receive a user identifier and basic profile data from Clerk to associate with your dairi account.

1.2 Salesforce Authorization Tokens

When you connect a Salesforce organization to dairi via OAuth 2.0, Salesforce issues access tokens and refresh tokens to dairi on your behalf. We store these tokens encrypted at rest using AES-256-GCM. We never receive or store your Salesforce username or password.

1.3 Salesforce Customer Data

When you (or an AI assistant acting on your behalf) invoke a dairi tool, dairi makes API calls to your Salesforce org using the stored tokens, retrieves the requested data, and returns it to the calling client. Except for short-lived processing in memory, we do not store, copy, index, sell, share, or use this Salesforce customer data to train machine-learning models. Audit log entries record only metadata about each call (tool name, timestamp, parameters, result status) — not the underlying Salesforce records.

1.4 Payment Information

Payments are processed by Stripe, Inc. We do not collect or store full payment card numbers, CVV codes, or bank credentials. Stripe provides us with a customer identifier, the last four digits of your card, card brand, billing country, and subscription status.

1.5 Usage and Telemetry Data

We collect operational data to provide and improve the Service, including: tool invocation logs (which tool, when, success or failure, credit cost), IP address, user agent, request and response timing, error reports, and aggregated usage counts.

1.6 Cookies and Similar Technologies

We use strictly necessary cookies to authenticate your session and remember your preferences. We do not use third-party advertising cookies. Clerk and Stripe may set their own first-party cookies in connection with the services they provide to us.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Service;
• Authenticate users and authorize access to connected Salesforce orgs;
• Process payments, manage subscriptions, and grant credits;
• Send transactional emails (account, billing, security, low-credit alerts);
• Monitor for fraud, abuse, security incidents, and rate-limit violations;
• Debug errors, analyze usage trends in aggregate, and improve reliability;
• Comply with legal obligations and enforce our Terms of Service.

3. How We Share Information

We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes. We share information only as described below.

3.1 Sub-Processors

We engage trusted third-party service providers (“sub-processors”) to operate the Service. Each is bound by contract to use information only to perform services for us:

• Clerk, Inc. — user authentication and identity management;
• Stripe, Inc. — payment processing and subscription billing;
• Resend (Resend.com, Inc.) — transactional email delivery;
• Vercel Inc. — hosting of the dairi web application;
• Railway Corp. — hosting of the dairi API and MCP server, and the production PostgreSQL database;
• Salesforce, Inc. — the connected CRM platform whose APIs the Service calls on your behalf.

3.2 Legal Requirements

We may disclose information if required by law, subpoena, court order, or other legal process, or where we have a good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

3.3 Business Transfers

If Green Mountain Ventures is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

3.4 With Your Consent

We may share information for any other purpose disclosed to you at the time we collect it or with your subsequent consent.

4. Salesforce Data Handling

Your Salesforce data belongs to you. dairi acts as a conduit between your AI client and your Salesforce org. Specifically:

• We do not store Salesforce records (Accounts, Contacts, Leads, Opportunities, custom-object data, etc.) in our database;
• We do not use Salesforce data to train, fine-tune, or evaluate any machine-learning model;
• We do not sell, rent, lease, or share Salesforce data with any third party for their own purposes;
• We do store metadata about each tool call (tool name, timestamp, calling user, parameters, result status, credit cost) for audit, billing, abuse-prevention, and debugging purposes;
• You can revoke dairi's access to your Salesforce org at any time from your dairi dashboard or directly within Salesforce Setup → Connected Apps. Revocation immediately renders our stored tokens unusable.

5. Data Retention

We retain account information for as long as your account is active. After account closure, we retain account, billing, and audit-log records for up to seven (7) years to comply with tax, accounting, and legal obligations. Encrypted Salesforce tokens are deleted within thirty (30) days of org disconnection or account closure, whichever is sooner. Aggregated and de-identified data that cannot reasonably be linked to you may be retained indefinitely.

6. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• AES-256-GCM encryption of Salesforce OAuth tokens at rest;
• TLS 1.2+ for all data in transit;
• SHA-256 hashing of API keys (we never store plaintext keys);
• Row-level security policies in our database for tenant isolation;
• HSTS, strict CORS, and other security headers on our web application;
• Rate limiting on authentication, OAuth, and tool-call endpoints;
• Structured audit logging of every tool invocation and administrative access;
• Stripe and Clerk webhook signature verification with idempotency checks.

No security measure is perfect. We cannot guarantee absolute security and you use the Service at your own risk.

7. International Data Transfers

Green Mountain Ventures is based in the United States, and our sub-processors process data primarily in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our sub-processors operate. By using the Service, you consent to such transfers. Where required by law, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses.

8. Your Privacy Rights

8.1 General Rights

Subject to applicable law, you may have the right to: access the personal information we hold about you, correct inaccurate information, request deletion of your information, restrict or object to processing, request portability of your information, and withdraw consent where processing is based on consent. To exercise any of these rights, contact us at privacy@dairi.ai.

8.2 Colorado Residents (Colorado Privacy Act)

If you are a Colorado resident, you have the right to access, correct, or delete personal data we hold about you; the right to data portability; and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data and do not engage in targeted advertising or such profiling. To exercise your rights, email privacy@dairi.ai. If we deny a request, you may appeal by replying to our response within sixty (60) days.

8.3 California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, use, and disclose; to request deletion or correction; to opt out of the sale or sharing of personal information; and to limit use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CCPA. You can exercise these rights by emailing privacy@dairi.ai. We will not discriminate against you for exercising any CCPA right.

8.4 EU / UK Residents (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing your personal data are: (a) performance of a contract with you, (b) compliance with legal obligations, (c) our legitimate interests in operating, securing, and improving the Service, and (d) your consent where required. You have the right to lodge a complaint with your local supervisory authority.

9. Children's Privacy

The Service is not directed to and not intended for children under sixteen (16). We do not knowingly collect personal information from children under 16. If you believe we have collected such information, contact us at privacy@dairi.ai and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to the address associated with your account and post the updated policy with a new “Last Updated” date. Your continued use of the Service after an update constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Green Mountain Ventures LLC
Attn: Privacy
State of Colorado, United States
Email: privacy@dairi.ai