Last updated: November 30, 2025
Tough Customer (“Tough Customer,” “we,” “us,” or “our”) provides AI-powered coaching and simulation tools that integrate with platforms such as Slack and Salesforce, as well as web-based applications under the toughcustomer.ai domain (collectively, the “Services”).
This Privacy Policy explains how we collect, use, store, and share information when you:
- Install or use a Tough Customer Slack app
- Use a Tough Customer Salesforce ISV package
- Access our web applications or website at toughcustomer.ai
If you do not agree with this policy, you should not use the Services.
1. Who is responsible and how to contact us
Tough Customer is the controller of personal data we process through our own infrastructure, except where we act as a processor on behalf of a customer (for example, when processing Salesforce data under a customer contract).
If you have questions or requests about this Privacy Policy or your data, contact us at:
Email: Contact Support
2. What data we collect
2.1 Data from Slack
When you install and use a Tough Customer Slack app, Slack sends us certain data as part of OAuth and API calls. Depending on the scopes you approve, this may include:
- Workspace and team information (e.g., workspace ID, team name)
- User information (e.g., Slack user ID, display name, email address as permitted by Slack)
- Channel information (e.g., channel IDs and names where the app is used)
- App-related events and payloads (e.g., slash commands, button clicks, view submissions)
- Message content and attachments in channels, DMs, or threads where the app is explicitly invoked (for roleplays, prompts, or commands)
- Technical metadata (e.g., timestamps, request IDs, error codes, minimal diagnostic context)
We request only the scopes necessary for the app’s functionality and described in the Slack App Directory listing.
2.2 Data from Salesforce
As we are a Salesforce ISV, the primary system of record for CRM data is your Salesforce org. When you connect our Services to Salesforce and grant access via the Salesforce security model, we may process:
- CRM records such as Accounts, Contacts, Opportunities, custom objects, and related fields as configured
- Roleplay metadata, scores, and transcripts stored as records in your Salesforce org
- User and profile/permission details required to enforce access control and licensing
In most cases we do not store independent long-term copies of your Salesforce data on Tough Customer infrastructure; we process it and write results back into Salesforce.
2.3 Data from the Web Application and Website
When you use our web apps or visit toughcustomer.ai, we may collect:
- Account and profile information (e.g., name, email, organization, role)
- Authentication data (e.g., hashed passwords, SSO identifiers, session tokens)
- Usage data (e.g., pages visited, actions taken, configuration settings)
- Support and communications data (e.g., emails you send us, support tickets)
We may also use standard cookies or similar technologies for authentication, remembering preferences, and basic analytics.
2.4 Roleplay Transcripts and Scoring Data
A core part of our Services involves AI-driven roleplays and coaching. To provide these features, we may process:
- Roleplay transcripts (e.g., what you say to the AI “buyer” in Slack, Salesforce, or web)
- Scoring and feedback (e.g., numeric scores, rubric evaluations, coaching comments)
- Contextual metadata (e.g., scenario type, object IDs, timestamps)
Where configured, these outputs are stored in your Salesforce org as the system of record. We may temporarily store copies on Tough Customer infrastructure to process and deliver the results reliably, troubleshoot issues, and improve model quality.
3. How we use the data
We use the data we collect to:
- Provide and operate the Services
  - Run roleplays, generate transcripts, scores, and coaching feedback
  - Save results back into Salesforce or display them in Slack/web
  - Maintain app configurations, licensing, and user access
- Secure and monitor the Services
  - Detect and prevent abuse, fraud, and security incidents
  - Monitor performance, availability, and error rates
  - Maintain audit logs where necessary for security and compliance
- Improve the Services
  - Analyze usage patterns and anonymized roleplay data to improve prompts, scoring, and user experience
  - Develop new features and refine existing ones
- Support and communication
  - Respond to support requests and questions
  - Send service-related notifications (e.g., important security or policy updates)
Where privacy laws like GDPR apply, our primary legal bases are: (a) performance of a contract (providing the Services to our customers), (b) legitimate interests (improving and securing our Services), and, where required, (c) consent.
We do not sell personal data or use Slack or Salesforce data for advertising.
4. Data storage and retention
4.1 System of record
- Salesforce CRM data (including roleplay transcripts and scores stored in Salesforce) remains under the control of the customer and is subject to the customer’s Salesforce retention policies.
- Tough Customer does not maintain an independent long-term copy of your CRM data outside Salesforce, except as described below.
4.2 Tough Customer–hosted data
To operate and secure the Services, we may store limited data on Tough Customer–managed infrastructure, such as:
- Integration and configuration metadata (e.g., workspace IDs, org IDs, feature flags, app settings)
- Technical and security logs (e.g., timestamps, error codes, request IDs, minimal diagnostic context)
- Roleplay transcript and scoring data needed to process AI coaching, generate feedback, and reliably deliver results back into Salesforce or Slack
We retain this Tough Customer–hosted data only for as long as necessary for:
- Service delivery and reliability
- Security monitoring and troubleshooting
- Compliance with legal or contractual obligations
After that, we delete or anonymize it according to our internal retention schedules.
5. Data sharing and third parties
We do not sell or rent your personal data.
We may share data:
- With service providers (processors)
  We use reputable cloud and service providers (e.g., hosting, logging, monitoring) that process data on our behalf under written contracts that include confidentiality and data protection obligations.
- With platforms you connect
  When you use our Slack and Salesforce integrations, data flows between Tough Customer and those platforms based on the scopes and permissions you grant. Those platforms process data under their own terms and privacy policies.
- For legal and safety reasons
  We may disclose data if we believe it is reasonably necessary to:
  - Comply with applicable law, regulation, or legal process
  - Protect the rights, property, or safety of Tough Customer, our users, or others
  - Investigate and prevent fraud or security incidents
- Business transfers
  In connection with a merger, acquisition, or sale of assets, data may be transferred as part of the transaction, subject to appropriate safeguards and continued protection.
We do not allow third parties to use your data for their own marketing purposes without your consent.
6. Your rights and choices
Depending on your location and applicable law (e.g., GDPR, CCPA/CPRA), you may have rights to:
- Access personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (“right to be forgotten”)
- Request restriction or objection to certain processing
- Request a copy of your data in a portable format
6.1 Requests related to Slack or Salesforce workspace data
For data controlled by your organization (e.g., messages, records, roleplays stored in your Slack workspace or Salesforce org):
- Your workspace owner/admin (Slack) or Salesforce admin/customer generally controls that data.
- Please contact your organization’s administrator to exercise your rights; they may then work with us if our assistance is required.
6.2 Requests to Tough Customer
For data we control directly (e.g., account data, app configuration, Tough Customer–hosted logs and transcripts), you can contact us at:
Contact Support
We will respond within a reasonable timeframe and in accordance with applicable law. We may need to verify your identity before acting on the request.
7. Data deletion requests
When we receive a valid deletion request from an authorized customer representative or individual (subject to law and contractual obligations), we:
- Scope the request – Determine what data is in Salesforce, Slack, and Tough Customer systems.
- Coordinate with the customer admin – For data in Salesforce or Slack workspaces, we provide guidance; the customer typically performs deletion in their own environment.
- Delete/anonymize Tough Customer–hosted data – We delete or anonymize configuration, logs, and relevant transcripts/scores within a commercially reasonable period, except where retention is required by law.
- Handle backups – Any residual copies in backup systems are not actively processed and are removed automatically as backups age out of the normal backup cycle.
- Document and confirm – We document the request and confirm completion to the requester.
(See also our Data Archival/Removal and Data Storage policies.)
8. Security
We take the security of your data seriously and implement a combination of technical and organizational measures, including:
- Encryption in transit (TLS) and encryption at rest for Tough Customer–hosted data
- Role-based access control and least-privilege principles
- Secure Software Development Lifecycle (SSDLC) practices, including code review and vulnerability scanning
- Incident response and vulnerability disclosure processes
No method of transmission or storage is 100% secure, but we continuously work to enhance our safeguards.
9. International data transfers
Our Services may be provided using cloud infrastructure located in one or more countries. If you are located in a different jurisdiction, your data may be transferred across borders.
Where required, we implement appropriate safeguards for international transfers, such as standard contractual clauses or equivalent mechanisms, and ensure our processors provide adequate protection.
10. Children’s privacy
Our Services are designed for business and professional use and are not directed to children under the age of 16 (or lower age as defined by local law). We do not knowingly collect personal data from children. If we learn that we have collected such data, we will delete it promptly.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or operational practices. When we make material changes, we will:
- Provide additional notice where required (e.g., via email, in-app, or on our website)
Your continued use of the Services after an update means you accept the revised Privacy Policy.
12. Contact
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Security & Vulnerabilities: Contact Support
If you are in a jurisdiction with a data protection authority and believe we have not addressed your concerns, you may have the right to lodge a complaint with that authority.