Skip to content
Stony Point

Legal

Privacy Policy

This is the company-level umbrella privacy policy for all Digadop products and websites. It is published by Stony Point, Inc., a Florida corporation, doing business as (“d/b/a”) Digadop (“Digadop,” “we,” “us,” or “our”), 8742 Peachtree Park Ct, Windermere, FL 34786, USA.

1. Who we are

This policy is published by Stony Point, Inc., a Florida corporation, doing business as (“d/b/a”) Digadop (“Digadop,” “we,” “us,” or “our”), with a principal business address at 8742 Peachtree Park Ct, Windermere, FL 34786, USA. “Digadop” is a trade name (DBA), not a separate legal entity; the contracting and responsible party is always Stony Point, Inc.

For privacy questions and data-subject requests, contact our privacy point of contact and Data Protection Officer, Steve Wasula, at privacy@digadop.com. For legal notices, contact legal@digadop.com.

2. Scope

This policy applies to all Digadop-branded products (each a “Service”) and to the Digadop websites and marketing pages, including but not limited to Who Sees What, Lynceon, Clionyx, jobuna, and Messigent. It describes, at the company level, how we collect, use, share, secure, and retain information across the product family.

Each product handles data differently. Product-specific data handling is summarized in Section 3 below and is described in full in that product’s Product Schedule and, where published, its product privacy page. Where this umbrella policy and a Product Schedule or product privacy page differ on a product-specific point, the product-specific document governs for that product.

This policy does not by itself describe the contractual terms under which we process Personal Data inside a Customer’s Connected Org. Those terms are in the Digadop Data Processing Addendum (the “DPA”); see Section 6.

2.1 Product summaries (pointers, not full descriptions)

  • Who Sees What: a read-only Salesforce permission and access auditor. It reads access configuration, metadata, and the user directory from a Connected Org via OAuth (scopes api refresh_token offline_access openid), encrypts the refresh token with AWS KMS, isolates tenants with per-tenant Row-Level Security, and does not apply any LLM or AI processing to Customer Data. See the Who Sees What Product Schedule.
  • Lynceon: a security and posture-monitoring product that consumes the Who Sees What access graph and scans code and metadata. See the Lynceon Product Schedule.
  • Clionyx: an AI documentation product that uses large language models (LLMs) to generate Salesforce documentation. The AI Features Addendum applies. See the Clionyx Product Schedule.
  • jobuna: a consumer-facing AI job-search product, which may be governed by its own consumer privacy notice rather than this umbrella policy.
  • Messigent: a messaging and marketing-automation platform that sends email and therefore implicates CAN-SPAM and CASL.

3. Information we collect

We collect the following categories of information, depending on the products and websites you use:

  • Account Data: data we hold about the Customer and Authorized Users for account, billing, security, and support purposes, such as login identifiers, organization identifiers, and contact details.
  • Usage and telemetry data: information about how the Service is accessed and used, such as feature usage, audit-history snapshots, preferences, log and diagnostic data, device and browser information, and approximate location derived from IP address.
  • Marketing and waitlist sign-ups: information you provide when you join a waitlist, request a demo, or subscribe to updates, together with technical metadata captured at submission, including your IP address and user-agent string.
  • Feedback and support submissions: information you provide when you send feedback through an in-app assistant or support widget, including the message you type and contextual metadata captured with it, such as your organization and user identifiers, the identifiers (not the contents) of any object or record you were auditing, the application version, the last client-side error, your IP address, and your user-agent string. To triage and respond to your submission, we may create an issue containing this context in our third-party issue-tracking system (GitHub); see Section 8.
  • Data read from connected services: where you connect a third-party platform organization (a “Connected Org,” such as a Salesforce production org or sandbox) to a Service via OAuth, we read data from that Connected Org to provide the Service. For products that audit access configuration (such as Who Sees What), this is primarily configuration, metadata, and access information (including the user directory: names, usernames, and profiles), rather than your underlying business records. The specific data each product reads is described in that product’s Product Schedule.

We do not intentionally collect special categories of Personal Data (such as health, biometric, or precise-location data) and do not seek them through the Service.

4. How we use information

We use the information we collect to:

  • provide, operate, maintain, and secure the Service and our websites;
  • authenticate Authorized Users and manage Connected Org connections;
  • perform the audits, scans, documentation, or other processing the Customer directs the Service to perform;
  • communicate with you about your account, security, support, and Service changes;
  • send marketing communications where permitted, and operate waitlists and sign-up flows;
  • monitor, troubleshoot, and improve the Service, including through Aggregated/De-identified Data;
  • detect, prevent, and respond to fraud, abuse, and security incidents; and
  • comply with our legal obligations and enforce our agreements.

We may create and use Aggregated/De-identified Data (data that has been aggregated or de-identified so that it no longer identifies, and cannot reasonably be used to identify, any individual or Customer) for any lawful business purpose.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Processing purposeLegal basis
Providing the Service and performing our contract with the CustomerPerformance of a contract (Art. 6(1)(b))
Account, billing, security, and supportPerformance of a contract; legitimate interests (Art. 6(1)(f))
Usage and telemetry, troubleshooting, and product improvementLegitimate interests in operating and improving the Service (Art. 6(1)(f))
Marketing communications and waitlist sign-upsConsent (Art. 6(1)(a)) where required, otherwise legitimate interests (Art. 6(1)(f))
Detecting and preventing fraud, abuse, and security incidentsLegitimate interests; legal obligation (Art. 6(1)(c))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

For Personal Data within a Connected Org that we process on a Customer’s behalf, the Customer (as Controller) is responsible for establishing the legal basis; we process it as a Processor on the Customer’s documented instructions (see Section 6).

6. Controller and processor roles

For most data we collect directly about the Customer and Authorized Users (Account Data, usage and telemetry, marketing and waitlist data), Digadop acts as a Controller: we determine the purposes and means of that processing.

For Personal Data within a Customer’s Connected Org that a Service reads and processes to perform an audit, scan, documentation, or similar task at the Customer’s direction, the Customer is the Controller and Digadop is the Processor (a “service provider” under the CCPA/CPRA). We process that Personal Data only on the Customer’s documented instructions, as set out in the Digadop Data Processing Addendum (the “DPA”). Customers whose Connected Orgs contain Personal Data subject to the GDPR, UK GDPR, or CCPA/CPRA should review and, where applicable, execute the DPA.

7. Cookies and similar technologies

Our Services and websites use cookies and similar technologies. For a description of the cookies we use, including the strictly-functional session and sign-in security cookies, and how to control them, see the Digadop Cookie Policy.

Our Stony Point training and marketing website at stonyp.com uses Google Analytics to understand how visitors use the site. Google Analytics sets non-essential analytics cookies and is loaded only after you consent through our cookie-consent banner; you can withdraw consent at any time. We enable IP anonymization and do not enable Google advertising or cross-site personalization features. See the Digadop Cookie Policy for the analytics cookies and consent controls.

8. Sharing and sub-processors

We do not sell your Personal Data, and we do not “share” it for cross-context behavioral advertising as those terms are used under the CCPA/CPRA.

We engage a limited set of trusted third parties (“Sub-processors”) to process Personal Data in connection with providing the Service, such as our cloud hosting provider. We require each Sub-processor to protect Personal Data under terms consistent with this policy and the DPA. The current list of Sub-processors is maintained on the Digadop Sub-processor List.

Where you send feedback or support submissions through an in-app assistant or support widget, the feedback context described in Section 3 may be transmitted to our issue-tracking provider (GitHub) so that we can triage and respond to it, as listed on the Digadop Sub-processor List.

For our AI products (for example, Clionyx), we engage AI model providers (currently Anthropic and OpenAI) as Sub-processors to provide AI features. These AI providers are not used by the Who Sees What Service, which applies deterministic analysis only and does not send Customer Data to any AI provider. The use of AI providers, and the data sent to them, is described in the relevant product’s documentation and the Digadop Sub-processor List.

For our stonyp.com marketing site, we use Google Analytics, and Google, LLC acts as our analytics service provider (processor), receiving site-usage data to provide the analytics service. We configure Google Analytics for analytics only (IP anonymization on; Google advertising and cross-site personalization features off), so this is not a “sale” or “share” of Personal Data for cross-context behavioral advertising under the CCPA/CPRA.

We may also disclose information: to comply with law or valid legal process; to protect the rights, property, or safety of Digadop, our Customers, or others; and in connection with a merger, acquisition, financing, or sale of assets, subject to the protections of this policy.

9. How we secure data

We maintain technical and organizational measures appropriate to the risk, which currently include:

  • encryption of stored credentials (for example, the Salesforce refresh token is encrypted with AWS Key Management Service (KMS));
  • encryption in transit using TLS;
  • tenant isolation using per-tenant Row-Level Security (RLS);
  • access controls limiting access to Personal Data to a need-to-know basis;
  • logging and monitoring; and
  • hosting with our cloud infrastructure provider in the United States (currently the AWS us-east-1 region, given as the present example).

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Data retention

We retain information for as long as needed for the purposes described in this policy, then delete or de-identify it. Specifically:

  • While your account is active: audit-history snapshots, preferences, and account and telemetry data are retained for as long as needed to provide the Service, or until you delete them sooner.
  • Connected Org credentials: the encrypted Salesforce refresh token is deleted immediately on sign-out or revocation.
  • After account closure or termination: all stored data, including backups, is deleted within a commercially reasonable period of closure.
  • Marketing and waitlist data: retained until you ask us to delete it.

We may retain Aggregated/De-identified Data and records we are required to keep by law beyond these periods.

11. International transfers

We are based in the United States and host data in the United States (AWS, us-east-1). For Personal Data subject to the GDPR or UK GDPR, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (and the Swiss addendum where applicable) as the transfer mechanism; these are incorporated into our Data Processing Addendum. Our hosting sub-processor (AWS) provides equivalent safeguards for onward transfers under its own Standard Contractual Clauses. You can request a copy of the relevant transfer terms at privacy@digadop.com.

12. Your rights

Depending on where you live, you may have rights over your Personal Data.

GDPR / UK GDPR. You may have the right to access, correct, delete, restrict, or object to our processing of your Personal Data; to data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority. Where we process Connected Org Personal Data as a Processor, please direct your request to the relevant Customer (the Controller); we will assist that Customer as required by the DPA.

CCPA / CPRA. If you are a California resident, you may have the right to know what Personal Information we collect, use, and disclose; to access and delete it; to correct inaccurate Personal Information; and to limit certain uses. We do not sell or share Personal Information, so no opt-out of sale or sharing is required. We will not discriminate against you for exercising your rights.

To exercise any right, contact us at privacy@digadop.com. We will verify your request as required by law before responding. You may use an authorized agent where the law permits.

13. Children

Our Services and websites are not directed to children, and we do not knowingly collect Personal Data from children. If you believe a child has provided us Personal Data, contact us at privacy@digadop.com and we will delete it.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the Effective Date above and, where appropriate, provide additional notice. Your continued use of the Service after an update takes effect constitutes acceptance of the updated policy.

15. Contact

Stony Point, Inc., doing business as Digadop 8742 Peachtree Park Ct, Windermere, FL 34786, USA Privacy contact / Data Protection Officer: Steve Wasula, privacy@digadop.com Legal notices: legal@digadop.com