Privacy

Informativa sulla privacy.

In breve: l'app desktop salva tutto in locale e non invia mai dati all'esterno. Il pannello account e la newsletter raccolgono solo il minimo indispensabile per funzionare.

Ultimo aggiornamento: April 2026

Per motivi di accuratezza legale, al momento questa informativa è pubblicata solo in inglese. Navigazione e interfaccia seguono invece la lingua che hai scelto.

1. Who we are

Transflator is a product of CloudInfinity, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland ("we", "us", "the Processor"). For the purposes of the GDPR, CloudInfinity is the data controller of the personal data collected through the Transflator marketing site and web panel, and the data processor for any Salesforce metadata you translate using the Transflator desktop app.

For privacy questions, data access requests, or to exercise any of the rights below, write to hello@tucario.com.

2. What we collect, and where

Transflator has three components. They collect different things, for different reasons.

2.1 Desktop app

The desktop app is a native macOS and Windows application that runs entirely on your machine. It does not contain analytics, crash reporting, or telemetry of any kind.

Stored locally in Application Support:

  • · Salesforce OAuth refresh tokens, encrypted with AES-256-CBC. The encryption key sits in a separate file with chmod 600 permissions.
  • · Access tokens — held in process memory only, never written to disk.
  • · Your saved connection metadata: a human-readable label, environment type (production / sandbox), the org URL, and the timestamp of the last successful connection test.
  • · STF file payloads you import, any offline edits you make, and a local log of deployments you initiate.

None of this is ever sent to us. If you uninstall the app, delete the transflate.db file, or wipe the .enc_key file, the data is gone.

2.2 Account panel

The web panel at panel.transflator.com is where you buy AI credits, view your API token, and manage your account. It's a Firebase-hosted app that stores:

  • · Account data: email address, hashed password (via Firebase Auth), account creation timestamp, role, AI credit balance, credit renewal timestamp, onboarding state, preferred AI engine, and a user-generated API token.
  • · Billing data: Stripe session ID, payment intent ID, the amount paid, currency, and how many characters the purchase unlocks. Card details are handled by Stripe and never reach us.
  • · Translation history: the source strings you submit to the translation endpoint, the target language, and the resulting translations. This history is automatically erased at the end of each credit cycle (≤ 30 days).

2.3 This marketing website

The site you are reading is a static Astro build served from Cloudflare Pages. It does not use advertising trackers, session-replay tools, or third-party tag managers.

If you accept analytics cookies, we load PostHog to collect anonymous page-view and interaction events. PostHog does not receive your name, email, or any Salesforce data.

Cloudflare keeps standard edge access logs (IP address, user agent, requested URL, timestamp) as part of delivering the site to you.

The one place the site actively collects personal data is the newsletter form. If you enter your email there, it is submitted to a Cloudflare Pages Function which forwards it to CampaignLark with the single tag product:transflator.

3. Why we process this data (legal basis)

  • · Contract (Art. 6(1)(b) GDPR) — account data, billing data, translation history.
  • · Legal obligation (Art. 6(1)(c) GDPR) — billing data is retained for 5 years to meet Polish accounting and tax law.
  • · Consent (Art. 6(1)(a) GDPR) — the newsletter.
  • · Legitimate interest (Art. 6(1)(f) GDPR) — Cloudflare edge access logs, used solely for operational troubleshooting and abuse prevention.

4. Who else touches your data (sub-processors)

A sub-processor is a third party that processes your personal data on our behalf. Naming them here is a legal requirement under GDPR Art. 28 and also how we think it should work.

Sub-processor Purpose Location Transfer mechanism
Google LLC (Firebase) Authentication, Firestore database, Hosting, Cloud Functions for the account panel EU / US multi-region Standard Contractual Clauses (SCCs)
Google LLC (Gemini API) AI translation engine — only when you choose Gemini as your engine US / EU SCCs
Anthropic, PBC (Claude) AI translation engine — only when you choose Claude as your engine US SCCs
Mistral AI AI translation engine — only when you choose Mistral as your engine France (EU) Intra-EEA, no transfer mechanism required
DeepSeek AI translation engine — only when you choose DeepSeek as your engine non-EEA SCCs
Stripe, Inc. Payment processing for AI credit top-ups US / IE SCCs
Maileroo Transactional email delivery (email verification, password reset, receipts) EU Intra-EEA
CampaignLark (Maileroo) Newsletter delivery — only if you opt in to the newsletter on this site EU Intra-EEA
Cloudflare, Inc. Marketing website hosting (Cloudflare Pages), DNS, edge TLS Global anycast SCCs
PostHog, Inc. Product analytics on the marketing website — page views and interaction events. Only loaded after you accept analytics cookies. EU (eu.i.posthog.com) SCCs

5. International transfers

Some of the sub-processors above are located outside the European Economic Area. Where that is the case, we rely on Standard Contractual Clauses (SCCs).

6. How long we keep your data (retention)

  • · Account data — for the lifetime of your account.
  • · Translation history — deleted automatically at the end of each credit renewal cycle.
  • · Billing data — retained for 5 years after the transaction.
  • · Newsletter email — retained as long as you remain subscribed.
  • · Cloudflare access logs — retained per Cloudflare's default retention policy.

7. Your rights under the GDPR

You have, at any time, the right to access, rectification, erasure, restriction, data portability, objection, and complaint.

8. Security

  • · All external traffic is over TLS 1.2+.
  • · Salesforce refresh tokens on disk are encrypted with AES-256-CBC.
  • · OAuth with Salesforce uses PKCE (S256).
  • · Firestore collections are protected by role-based security rules.
  • · Firestore and Firebase Storage are encrypted at rest by Google Cloud.
  • · No analytics SDKs, session replay, or third-party tag managers run on any part of the product.

9. Data breach notification

If a personal data breach occurs and it is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours.

10. Children

Transflator is a professional B2B tool for Salesforce administrators. It is not directed at anyone under 16.

11. Changes to this policy

If we change how we process your data in a material way, we update this page and the "Last updated" date above.

12. Cookies and local storage

Name Type Purpose Expiry
tucario-analytics-consent localStorage Stores your cookie preference so the banner does not reappear. Persistent (until cleared)
ph_* localStorage + cookie PostHog analytics tokens. Only set if you accept analytics cookies. 1 year

Manage your cookie choice

You can change your decision about product analytics at any time. Clicking the button below clears your stored choice and reopens the cookie banner.

13. Contact

Privacy questions, data access, correction, erasure, or portability requests:

hello@tucario.com
CloudInfinity (sole proprietorship)
Poland