This kind of privacy issues are very well taken care of by the Salesforce team. Here is the solution they implemented to overcome privacy issues like this:

Salesforce allows to configure “Remote site settings”, that basically control where our application can send requests. Think of it as a security guard that stands near the only way out. It controls where the data leaves from your organization.

Here is what “Remote site settings” look like:

Salesforce Remote site settings

Unless our applications sends its data to one of these sites, Remote site settings won’t let it. And you are in charge of editing those settings.

Notice the “GoogleAnalytics” site. This is the only setting we will ask you to add there — so that our app can send updates to your Google Analytics account.

Bottom line is, thanks to Salesforce design, it’s technically impossible for us to access private information in your organization.