The Computer Work Company

Privacy Policy

Last updated: June 26, 2026

Front Matter

FieldValue
Document typePublic Privacy Policy
CompanyThe Computer Work Company, Inc.
Domainthecomputerworkcompany.com
Last updatedJune 26, 2026
Privacy contactprivacy@thecomputerworkcompany.com
Mailing address2632D Hyde Street, San Francisco, CA 94109

This Privacy Policy explains how The Computer Work Company, Inc. ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects information when users connect Google Workspace accounts to our service.

1. Scope And Definitions

1.1 Scope

This Privacy Policy applies to the Company's service where users connect Google Workspace accounts, sign in, or direct the service to perform user-requested workflows or agent actions.

1.2 Defined Terms

For purposes of this Privacy Policy:

(a) "Google Workspace Data" means data from Google Workspace services that a user authorizes the service to access, including Gmail, Google Drive, Google Calendar, Google Docs, Google Sheets, Google Slides, and related Google account data.

(b) "Privacy Mode" means the desktop application setting that, where available, disables automatic completed-turn uploads described in Section 6.3.

(c) "Service" means the Company's connected-account, desktop, web, online, and related services.

(d) "User" means a person who accesses or uses the Service.

2. Information We Collect

2.1 Collection Triggers

We collect account and workspace information only when a user connects an account, signs in, or directs the Service to perform an action.

2.2 Account Information

Account information may include name, email address, profile image, account identifier, organization or workspace metadata, authentication status, and connected-account identifiers.

2.3 Google Workspace Information

Google Workspace information may include the following information when needed to perform user-directed actions:

(a) Gmail: message IDs, thread IDs, labels, headers, recipients, senders, subject lines, timestamps, message bodies, attachments, draft content, and mailbox state needed to search, read, draft, send, label, archive, trash, or otherwise modify messages at the user's direction.

(b) Google Drive: file and folder IDs, names, metadata, permissions visible to the user, file contents, exported file contents, comments, and file changes needed to search, read, create, update, organize, copy, export, download, or manage files at the user's direction.

(c) Google Calendar: calendar IDs, event IDs, attendees, titles, descriptions, locations, conference details, reminders, free/busy information, timestamps, and event metadata needed to read availability and create, update, respond to, or delete events at the user's direction.

(d) Google Docs: document IDs, text, structure, tables, comments, paragraph ranges, and edits needed to read or update documents at the user's direction.

(e) Google Sheets: spreadsheet IDs, sheet metadata, cell values, formulas, comments, and range updates needed to read, search, duplicate, create, or update spreadsheets at the user's direction.

(f) Google Slides: presentation IDs, slide IDs, speaker notes or text content, thumbnails, tables, comments, and presentation edits needed to read, create, copy, or update presentations at the user's direction.

2.4 Operational Information

We may also collect operational information such as device/browser metadata, request metadata, IP address, approximate location derived from IP address, connection status, error status, audit events, product analytics events, masked session recordings, completed-turn records where Privacy Mode is not enabled, and security logs.

3. How We Use Information

3.1 Use Purposes

We use information to:

(a) authenticate users and maintain connected accounts;

(b) run user-directed workflows and agent actions;

(c) search, read, summarize, draft, send, create, update, organize, or delete Google Workspace content when requested by the user;

(d) show connected accounts, connection status, and account metadata;

(e) understand approximate user location for security, diagnostics, abuse prevention, localization, and product analytics;

(f) troubleshoot, secure, monitor, and improve the Service; and

(g) comply with law, security requirements, and our agreements.

3.2 Google Workspace Restrictions

We do not use Google Workspace Data for advertising. We do not sell Google Workspace Data. We do not use Google Workspace Data to train generalized AI or machine learning models unrelated to the user's requested workflow.

4. Google API Services User Data Policy

4.1 Limited Use Compliance

Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

4.2 User-Facing Feature Limitation

Google Workspace Data is used only to provide or improve user-facing features that are prominent in the Service. We do not transfer Google Workspace Data except as needed to provide the Service, comply with law, protect security, or with the user's direction or consent.

5. AI Processing

5.1 User-Directed Processing

When a user asks the Service to analyze, summarize, draft, transform, or act on Google Workspace content, relevant content may be sent to AI model providers or infrastructure processors solely to complete that user-directed request.

5.2 Processor Restrictions

We require processors, through applicable agreements or service terms where applicable, to handle data under confidentiality, security, and use restrictions appropriate to their role. We do not permit processors to use Google Workspace Data for advertising or unrelated model training.

6. Product Analytics, Session Recordings, Debug Traces, And Privacy Mode

6.1 Product Analytics And Diagnostics

We use product analytics and diagnostic tools to understand service reliability, errors, and product usage. These tools may collect account identifiers, email address, device/application metadata, page or action events, error reports, request metadata, IP address, approximate location derived from IP address, and usage metadata.

6.2 Masked Session Recordings

We may use masked session recordings to troubleshoot product behavior and improve the Service. Session recordings are configured to mask visible text as *****, so Google Workspace content, prompts, and other user-visible text should not be readable in recordings. Session recordings may still show non-text interaction metadata such as clicks, navigation, timing, layout, and masked input activity.

6.3 Completed-Turn Records

Unless Privacy Mode is enabled, the desktop application may automatically upload completed-turn records to our account API for reliability, support, abuse prevention, product improvement, and diagnostic review. Completed-turn records may include thread identifiers, turn identifiers, app version, release channel, status and timing metadata, and the turn content or items associated with the interaction. Completed-turn records are stored in private Google Cloud Storage used for completed-turn trace storage.

6.4 Privacy Mode

Where available in the desktop application's settings, Privacy Mode disables the automatic completed-turn upload described in Section 6.3. Privacy Mode does not disable user-directed processing needed to operate requested features, including sign-in, account and organization services, connected-account APIs, AI model providers, payment or account services, product telemetry, masked session recordings, error reporting, or debug traces and bug reports that a user or operator affirmatively submits for support.

6.5 Debug Traces And Bug Reports

Users or operators may submit debug traces or bug reports for support or security troubleshooting. Debug traces and bug reports are stored through private support and diagnostic infrastructure, currently including Cloudflare R2 through our trace-ingest workflow, with access limited to authorized personnel. We retain debug traces only as long as needed to investigate the related support or security issue, unless a longer period is required for legal, security, or compliance reasons.

7. Subprocessors And Infrastructure Providers

7.1 Provider Use

We use subprocessors and infrastructure providers to operate the Service, connect user-authorized Google Workspace accounts, process user-directed workflows, monitor reliability, and handle support or security operations.

7.2 Provider Table

The providers, purposes, and data categories are listed in Schedule A.

7.3 Sharing Limitation

Google Workspace Data is shared with these providers only as needed to provide, secure, troubleshoot, or support user-facing features; comply with law; or follow the user's direction.

8. OAuth Tokens And Connected Accounts

8.1 Token Storage And Use

When users connect Google accounts, OAuth tokens are stored and managed by our OAuth/integration infrastructure and related processors. Tokens are used to access Google APIs only for user-authorized scopes and user-directed workflows.

8.2 Disconnection And Revocation

Users can disconnect connected accounts, which disables future access through the Service. Users may also revoke access directly from their Google Account security settings.

9. Storage And Retention

9.1 General Retention Standard

We retain account, connection, workflow, audit, analytics, diagnostic, and operational records for as long as needed to provide the Service, secure the Service, comply with legal obligations, resolve disputes, and enforce agreements.

9.2 Google Workspace Content

Google Workspace content is processed for user-directed workflows and is not intentionally retained on our servers as workflow output, except where included in completed-turn records when Privacy Mode is not enabled, user- or operator-submitted debug traces, bug reports, support records, security records, or other records described in this Privacy Policy. User-visible outputs are stored locally on the user's computer where applicable. We may retain limited operational, security, diagnostic, analytics, and audit metadata needed to run and secure the Service.

9.3 Default Retention Targets

Default retention targets are listed in Schedule B.

10. Sharing

10.1 Categories Of Recipients

We may share information with:

(a) infrastructure providers that host, secure, monitor, or process the Service;

(b) OAuth and integration providers used to connect Google Workspace;

(c) AI/model providers used for user-directed features;

(d) support and security vendors;

(e) professional advisors;

(f) authorities when required by law or necessary to protect rights, users, or security; and

(g) third parties in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate protections.

10.2 No Sale

We do not sell personal information or Google Workspace Data.

11. Security

11.1 Safeguards

We use administrative, technical, and organizational safeguards designed to protect user data, including encryption in transit, access controls designed to limit production access to authorized personnel, secrets management, logging, monitoring, and vulnerability management processes.

11.2 Security Limitation

No system is perfectly secure, but we work to prevent unauthorized access, disclosure, alteration, or destruction of user data.

12. User Controls

12.1 Available Controls

Users may:

(a) connect or disconnect Google accounts;

(b) enable Privacy Mode where available to prevent automatic completed-turn uploads;

(c) revoke OAuth access in their Google Account settings;

(d) delete workflows, outputs, or account data where supported; and

(e) request access, correction, deletion, or export of personal information by contacting us.

12.2 Limited Record Retention

We may need to retain limited records where required for security, legal compliance, dispute resolution, or backup integrity.

13. Children

13.1 Child Privacy

The Service is not intended for children under 13 or the minimum age required by applicable law. We do not knowingly collect personal information from children.

14. International Transfers

14.1 Transfer Locations And Safeguards

Information may be processed in the United States and other countries where we or our subprocessors operate. Where required by law, we use transfer safeguards reflected in applicable contracts, data-processing terms, or other approved transfer mechanisms.

15. Changes

15.1 Policy Updates

We may update this Privacy Policy from time to time. If changes are material, we will provide notice as required by law or through the Service.

16. Contact Us

16.1 Privacy Requests

Questions or requests may be sent to privacy@thecomputerworkcompany.com.

Schedule A — Subprocessors And Infrastructure Providers

ProviderPurposeData processed
Google Cloud PlatformHosting, database, completed-turn trace storage where Privacy Mode is not enabled, secret management, build/deployment, operational logging, diagnostic storage where applicable, and infrastructure security.Account metadata, connection metadata, service logs, configuration, secrets, completed-turn records, diagnostic records, bug reports where applicable, and operational records.
Google Workspace APIsUser-authorized source and destination for connected-account actions.Gmail, Drive, Calendar, Docs, Sheets, Slides, and related Google account data that the user authorizes and directs the service to access.
Self-hosted Nango integration infrastructureOAuth connection flow, token management, provider API proxying, and connection lifecycle management, operated by us on our infrastructure.OAuth tokens, connection metadata, provider request metadata, and Google Workspace data transmitted for user-directed actions.
PostHogProduct telemetry, masked session recordings, error reporting, approximate location analytics, and operational diagnostics.Account identifiers, email address, IP address, approximate location derived from IP address, device/application metadata, page/action events, masked session recordings, error reports, and usage metadata.
CloudflareWorker and R2 infrastructure for debug trace and bug report ingestion/storage, and release or support infrastructure where applicable.Debug traces, bug reports, related operational/support records, and release/support metadata where applicable.
OpenAIUser-directed AI processing when selected or routed through a user-authorized ChatGPT/OpenAI path.User prompts, AI responses, and selected Google Workspace content needed to complete the user's requested workflow.
AnthropicUser-directed AI processing when enabled or routed through Anthropic APIs.User prompts, AI responses, and selected Google Workspace content needed to complete the user's requested workflow.
StripeBilling, subscription, checkout, invoice, and payment processing.Billing contact information, subscription metadata, payment metadata, and related commercial records.
GitHubSource control, CI/CD, code review, release/deployment metadata, and security/remediation evidence.Developer account data, code/change metadata, CI logs, workflow metadata, and repository/security evidence.
VantaSecurity, privacy, risk, vendor, policy, access review, and audit-readiness evidence management.Compliance evidence, owner assignments, access/vendor/risk metadata, audit records, and related business contact information.

Schedule B — Default Retention Targets

Record categoryDefault retention target
OAuth connection records and credentialsRetained while the account remains connected and deleted or disabled when the user disconnects the account, subject to limited security, audit, backup, and provider deletion windows.
Workflow logs, completed-turn records, and metadataRetained for the period needed to operate, secure, troubleshoot, and improve the Service. Privacy Mode disables automatic completed-turn uploads where that setting is available.
User-visible workflow outputsStored on the user's computer and controlled or deleted by the user locally.
Session recordings and product analyticsRetained only for operational, diagnostic, security, and product-improvement purposes according to our analytics retention settings.
Security logsRetained for security, abuse prevention, incident response, and audit purposes.
Debug traces and bug reportsRetained only as long as needed to investigate the related support or security issue, unless a longer period is required for legal, security, or compliance reasons.
BackupsRetained according to backup and disaster recovery practices.