Front Matter
| Field | Value |
|---|---|
| Document type | Public Privacy Policy |
| Company | The Computer Work Company, Inc. |
| Domain | thecomputerworkcompany.com |
| Last updated | June 26, 2026 |
| Privacy contact | privacy@thecomputerworkcompany.com |
| Mailing address | 2632D Hyde Street, San Francisco, CA 94109 |
This Privacy Policy explains how The Computer Work Company, Inc. ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects information when users connect Google Workspace accounts to our service.
1. Scope And Definitions
1.1 Scope
This Privacy Policy applies to the Company's service where users connect Google Workspace accounts, sign in, or direct the service to perform user-requested workflows or agent actions.
1.2 Defined Terms
For purposes of this Privacy Policy:
(a) "Google Workspace Data" means data from Google Workspace services that a user authorizes the service to access, including Gmail, Google Drive, Google Calendar, Google Docs, Google Sheets, Google Slides, and related Google account data.
(b) "Privacy Mode" means the desktop application setting that, where available, disables automatic completed-turn uploads described in Section 6.3.
(c) "Service" means the Company's connected-account, desktop, web, online, and related services.
(d) "User" means a person who accesses or uses the Service.
2. Information We Collect
2.1 Collection Triggers
We collect account and workspace information only when a user connects an account, signs in, or directs the Service to perform an action.
2.2 Account Information
Account information may include name, email address, profile image, account identifier, organization or workspace metadata, authentication status, and connected-account identifiers.
2.3 Google Workspace Information
Google Workspace information may include the following information when needed to perform user-directed actions:
(a) Gmail: message IDs, thread IDs, labels, headers, recipients, senders, subject lines, timestamps, message bodies, attachments, draft content, and mailbox state needed to search, read, draft, send, label, archive, trash, or otherwise modify messages at the user's direction.
(b) Google Drive: file and folder IDs, names, metadata, permissions visible to the user, file contents, exported file contents, comments, and file changes needed to search, read, create, update, organize, copy, export, download, or manage files at the user's direction.
(c) Google Calendar: calendar IDs, event IDs, attendees, titles, descriptions, locations, conference details, reminders, free/busy information, timestamps, and event metadata needed to read availability and create, update, respond to, or delete events at the user's direction.
(d) Google Docs: document IDs, text, structure, tables, comments, paragraph ranges, and edits needed to read or update documents at the user's direction.
(e) Google Sheets: spreadsheet IDs, sheet metadata, cell values, formulas, comments, and range updates needed to read, search, duplicate, create, or update spreadsheets at the user's direction.
(f) Google Slides: presentation IDs, slide IDs, speaker notes or text content, thumbnails, tables, comments, and presentation edits needed to read, create, copy, or update presentations at the user's direction.
2.4 Operational Information
We may also collect operational information such as device/browser metadata, request metadata, IP address, approximate location derived from IP address, connection status, error status, audit events, product analytics events, masked session recordings, completed-turn records where Privacy Mode is not enabled, and security logs.
3. How We Use Information
3.1 Use Purposes
We use information to:
(a) authenticate users and maintain connected accounts;
(b) run user-directed workflows and agent actions;
(c) search, read, summarize, draft, send, create, update, organize, or delete Google Workspace content when requested by the user;
(d) show connected accounts, connection status, and account metadata;
(e) understand approximate user location for security, diagnostics, abuse prevention, localization, and product analytics;
(f) troubleshoot, secure, monitor, and improve the Service; and
(g) comply with law, security requirements, and our agreements.
3.2 Google Workspace Restrictions
We do not use Google Workspace Data for advertising. We do not sell Google Workspace Data. We do not use Google Workspace Data to train generalized AI or machine learning models unrelated to the user's requested workflow.
4. Google API Services User Data Policy
4.1 Limited Use Compliance
Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
4.2 User-Facing Feature Limitation
Google Workspace Data is used only to provide or improve user-facing features that are prominent in the Service. We do not transfer Google Workspace Data except as needed to provide the Service, comply with law, protect security, or with the user's direction or consent.
5. AI Processing
5.1 User-Directed Processing
When a user asks the Service to analyze, summarize, draft, transform, or act on Google Workspace content, relevant content may be sent to AI model providers or infrastructure processors solely to complete that user-directed request.
5.2 Processor Restrictions
We require processors, through applicable agreements or service terms where applicable, to handle data under confidentiality, security, and use restrictions appropriate to their role. We do not permit processors to use Google Workspace Data for advertising or unrelated model training.
6. Product Analytics, Session Recordings, Debug Traces, And Privacy Mode
6.1 Product Analytics And Diagnostics
We use product analytics and diagnostic tools to understand service reliability, errors, and product usage. These tools may collect account identifiers, email address, device/application metadata, page or action events, error reports, request metadata, IP address, approximate location derived from IP address, and usage metadata.
6.2 Masked Session Recordings
We may use masked session recordings to troubleshoot product behavior and improve the Service. Session recordings are configured to mask visible text as *****, so Google Workspace content, prompts, and other user-visible text should not be readable in recordings. Session recordings may still show non-text interaction metadata such as clicks, navigation, timing, layout, and masked input activity.
6.3 Completed-Turn Records
Unless Privacy Mode is enabled, the desktop application may automatically upload completed-turn records to our account API for reliability, support, abuse prevention, product improvement, and diagnostic review. Completed-turn records may include thread identifiers, turn identifiers, app version, release channel, status and timing metadata, and the turn content or items associated with the interaction. Completed-turn records are stored in private Google Cloud Storage used for completed-turn trace storage.
6.4 Privacy Mode
Where available in the desktop application's settings, Privacy Mode disables the automatic completed-turn upload described in Section 6.3. Privacy Mode does not disable user-directed processing needed to operate requested features, including sign-in, account and organization services, connected-account APIs, AI model providers, payment or account services, product telemetry, masked session recordings, error reporting, or debug traces and bug reports that a user or operator affirmatively submits for support.
6.5 Debug Traces And Bug Reports
Users or operators may submit debug traces or bug reports for support or security troubleshooting. Debug traces and bug reports are stored through private support and diagnostic infrastructure, currently including Cloudflare R2 through our trace-ingest workflow, with access limited to authorized personnel. We retain debug traces only as long as needed to investigate the related support or security issue, unless a longer period is required for legal, security, or compliance reasons.
7. Subprocessors And Infrastructure Providers
7.1 Provider Use
We use subprocessors and infrastructure providers to operate the Service, connect user-authorized Google Workspace accounts, process user-directed workflows, monitor reliability, and handle support or security operations.
7.2 Provider Table
The providers, purposes, and data categories are listed in Schedule A.
7.3 Sharing Limitation
Google Workspace Data is shared with these providers only as needed to provide, secure, troubleshoot, or support user-facing features; comply with law; or follow the user's direction.
8. OAuth Tokens And Connected Accounts
8.1 Token Storage And Use
When users connect Google accounts, OAuth tokens are stored and managed by our OAuth/integration infrastructure and related processors. Tokens are used to access Google APIs only for user-authorized scopes and user-directed workflows.
8.2 Disconnection And Revocation
Users can disconnect connected accounts, which disables future access through the Service. Users may also revoke access directly from their Google Account security settings.
9. Storage And Retention
9.1 General Retention Standard
We retain account, connection, workflow, audit, analytics, diagnostic, and operational records for as long as needed to provide the Service, secure the Service, comply with legal obligations, resolve disputes, and enforce agreements.
9.2 Google Workspace Content
Google Workspace content is processed for user-directed workflows and is not intentionally retained on our servers as workflow output, except where included in completed-turn records when Privacy Mode is not enabled, user- or operator-submitted debug traces, bug reports, support records, security records, or other records described in this Privacy Policy. User-visible outputs are stored locally on the user's computer where applicable. We may retain limited operational, security, diagnostic, analytics, and audit metadata needed to run and secure the Service.
9.3 Default Retention Targets
Default retention targets are listed in Schedule B.
10. Sharing
10.1 Categories Of Recipients
We may share information with:
(a) infrastructure providers that host, secure, monitor, or process the Service;
(b) OAuth and integration providers used to connect Google Workspace;
(c) AI/model providers used for user-directed features;
(d) support and security vendors;
(e) professional advisors;
(f) authorities when required by law or necessary to protect rights, users, or security; and
(g) third parties in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate protections.
10.2 No Sale
We do not sell personal information or Google Workspace Data.
11. Security
11.1 Safeguards
We use administrative, technical, and organizational safeguards designed to protect user data, including encryption in transit, access controls designed to limit production access to authorized personnel, secrets management, logging, monitoring, and vulnerability management processes.
11.2 Security Limitation
No system is perfectly secure, but we work to prevent unauthorized access, disclosure, alteration, or destruction of user data.
12. User Controls
12.1 Available Controls
Users may:
(a) connect or disconnect Google accounts;
(b) enable Privacy Mode where available to prevent automatic completed-turn uploads;
(c) revoke OAuth access in their Google Account settings;
(d) delete workflows, outputs, or account data where supported; and
(e) request access, correction, deletion, or export of personal information by contacting us.
12.2 Limited Record Retention
We may need to retain limited records where required for security, legal compliance, dispute resolution, or backup integrity.
13. Children
13.1 Child Privacy
The Service is not intended for children under 13 or the minimum age required by applicable law. We do not knowingly collect personal information from children.
14. International Transfers
14.1 Transfer Locations And Safeguards
Information may be processed in the United States and other countries where we or our subprocessors operate. Where required by law, we use transfer safeguards reflected in applicable contracts, data-processing terms, or other approved transfer mechanisms.
15. Changes
15.1 Policy Updates
We may update this Privacy Policy from time to time. If changes are material, we will provide notice as required by law or through the Service.
16. Contact Us
16.1 Privacy Requests
Questions or requests may be sent to privacy@thecomputerworkcompany.com.
Schedule A — Subprocessors And Infrastructure Providers
| Provider | Purpose | Data processed |
|---|---|---|
| Google Cloud Platform | Hosting, database, completed-turn trace storage where Privacy Mode is not enabled, secret management, build/deployment, operational logging, diagnostic storage where applicable, and infrastructure security. | Account metadata, connection metadata, service logs, configuration, secrets, completed-turn records, diagnostic records, bug reports where applicable, and operational records. |
| Google Workspace APIs | User-authorized source and destination for connected-account actions. | Gmail, Drive, Calendar, Docs, Sheets, Slides, and related Google account data that the user authorizes and directs the service to access. |
| Self-hosted Nango integration infrastructure | OAuth connection flow, token management, provider API proxying, and connection lifecycle management, operated by us on our infrastructure. | OAuth tokens, connection metadata, provider request metadata, and Google Workspace data transmitted for user-directed actions. |
| PostHog | Product telemetry, masked session recordings, error reporting, approximate location analytics, and operational diagnostics. | Account identifiers, email address, IP address, approximate location derived from IP address, device/application metadata, page/action events, masked session recordings, error reports, and usage metadata. |
| Cloudflare | Worker and R2 infrastructure for debug trace and bug report ingestion/storage, and release or support infrastructure where applicable. | Debug traces, bug reports, related operational/support records, and release/support metadata where applicable. |
| OpenAI | User-directed AI processing when selected or routed through a user-authorized ChatGPT/OpenAI path. | User prompts, AI responses, and selected Google Workspace content needed to complete the user's requested workflow. |
| Anthropic | User-directed AI processing when enabled or routed through Anthropic APIs. | User prompts, AI responses, and selected Google Workspace content needed to complete the user's requested workflow. |
| Stripe | Billing, subscription, checkout, invoice, and payment processing. | Billing contact information, subscription metadata, payment metadata, and related commercial records. |
| GitHub | Source control, CI/CD, code review, release/deployment metadata, and security/remediation evidence. | Developer account data, code/change metadata, CI logs, workflow metadata, and repository/security evidence. |
| Vanta | Security, privacy, risk, vendor, policy, access review, and audit-readiness evidence management. | Compliance evidence, owner assignments, access/vendor/risk metadata, audit records, and related business contact information. |
Schedule B — Default Retention Targets
| Record category | Default retention target |
|---|---|
| OAuth connection records and credentials | Retained while the account remains connected and deleted or disabled when the user disconnects the account, subject to limited security, audit, backup, and provider deletion windows. |
| Workflow logs, completed-turn records, and metadata | Retained for the period needed to operate, secure, troubleshoot, and improve the Service. Privacy Mode disables automatic completed-turn uploads where that setting is available. |
| User-visible workflow outputs | Stored on the user's computer and controlled or deleted by the user locally. |
| Session recordings and product analytics | Retained only for operational, diagnostic, security, and product-improvement purposes according to our analytics retention settings. |
| Security logs | Retained for security, abuse prevention, incident response, and audit purposes. |
| Debug traces and bug reports | Retained only as long as needed to investigate the related support or security issue, unless a longer period is required for legal, security, or compliance reasons. |
| Backups | Retained according to backup and disaster recovery practices. |