Privacy Policy

Placeholder. This page is the structural shell. The actual policy content is being finalized by the operator and will be published before the public launch.

What we collect

When you sign in with Google, we receive your email address, name, and profile photo URL. We request the drive.file OAuth scope, which limits our access to only the files our app creates or opens for you — we cannot see any other file in your Google Drive.

How we use it

We use your Google identity to coordinate audit-project workflows (task assignment, status transitions, comments) and to upload evidence files into a folder structure inside your own Google Drive. The files themselves never leave your Drive — they are never copied to our servers.

How we store it

User profile data and project workflow state lives in our Supabase Postgres database with row-level security enforcing per-engagement isolation. OAuth refresh tokens are encrypted at rest using AES-256-GCM with a key managed separately from the database.

Sharing

We do not sell, rent, or share your OAuth tokens, file content, or identifying information with any third party. Aggregated, anonymized usage metrics may be reviewed internally for product improvement.

Your rights

You can revoke our access at any time from your Google Account permissions page. You can request a copy of your stored data or its deletion by emailing us at the address below.

Contact

For privacy questions, contact: (operator: add email).