← Back to Home

Privacy Policy

Last updated: December 13, 2025

1. Introduction

Welcome to Sleuthr. We are committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Google Workspace security auditing platform.

By using Sleuthr, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Information We Collect

2.1 Information You Provide

When you create an account and use Sleuthr, we collect:

  • Account Information: Name, email address, and company/organization name
  • Authentication Data: Credentials and authentication tokens managed through our authentication provider (Stytch)
  • Billing Information: Payment details processed securely through Stripe (we do not store complete credit card numbers)
  • Communications: Any messages, feedback, or support requests you send us

2.2 Google Workspace Data

With your explicit authorization via Google OAuth, we access and analyze:

  • File Metadata: Names, types, sizes, creation dates, and modification dates of files in your Google Workspace
  • Permission Data: Sharing settings, access levels, and permission grants for files and folders
  • User Information: Email addresses and names of users with access to shared files
  • Domain Settings: Organization-level security settings and policies

Important: We do not read, store, or analyze the actual content of your documents, spreadsheets, or other files. We only analyze file metadata and sharing permissions.

2.3 Automatically Collected Information

When you use our service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent on platform, and interaction patterns
  • Device Information: Browser type, operating system, IP address, and device identifiers
  • Cookies and Tracking: Session cookies for authentication and analytics cookies (see Section 7)
  • Log Data: Server logs including timestamps, error messages, and system events

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide security audits, identify permission risks, and generate compliance reports
  • Authentication: To verify your identity and maintain secure access to your account
  • Billing: To process payments, manage subscriptions, and send invoices
  • Improvements: To analyze usage patterns, improve features, and develop new functionality
  • Support: To respond to your questions, provide technical assistance, and resolve issues
  • Communications: To send service updates, security alerts, and important notifications
  • Security: To detect fraud, prevent abuse, and protect against security threats
  • Legal Compliance: To comply with legal obligations and enforce our terms

4. Data Storage and Security

4.1 Where We Store Data

Your data is stored using industry-leading cloud infrastructure:

  • Database: Supabase (PostgreSQL) with encryption at rest
  • Application Hosting: Vercel with edge network distribution
  • Authentication: Stytch for secure session management
  • Payment Processing: Stripe with PCI DSS Level 1 compliance

4.2 Security Measures

We implement comprehensive security measures including:

  • Encryption: TLS/SSL for data in transit, AES-256-GCM for sensitive data at rest (including OAuth tokens)
  • Multi-Tenant Isolation: Row-Level Security (RLS) policies ensure complete data isolation between organizations
  • Access Controls: Role-based permissions and principle of least privilege
  • Regular Audits: Security assessments and vulnerability scanning
  • Monitoring: Real-time security monitoring and incident response
  • Secure Development: Code reviews, automated security testing, and dependency scanning

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist us:

  • Stytch: Authentication and identity management
  • Supabase: Database hosting and infrastructure
  • Stripe: Payment processing and billing
  • Vercel: Application hosting and delivery
  • Google: OAuth authentication and Workspace API access

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal processes (subpoenas, court orders)
  • Requests from government or regulatory authorities
  • Protection of our rights, property, or safety, or that of our users
  • Investigation of fraud, security issues, or technical problems

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have.

6. Data Retention

We retain your information for as long as necessary to provide services and comply with legal obligations:

  • Account Data: Retained while your account is active and for 90 days after deletion
  • Audit Results: Retained according to your subscription plan and for compliance purposes
  • Billing Records: Retained for 7 years for tax and accounting purposes
  • Logs and Analytics: Retained for 90 days unless required for security investigations

When you delete your account, we will delete or anonymize your personal information within 90 days, except where retention is required by law.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to maintain sessions and improve user experience:

  • Essential Cookies: Required for authentication and core functionality (stytch_session)
  • Analytics Cookies: To understand usage patterns and improve our service
  • Preference Cookies: To remember your settings and preferences

You can control cookies through your browser settings, but disabling essential cookies may limit functionality.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

8.1 General Rights

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Portability: Export your audit data in a structured format
  • Objection: Object to certain processing activities
  • Restriction: Request limitation of data processing

8.2 GDPR Rights (EU/EEA Users)

If you are in the European Economic Area, you have additional rights under GDPR including the right to lodge a complaint with your local data protection authority.

8.3 CCPA Rights (California Residents)

California residents have specific rights under CCPA including the right to know what personal information is collected and the right to opt-out of the sale of personal information (note: we do not sell personal information).

8.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@sleuthr.com. We will respond to your request within 30 days.

9. Google OAuth and API Use

Sleuthr's use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

We request only the minimum necessary scopes to provide security auditing services. You can revoke our access at any time through your Google Account permissions page.

10. Children's Privacy

Sleuthr is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by the European Commission
  • Service providers certified under recognized data protection frameworks
  • Adequacy decisions by relevant data protection authorities

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • In-app notification upon your next login

Your continued use of Sleuthr after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Sleuthr

Email: privacy@sleuthr.com

Support: support@sleuthr.com

← Back to HomeView Terms of Service →