Privacy Policy

Welcome to CloudAI Workflow ("we," "our," or "us"). We provide a workforce management platform for organizations to manage attendance, workflows, and payroll (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access our Service. By using the Service, you consent to the data practices described in this policy.

Note for End Users: If you use CloudAI Workflow as an employee or contractor of an organization, that organization is the "Data Controller" of your information, and we act as a "Data Processor." Please direct privacy questions to your organization's administrator.

• Account data: name, email, organization details, role, and authentication metadata.
• Location Data: precise or approximate location information, including background location data if you enable features like journey tracking or geofenced attendance.
• Usage data: app interactions, device information, logs, diagnostic events, and time spent on pages while the app/tab is active (measured using focus and visibility signals, not keystrokes).
• Content: forms, workflows, attachments, and comments you or your team submit.
• Google account data (if you connect one): the rows of any Google Sheets you explicitly connect, basic metadata about those sheets (file ID, title, sheet/tab names), and the OAuth tokens needed to read or update them. See the Google User Data section below for the full disclosure.
• Cookies: essential cookies for authentication, plus optional analytics/preferences.

• Provide and secure access to the platform, including authentication and fraud prevention.
• Operate features such as attendance, workflows, notifications, and performance reporting.
• Verify your physical presence for attendance (clock-in/out) at designated locations.
• Track and record your work-related journeys (including while the app is in the background) if required by your organization.
• Improve reliability and user experience through analytics and diagnostics, including understanding how long users actively spend on specific pages to prioritize performance and UX fixes.
• Communicate about updates, product changes, and support requests.

When you connect a Google account to CloudAI Workflow (for example, to sync data with Google Sheets), we receive specific information from Google's APIs based on the OAuth scopes you grant. This section explains exactly what we receive, how we use it, and how you can revoke access.

Scopes we may request

• Google Drive (per-file)

  What Google asks: See, edit, create, and delete only the specific Google Drive files you use with this app

  Why we need it: We use this scope to access only the spreadsheets you explicitly select with the Google Picker. We cannot see any other file in your Drive. This is the most privacy-preserving Drive scope and is non-sensitive in Google's classification.

  How we handle the data: No content is stored from this scope alone, it gates access to the spreadsheets used by the Sheets API scope below.

• Google Sheets

  What Google asks: See, edit, create, and delete your spreadsheets in Google Drive

  Why we need it: We use this scope to read rows from the sheets you connect, push back changes you make in our editor, and append rows when you submit forms that are mapped to a sheet. We never modify sheets you have not explicitly connected through the Google Picker.

  How we handle the data: Sheet contents you connect are mirrored into our sheet_cache table to power offline reads and the in-app data editor. When you disconnect a sheet, the corresponding cached rows are purged within 24 hours.

Limited Use

Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we do not do with Google user data

• We do not sell or rent your Google user data to anyone.
• We do not use Google user data to train generalized or third-party machine-learning models.
• We do not transfer Google user data for advertising, retargeting, or audience-building purposes.
• We do not allow humans to read your Google user data, except (a) with your explicit consent for a specific support request, (b) where strictly necessary for security or legal compliance, or (c) where the data has been aggregated and anonymized for internal reliability work.

Retention and deletion

Sheet contents fetched under the scopes above are mirrored into our internal cache so the in-app data editor and workflow triggers can read them. When you disconnect a Google account or remove a sheet from CloudAI Workflow, the cached rows for the affected connections are purged within 24 hours. Disconnecting from inside CloudAI Workflow also calls Google's revocation endpoint so the underlying token is invalidated on Google's side, not just on ours.

You can also revoke CloudAI Workflow's access at any time directly from your Google account at myaccount.google.com/permissions. Doing so will stop further reads or writes from our side; we will purge the corresponding cached rows on the next sync attempt or within 24 hours of the next health check, whichever is sooner.

Requesting deletion

To request deletion of any data we received from Google APIs, email [email protected]. We aim to action verified requests within 30 days. Note that deleting data from CloudAI Workflow does not delete anything from your Google account itself.

We apply encryption in transit and at rest, role-based access, and audit logging. Access to production data is limited to authorized personnel following least-privilege principles.

If you require custom data residency, backups, or retention controls, please contact us so we can tailor the configuration.

Depending on your region, you may have rights to access, correct, delete, or export personal data. You can also object to certain processing or withdraw consent where applicable.

To exercise these rights, email [email protected].

We use essential cookies to maintain your session. Where enabled, we may use analytics and preference cookies. You can manage these choices in the cookie banner or your browser settings.

If you opt into analytics, we measure active time spent on pages using browser focus and visibility signals (pausing when tabs are hidden or the browser is closed). This helps us understand feature adoption and improve the experience without recording keystrokes or screen content. You can change your consent anytime from privacy choices.

We use trusted third-party service providers to help us operate our Service. These providers may have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

• Google Cloud Platform (GCP): Hosting, computing, and logging infrastructure.
• Google APIs (Drive & Sheets): When you connect a Google account, we exchange data with Google's Drive and Sheets APIs on your behalf to read and update the spreadsheets you have explicitly connected. See the dedicated Google User Data section for the full disclosure.
• Supabase: Database hosting, authentication, and file storage.
• Stripe: Payment processing and subscription management.
• PostHog (Optional): Product analytics and feature usage tracking.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

For End Users, we retain data in accordance with the instructions of the Data Controller (your organization). Upon termination of an organization's account, data is typically deleted within 90 days, unless a longer retention period is required by law.

Your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US.

Questions or requests? Contact us at [email protected]. We aim to respond within 30 days.