StandslyBack

Legal

Privacy Policy

Last updated June 9, 2026

This page explains what Standsly collects, what we do with it, and what rights you have. We run a tool for logging your own work, not an ad network — our goals and yours are aligned.

The short version

  • We only collect data we need to run the product.
  • We do not sell your data. Ever.
  • We do not run ads or third-party marketing trackers.
  • Your log entries are sent to Anthropic (Claude) when you click “Generate summary” — and only then.
  • You can export everything as CSV or delete your account any time, no questions.

What we collect

We collect only what is needed to operate your work log, integrations, and billing.

Account data

  • Email address (required for login)
  • Full name and avatar URL (optional, from signup or Google OAuth)
  • Timezone (for correct daily rollover of entries)
  • Reminder preferences (time and whether enabled)

Work log data

  • Log entries: the text, duration, category, and timestamp you provide
  • Derived metadata: project tags and ticket keys parsed from entry text
  • Soft-deleted entries (we never hard-delete — kept in case you undo)
  • AI summaries you generate

Billing data

Payments go through Lemon Squeezy (our Merchant of Record). We receive a customer id and subscription status from them; we never see or store your card number. See Lemon Squeezy's privacy policy.

Who else touches your data

A small number of third-party services run specific parts of the product. None receive your data for their own purposes.

ProviderRole
SupabaseHosts the database and handles authentication. Your data lives here.
Anthropic (Claude)When you generate an AI summary, the relevant log entries are sent to Anthropic’s API. API inputs are not used to train their models.
ResendSends transactional email (sign-in links, reminders, weekly teasers).
InngestRuns the scheduled jobs behind reminders and summaries.
Lemon SqueezyProcesses payments and collects regional taxes as Merchant of Record.
VercelHosts the application and serves traffic.

We do not sell, rent, or share your data with any party that is not directly required to deliver the product.

Cookies and tracking

We keep tracking to the minimum required to keep you signed in.

We use a session cookie (from Supabase) to keep you signed in. That is the only cookie we set. We do not use Google Analytics, Facebook Pixel, Segment, or any other behavioral tracking.

How long we keep it

Retention depends on whether your account is active and what type of data you have stored.

  • Active account data is retained for as long as your account exists.
  • If you delete your account, your profile and all associated log entries, summaries, and preferences are removed within 30 days. Billing records required for accounting may be retained for up to 7 years as required by applicable tax law.
  • Soft-deleted entries are kept indefinitely while your account is active, so you can restore them.

Your rights

Regardless of where you live, you can exercise the following controls.

Export

Download all your entries as CSV from Settings → Categories → Export.

Correct

Edit any log entry directly, or update your profile in Settings.

Delete

Remove your account and all associated data from Settings → Danger Zone.

Object

Email us at standslyai@gmail.com if you want us to stop processing your data for any other reason.

Users in the EU, UK, and California have additional rights under GDPR, UK-GDPR, and CCPA respectively. Email us and we'll respond within 30 days.

Google Calendar integration

Optional. If you connect Google Calendar, Standsly reads calendar data read-only to suggest work blocks on the Memory page. You review and confirm each suggestion before it becomes a log entry.

Read-only calendar access

Standsly never writes to your Google Calendar. Suggestions stay in Standsly until you confirm or dismiss them.

Scopes we request and why

Google Calendar (read-only)

To read calendar events within a ~48-hour lookback and 14-day lookahead window and generate scheduling suggestions for your review on the Memory page. Standsly requests read-only access only — no write access is requested or used.

Google account email (Identity scope)

To identify the Google account being connected and associate the OAuth grant with your Standsly account. Standsly does not store your Google email address separately as Google user data; your account email is managed through Standsly authentication.

What we store from Google Calendar

Standsly does not store raw Google Calendar event payloads. During sync, events are read read-only and mapped to derived suggestion fields: event title, start and end time, meeting type, attendee count, recurring flag, and a calendar link. These derived fields are stored as suggestions pending your review.

How long we keep Google Calendar data

  • OAuth tokens are retained while Google Calendar is connected and are revoked when you disconnect or delete your account.
  • Unconfirmed suggestions remain stored until you confirm or skip them on the Memory page. Standsly does not automatically delete unconfirmed suggestions after a fixed number of days.
  • Confirmed or skipped suggestions are retained for the life of your account unless you delete your account.
  • Disconnecting Google Calendar stops future syncs and revokes OAuth access but does not remove previously stored suggestion records. Account deletion removes all associated data.

Data protection mechanisms

01

Encrypted OAuth tokens

AES-256-GCM envelope encryption; server-side decrypt only; never exposed to the browser

02

HTTPS-only transfer

All data in transit encrypted via TLS

03

Row-level security (RLS)

Calendar-derived suggestions scoped to the owning user at the database layer

04

No client-side OAuth secrets

Access and refresh tokens stored in encrypted server-side vault only

05

Revocation on disconnect and account deletion

Google grant revoked on Disconnect; all integration grants revoked on account deletion

06

Step-up authentication

Recent sign-in required before connecting or disconnecting Google Calendar

07

Restricted infrastructure access

Data processed only by named subprocessors (Supabase, Vercel) under data-processor terms; no sale or licensing to third parties

Human access

Standsly employees and contractors do not access your Google Calendar data in the normal course of operations. Human access to calendar-derived data may occur only in the following circumstances permitted by Google's Limited Use policy: to investigate a security incident, to comply with applicable law, or at your explicit request for support. In all cases, access is limited to the minimum necessary and is subject to internal access controls and audit logging.

AI and machine learning

Google Calendar data is never used to develop, improve, or train AI or machine learning models. Only entries explicitly confirmed by the user may be included in user-initiated summaries, and only the content the user has approved is sent.

Third-party sharing

Google Calendar data is not sold, licensed, or transferred to third parties. Supabase and Vercel process data solely as infrastructure providers and do not access Google data for their own purposes.

Your controls

  1. 1Disconnect Google Calendar in Settings → Integrations
  2. 2Revoke Standsly access at Google Account permissions
  3. 3Delete account and all associated data from Settings → Danger Zone

For technical detail on encryption and access control, see our Trust & Security page.

Google API Services Limited Use Disclosure

Public attestation of our compliance with Google’s API data policies.

Standsly's use and transfer to any other app of information received from Google Workspace APIs (including the Google Calendar API) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Read the full policy at Google API Services User Data Policy.

How we comply with Limited Use

User benefit only

Google Calendar data is used solely to generate scheduling suggestions on your Memory page. It is not used for any purpose unrelated to this feature.

No advertising

Google Calendar data is never used to serve ads, for interest-based advertising, or for retargeting of any kind.

No unauthorized human access

Standsly staff do not read your calendar-derived data except as described in the human access policy above.

No unauthorized transfer

Google Calendar data is not transferred to any third party except to named infrastructure subprocessors (Supabase, Vercel) solely for the purpose of operating the service.

Security

Defense-in-depth controls protect your work log and integration credentials.

Standsly uses row-level database isolation, encrypted OAuth credentials, responsible AI guardrails, and defense-in-depth browser protections. See our Trust & Security page for the full breakdown. Google Calendar disclosures are in the Google Calendar integration section above.

All traffic is served over HTTPS. Access to production data is restricted to the smallest set of operators necessary to keep the service running.

No system is perfectly secure. If you discover a vulnerability, please report it to standslyai@gmail.com and we'll acknowledge within 2 business days.

Children

Standsly is not intended for anyone under 16. We do not knowingly collect data from children.

Changes to this policy

If we make a material change to this policy, we will email all active users at least 14 days before it takes effect. Minor edits (typos, reformatting) will be reflected by updating the “Last updated” date above.

Contact

Questions, complaints, or data requests: standslyai@gmail.com.