Legal
Privacy Policy
Last updated June 9, 2026
This page explains what Standsly collects, what we do with it, and what rights you have. We run a tool for logging your own work, not an ad network — our goals and yours are aligned.
The short version
- We only collect data we need to run the product.
- We do not sell your data. Ever.
- We do not run ads or third-party marketing trackers.
- Your log entries are sent to Anthropic (Claude) when you click “Generate summary” — and only then.
- You can export everything as CSV or delete your account any time, no questions.
What we collect
We collect only what is needed to operate your work log, integrations, and billing.
Account data
- Email address (required for login)
- Full name and avatar URL (optional, from signup or Google OAuth)
- Timezone (for correct daily rollover of entries)
- Reminder preferences (time and whether enabled)
Work log data
- Log entries: the text, duration, category, and timestamp you provide
- Derived metadata: project tags and ticket keys parsed from entry text
- Soft-deleted entries (we never hard-delete — kept in case you undo)
- AI summaries you generate
Billing data
Payments go through Lemon Squeezy (our Merchant of Record). We receive a customer id and subscription status from them; we never see or store your card number. See Lemon Squeezy's privacy policy.
Who else touches your data
A small number of third-party services run specific parts of the product. None receive your data for their own purposes.
| Provider | Role |
|---|---|
| Supabase | Hosts the database and handles authentication. Your data lives here. |
| Anthropic (Claude) | When you generate an AI summary, the relevant log entries are sent to Anthropic’s API. API inputs are not used to train their models. |
| Resend | Sends transactional email (sign-in links, reminders, weekly teasers). |
| Inngest | Runs the scheduled jobs behind reminders and summaries. |
| Lemon Squeezy | Processes payments and collects regional taxes as Merchant of Record. |
| Vercel | Hosts the application and serves traffic. |
We do not sell, rent, or share your data with any party that is not directly required to deliver the product.
How long we keep it
Retention depends on whether your account is active and what type of data you have stored.
- Active account data is retained for as long as your account exists.
- If you delete your account, your profile and all associated log entries, summaries, and preferences are removed within 30 days. Billing records required for accounting may be retained for up to 7 years as required by applicable tax law.
- Soft-deleted entries are kept indefinitely while your account is active, so you can restore them.
Your rights
Regardless of where you live, you can exercise the following controls.
Export
Download all your entries as CSV from Settings → Categories → Export.
Correct
Edit any log entry directly, or update your profile in Settings.
Delete
Remove your account and all associated data from Settings → Danger Zone.
Object
Email us at standslyai@gmail.com if you want us to stop processing your data for any other reason.
Users in the EU, UK, and California have additional rights under GDPR, UK-GDPR, and CCPA respectively. Email us and we'll respond within 30 days.
Google Calendar integration
Optional. If you connect Google Calendar, Standsly reads calendar data read-only to suggest work blocks on the Memory page. You review and confirm each suggestion before it becomes a log entry.
Read-only calendar access
Standsly never writes to your Google Calendar. Suggestions stay in Standsly until you confirm or dismiss them.
Scopes we request and why
Google Calendar (read-only)
To read calendar events within a ~48-hour lookback and 14-day lookahead window and generate scheduling suggestions for your review on the Memory page. Standsly requests read-only access only — no write access is requested or used.
Google account email (Identity scope)
To identify the Google account being connected and associate the OAuth grant with your Standsly account. Standsly does not store your Google email address separately as Google user data; your account email is managed through Standsly authentication.
What we store from Google Calendar
How long we keep Google Calendar data
- OAuth tokens are retained while Google Calendar is connected and are revoked when you disconnect or delete your account.
- Unconfirmed suggestions remain stored until you confirm or skip them on the Memory page. Standsly does not automatically delete unconfirmed suggestions after a fixed number of days.
- Confirmed or skipped suggestions are retained for the life of your account unless you delete your account.
- Disconnecting Google Calendar stops future syncs and revokes OAuth access but does not remove previously stored suggestion records. Account deletion removes all associated data.
Data protection mechanisms
01
Encrypted OAuth tokens
AES-256-GCM envelope encryption; server-side decrypt only; never exposed to the browser
02
HTTPS-only transfer
All data in transit encrypted via TLS
03
Row-level security (RLS)
Calendar-derived suggestions scoped to the owning user at the database layer
04
No client-side OAuth secrets
Access and refresh tokens stored in encrypted server-side vault only
05
Revocation on disconnect and account deletion
Google grant revoked on Disconnect; all integration grants revoked on account deletion
06
Step-up authentication
Recent sign-in required before connecting or disconnecting Google Calendar
07
Restricted infrastructure access
Data processed only by named subprocessors (Supabase, Vercel) under data-processor terms; no sale or licensing to third parties
Human access
AI and machine learning
Third-party sharing
Your controls
- 1Disconnect Google Calendar in Settings → Integrations
- 2Revoke Standsly access at Google Account permissions
- 3Delete account and all associated data from Settings → Danger Zone
For technical detail on encryption and access control, see our Trust & Security page.
Google API Services Limited Use Disclosure
Public attestation of our compliance with Google’s API data policies.
Standsly's use and transfer to any other app of information received from Google Workspace APIs (including the Google Calendar API) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Read the full policy at Google API Services User Data Policy.
How we comply with Limited Use
User benefit only
Google Calendar data is used solely to generate scheduling suggestions on your Memory page. It is not used for any purpose unrelated to this feature.
No advertising
Google Calendar data is never used to serve ads, for interest-based advertising, or for retargeting of any kind.
No unauthorized human access
Standsly staff do not read your calendar-derived data except as described in the human access policy above.
No unauthorized transfer
Google Calendar data is not transferred to any third party except to named infrastructure subprocessors (Supabase, Vercel) solely for the purpose of operating the service.
Security
Defense-in-depth controls protect your work log and integration credentials.
Standsly uses row-level database isolation, encrypted OAuth credentials, responsible AI guardrails, and defense-in-depth browser protections. See our Trust & Security page for the full breakdown. Google Calendar disclosures are in the Google Calendar integration section above.
All traffic is served over HTTPS. Access to production data is restricted to the smallest set of operators necessary to keep the service running.
No system is perfectly secure. If you discover a vulnerability, please report it to standslyai@gmail.com and we'll acknowledge within 2 business days.
Children
Standsly is not intended for anyone under 16. We do not knowingly collect data from children.
Changes to this policy
If we make a material change to this policy, we will email all active users at least 14 days before it takes effect. Minor edits (typos, reformatting) will be reflected by updating the “Last updated” date above.
Contact
Questions, complaints, or data requests: standslyai@gmail.com.