Privacy Policy

This policy covers visitors to our website and customers who create an account and/or connect a Google Workspace for assessment. The person connecting a Workspace must be a Workspace administrator acting on behalf of their organization.

Account data. When you sign up we store your email address, your name (optional), and—if you use email/password login—a bcrypt hash of your password. We never store your password in plaintext.

Google Workspace configuration (read-only). When you connect Google, we request the read-only scopes listed at the end of this policy. We read your directory metadata (users, admin status, 2-Step Verification enrollment, last-login times, account status) and OAuth app-grant audit events to assess your security posture.

What we deliberately do NOT collect: we do not read the contents of emails, files, calendars, or chats. We do not download or store your user directory. We request no write or delete permission of any kind.

Billing data. Payments are processed by our payment provider (a Merchant of Record). We do not see or store your full card details; we store only your plan and a subscription identifier needed to keep your entitlements in sync.

We use your data solely to: evaluate your Workspace configuration and produce a security score, ranked findings, and recommended fixes; generate the report/PDF you request; send you account and (if enabled) risk-alert emails; and operate billing. We do not use your data to train any AI/ML model, and we do not use it for advertising.

We evaluate your configuration in memory and persist only the findings— for example “3 admins without 2-Step Verification” — together with minimal, sanitized evidence (counts and, at most, a few identifiers). We do not persist your raw directory, file contents, or message contents.

Posqure’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we only use Google Workspace data to provide and improve the security-assessment features visible to you; we do not transfer this data to others except as necessary to provide the service, comply with law, or as part of a merger/acquisition; we do not use it for advertising; and no humans read it except with your explicit consent, for security/debugging, or where required by law.

Read-only by design. Every Google scope we request ends in .readonly, and a guard in our code refuses to start if a non-read-only scope is ever added — we cannot modify your account.

Tokens encrypted at rest. Your Google refresh token is encrypted with AES-256-GCM using a key that does not live in our codebase. Disconnecting deletes it immediately.

No secrets in logs. Tokens and credentials are never written to logs or error trackers. Data is encrypted in transit (TLS).

We rely on a small number of vendors to run the service: Supabase (database hosting), Vercel (application hosting), Resend / Gmail (transactional email), and Google (the APIs you connect). Each processes data only to provide their function.

AI assistant (optional).If you use the "Ask Posqure" AI assistant or AI summary, we send only your sanitized findings — check titles, severities, counts, and your score/compliance status — to our AI provider (Groq or Google Gemini) to generate a response. We never send your raw directory, emails, files, or tokens to any AI model, and we do not use your data to train models.

We keep findings for the retention window of your plan. You can disconnect a Workspace at any time from Settings, which immediately deletes the stored refresh token. You may request deletion of your account and all associated data by emailing posqure@gmail.com; we will delete it within 30 days.

Depending on your location (e.g. GDPR in the EU/UK, India’s DPDP Act), you may have rights to access, correct, export, or delete your personal data. Contact us at posqure@gmail.com to exercise them. We do not sell personal data.

Posqure is a business product and is not directed to anyone under 16.

We may update this policy; we will change the “Last updated” date above and, for material changes, notify account holders by email.

Questions or requests: posqure@gmail.com.

• openid
• email
• profile
• https://www.googleapis.com/auth/admin.directory.user.readonly
• https://www.googleapis.com/auth/admin.directory.domain.readonly
• https://www.googleapis.com/auth/admin.directory.orgunit.readonly
• https://www.googleapis.com/auth/admin.reports.audit.readonly