Privacy Policy
Last updated: April 14, 2026
What we access
When you sign in with Google, UpSkiller Scanner requests read-only access to:
- Gmail (read-only) — We scan email sender domains to discover your tech stack. For financial emails (invoices, receipts, subscriptions), we read the full email body to extract dollar amounts, vendor names, and contract details. Email content is truncated to 2,000 characters per message.
- Google Drive (metadata only) — We read file names and modification dates to find contracts, SOWs, and procurement documents. We never read file contents.
- Google Calendar (read-only) — We read meeting titles, dates, and attendee counts to identify vendor relationships and operational cadences.
- Google Admin Directory (admin mode only) — If you connect as an admin, we read organization user profiles (names, emails, departments) to map team structure and identify license usage patterns. No passwords or credentials are accessed.
File uploads
You may also upload spreadsheet files (CSV, XLSX, JSON) directly for analysis. Uploaded file content is processed in-memory during your scan and sent to Claude for AI analysis. The file content itself is not permanently stored, but scan results (findings, recommendations) derived from the file are saved to your account if you are signed in.
What we don't do
- We never write to, modify, or delete anything in your Google account.
- We never permanently store your raw email content or uploaded file content on our servers. This data is held in memory only during your scan session.
- We never use your data for advertising.
How data is processed
During your scan, data from connected sources (email content, file uploads, calendar metadata, Drive metadata, and Admin Directory profiles) is sent to Claude by Anthropic for AI analysis. This data is processed in real time to produce findings and is not stored by Anthropic for model training. Scan results (findings, tech stack maps, recommendations, agent logs) are saved to our database and associated with your account. Raw source data (emails, files) is discarded after the scan completes.
Authentication tokens
Your Google OAuth token is stored in a secure, httpOnly cookie that expires after 1 hour. It is only used to access the Google APIs listed above during your active scan session. Tokens are never logged or stored in any database.
Data retention
If you create an account, your scan results (findings and recommendations) are stored in our database so you can return to them later. Your raw email content is never stored. You can request deletion of your account and all associated data at any time by emailing scotty@upskillerai.com.
Third-party services
- Anthropic (Claude AI) — We send email content (sender domains, financial email bodies truncated to 2,000 characters, extracted amounts), Drive file metadata, and calendar event summaries to Claude for analysis. Anthropic does not use this data for model training per their API terms.
- Vercel — Our application is hosted on Vercel's serverless infrastructure.
- Supabase — User accounts, scan results (findings, recommendations, agent logs), and usage tracking are stored in Supabase. Data is retained until you request deletion.
Your rights
You can revoke UpSkiller's access to your Google account at any time by visiting Google Account Permissions. You can also request complete deletion of your data by contacting us.
Contact
Questions about this policy? Email scotty@upskillerai.com.