Privacy Policy

Your trust is important to us. Here's how we protect your data.

Effective Date: 17th November 2025

1. Introduction

This Privacy Policy describes how AppsEDU ("we", "us", or "our") collects, uses, and protects your information when you use our Workspace Audit application (the "Service"). Our commitment is to be transparent about the data we access and to safeguard your privacy.

2. What Data We Collect

We collect only the information necessary to provide and improve our Service. This data is broken down into the following categories:

Information You Provide Directly

  • Account Information: When you sign in with Google, we receive your name, email address, and profile photo as provided by Google.
  • Onboarding Information: For new users, we ask for your Organisation Type, Organisation Size, and your Role. This helps us understand our user base and improve the tool.

Google API Scopes (Manual Scan)

To perform the security audit when you sign in, our Service requests your permission to use the following "read-only" scopes from the Google API:

  • https://www.googleapis.com/auth/cloud-identity.policies.readonly
    Used to read all security policies applied to your domain.
  • https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    Used to read your Organizational Unit structure to determine policy inheritance.
  • https://www.googleapis.com/auth/admin.directory.group.readonly
    Used to read your Group structure to determine policy inheritance.

Information We Access from Your Google Workspace

Our Core Privacy Commitment

The Service is designed with a "read-only" architecture. It **only requests read-only permissions** to your Google Workspace environment. We cannot change any of your settings.

Specifically, we **DO NOT** access, read, or store the content of your emails, files in Google Drive, calendar events, chat messages, or any other user-generated content.

The Service accesses the following types of data to perform the security audit:

  • Google Workspace Security Settings: We read security and policy settings from across various services (e.g., Gmail, Drive, Calendar) via the Google Cloud Identity and Admin SDK APIs.
  • Organizational Structure: We read the structure of your Organizational Units (OUs) and Groups to accurately report which policies apply to which parts of your organization.

Additional Scopes (Pro Tier Automated Scans)

For users who upgrade to our Pro tier and enable automated scanning, we require you to manually grant additional "read-only" permissions to our secure backend service account via Google's Domain-Wide Delegation (DwD) feature. These scopes are:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly
    Used by the "Third-Party App Risk" scan to find app authorization events in your domain's audit logs.
  • https://www.googleapis.com/auth/apps.groups.settings
    Used by the "Google Groups Security" scan to read the security settings of your groups.

These scopes are never requested from you at sign-in and are only used by our automated backend functions, which you explicitly authorize inside your own Google Admin Console.

Your Communication Preferences

During onboarding, we ask for your preferences regarding email communications, such as product updates or security newsletters.

3. How We Use Your Data

  • To Provide the Service: The primary use of your Google Workspace data is to run the security scan, compare it against best practices, and generate the report for you to view in the dashboard.
  • To Improve the Service: We use the onboarding information (e.g., Organisation Size, Role) in an **anonymized and aggregated** format to analyze user demographics and guide our product development. Your specific data is never singled out.
  • Data Usage Clarification: We do not use your specific security findings for aggregated analytics or any other purpose without your explicit consent. Your report data is for your use only.
  • To Communicate With You: If you opt-in, we will use your email address to send you the communications you have requested, such as product updates or security newsletters. You can unsubscribe from these emails at any time via a link in the email footer.

4. Data Storage, Security, and Transfers

All customer data, including your user profile and generated security reports, is stored exclusively on servers located within the European Union (EU).

We take data security seriously and implement industry-standard measures to protect your information, including encryption of data in transit (HTTPS) and at rest (as provided by Google Cloud Firestore). Access to production data is strictly limited to authorized personnel for maintenance and support purposes.

5. Your Data Protection Rights (GDPR)

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

You have the right to:

  • Access, update, or delete the information we have on you.
  • Request correction of any information that is inaccurate or incomplete.
  • Object to our processing of your Personal Data.
  • Request that we restrict the processing of your personal information.

To exercise these rights, please contact us at privacy@appsedu.com.

6. Data Sharing (Subprocessors)

We do not sell your personal data to third parties. We only share data with essential service providers ("subprocessors") who are required to provide our service. Our subprocessors are:

  • Google Cloud Platform: Used for application hosting, database storage (Firestore), and backend logic (Cloud Functions).
  • Google Authentication: Used to securely manage user sign-in.
  • SendGrid: Used to send email notifications, security alerts, and PDF/CSV reports to you, the user.
  • Google Gemini API: Used to generate the AI-powered insights and summaries within your dashboard. We send aggregated, non-personally identifiable data about security settings to this service for analysis.

7. Data Retention and Deletion

We retain your user profile information as long as your account is active. Security scan reports are retained for a period of twelve (12) months to enable historical analysis (a Pro feature) and then are securely deleted.

You may request the permanent deletion of your account and all associated data, including all historical reports, at any time by contacting us at privacy@appsedu.com.

8. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We may also notify you via email if the changes are significant.

9. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@appsedu.com.