Privacy Policy

Keepli values your privacy. This Privacy Policy explains how we collect, use, and protect your information.

1. Information We Collect

We collect the following Google user data to provide our enterprise security services:

Basic Profile Information: Name, email address, and profile information from your Google account
Google Workspace User Data: User directory information including 2FA enrollment status, last login times, admin status, and organizational unit paths
Google Drive Metadata: File names, owners, sharing permissions, and file IDs (we do NOT access file content)
Authentication Data: OAuth tokens and session information to maintain secure access to your workspace

Important: We do not access, store, or process the actual content of your files, emails, or documents. We only analyze metadata for security compliance purposes.

Google API Services Compliance

The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

For detailed testing instructions and OAuth verification guidance, please see our OAuth Testing Instructions.

2. Google Drive API Access

Our application uses Google Drive API with the following scopes to provide enterprise security compliance services:

Required API Scopes:

https://www.googleapis.com/auth/drive.metadata.readonly - Read-only access to file metadata (names, owners, sharing permissions) for security analysis
https://www.googleapis.com/auth/admin.directory.user.readonly - Read-only access to user directory information for security reporting

Why We Need These Scopes:

Our enterprise security tool requires comprehensive visibility across your entire Google Workspace domain to:

Analyze file sharing permissions across all files in your organization
Identify files with risky sharing settings (public or domain-wide access)
Generate security compliance reports for IT administrators
Provide automated security scanning and alerts

Data Access Limitations:

Metadata Only: We only access file metadata (names, owners, permissions) - never file content
Read-Only: We never modify, delete, or create files in your Google Drive
Security Focus: All data access is exclusively for security analysis and compliance reporting
Admin Delegation: Access is granted through domain-wide delegation by your Google Workspace administrator

Note: The drive.file scope would be insufficient for our security tool as it only provides access to files created by our application, which would miss 99% of files that need security analysis in your organization.

3. Human Access to User Data

We do not allow humans to read your Google user data, except in the following limited circumstances:

User Consent: When you explicitly consent to us reading specific data to help you re-access the service or resolve technical issues
Security Purposes: When necessary to investigate abuse, security incidents, or unauthorized access
Legal Compliance: When required by applicable laws or regulations
Aggregated Data: When data is aggregated and anonymized for internal operations and service improvement

Important: All human access to user data is logged, monitored, and requires explicit authorization. We never read your data for commercial purposes or without your consent.

4. Google User Data Protection

We implement comprehensive security measures to protect Google user data:

Data Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
Access Controls: Strict role-based access controls limit data access to authorized personnel only
Data Minimization: We only collect and process the minimum data necessary for security analysis
Secure Storage: Google user data is stored in secure, encrypted databases with regular security audits
Data Retention: User data is automatically purged after 90 days unless required for ongoing security analysis
Third-Party Security: We use Google's official APIs and follow Google's security best practices
Audit Logging: All data access is logged and monitored for security compliance
Security Incident Response: We have procedures in place to detect, respond to, and report security incidents

Security Incident Reporting

In the event of a security incident involving your data, we will notify Google at security@google.com and cooperate fully with their investigation. We will also notify affected users as required by law.

5. How We Use Information

We use Google user data exclusively for the following purposes:

Security Analysis: Analyze file sharing permissions and user security settings to identify potential security risks
Compliance Reporting: Generate security reports for IT administrators showing 2FA adoption, file visibility risks, and user activity
Service Improvement: Improve our security scanning algorithms and reporting features
Communication: Send security alerts and service updates to authorized administrators

Prohibited Uses: We do NOT use your data for advertising, selling to third parties, training AI models, or any purpose other than providing our security compliance services.

6. Data Sharing

We do not sell, rent, or trade your Google user data. We may share information only in the following limited circumstances:

Service Providers: With trusted third-party services (such as email delivery providers) strictly to operate our security compliance services
Legal Requirements: When required by law or to protect our rights and the rights of our users
Business Transfers: In connection with a merger, acquisition, or sale of assets (with user notification)

No Third-Party Data Sales: We do not share your data with data brokers, advertisers, or any third parties for marketing or advertising purposes.

7. Data Retention

We retain Google user data for the following periods:

Active Users: Data is retained while your account is active and for 90 days after account termination
Security Reports: Historical security scan data is retained for up to 1 year for compliance reporting
Authentication Data: OAuth tokens are refreshed automatically and old tokens are deleted immediately
Automatic Deletion: User data is automatically purged after the retention period expires

Data Deletion: You may request immediate deletion of your data by contacting us at nourdine@trykeepli.com. We will delete your data within 30 days of your request, except where retention is required by law.

8. Your Rights

You have the following rights regarding your Google user data:

Access: Request a copy of all data we have collected about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your data (subject to legal requirements)
Portability: Request your data in a machine-readable format
Withdrawal: Withdraw consent for data processing at any time

To exercise these rights, contact us at nourdine@trykeepli.com or through our support channels. We will respond to your request within 30 days.

9. Changes to Policy

We may update this Privacy Policy periodically. Any changes will be posted here with a new "Last Updated" date. We will notify users of material changes via email or through our service interface.

10. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: nourdine@trykeepli.com
Support: Available through our application dashboard
Data Protection Officer: nourdine@trykeepli.com

Last updated: 10/30/2025

This privacy policy is specifically designed for Keepli's Google Workspace security compliance services and complies with Google's OAuth verification requirements.