← back

Your data stays in your cloud.

Period. Steamshovel's compute and your content run in infrastructure you control. Your files in Google Drive, Microsoft OneDrive, or Zoho WorkDrive. Your analytics on your own VM in your own GCP, AWS, or Azure project. Your LLM dispatch from your own sidecar with your own provider API key. Your documents, the questions you ask, and the answers the model writes never traverse the public network to us.

How

Each install is scoped to the files you open it in. No shared store. No cross-customer reads. No copy of your work on our infrastructure. Per-project service accounts gate Drive access at Google's IAM layer. A workflow in one project cannot, by the auth enforcement itself, read another project's files. The LLM dispatcher runs in your cloud with your provider API key. The model vendor sees what your workflow sends it and nothing more.

The only thing that reaches us is the shape of agent traffic. Which workflow ran. In which suite. Whether you accepted the result. The timing. An opaque per-install identifier. Plus the bug-report words you choose to send. Counters and shapes. Never content. That line is enforced in code, in three places. The client builds only structural fields. The collector rejects any payload that smuggles a content-bearing key. The storage schema has no column for content to land in. A bug that tried to send your data would be refused at the door.

How both are true at once

A traffic record is structural. It says a summarize workflow ran in a Microsoft document at 14:22, took 1.2 seconds, and you accepted the result. It does not carry the document, the prompt, or the summary. It cannot. We measure that you did the work and whether it landed, the same way a payment processor records that a charge succeeded without keeping a photo of what you bought.

That line is enforced in code, in three places: the client builds only structural fields; the control-plane collector rejects any payload that smuggles a content-bearing key; and the storage schema has no column for content to land in. A bug that tried to send your data would be refused at the door.

What reaches steamshovel.ai

What never leaves your cloud

Third-party services

Steamshovel talks to a small, named set of outside services. Most of them you choose and point at yourself. Here is the whole list.

Bring your own key

You connect Steamshovel to your own model account with your own API key. That key lives in your cloud, in your Stratum sidecar or in your browser's local storage. It dispatches direct to the provider. It never passes through steamshovel.ai, at any tier. Not on the free light trial, not on the full trial, not when you are paying. The control plane sees that an install is active. It never sees the key, the request, or the response.

How long we keep the little we hold

Your work lives in your cloud. You keep it as long as you want and erase it on demand. The only data we hold is the structural telemetry and the feedback you send. Both are deleted on a 90-day schedule, the feedback cleared once the issue you reported is closed. You can erase everything tied to your install at any time, from the sidebar. The full per-category schedule is in our Data Processing Addendum.

What we don't ask for

Steamshovel doesn't read your email. The Gmail integration sees only the subject of a message you've clicked. No search. No body. No plan to add either.

Why this shape

The control plane needs to know that Steamshovel is being used, where, and whether it works. For billing. For support. To find the failure the next user would hit. None of that needs your data. So the split is clean. The control plane holds the shape of usage. The data plane, in your cloud, holds the work itself. The thing that makes Steamshovel valuable as it grows, a view of agent traffic across every office suite, is built entirely from the structural side of that line.

Google API Services Limited Use

Steamshovel's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain terms. We use the access you grant only to run the workflows you ask for. We do not sell it. We do not use it for advertising. We do not let a human read it, except where you send us a bug report yourself or the law compels us. Your Drive, Docs, Sheets, Slides, and Gmail access serves the feature you invoked and nothing else.