Your data stays in your cloud.
Period. Steamshovel's compute and your content run in infrastructure you control. Your files in Google Drive, Microsoft OneDrive, or Zoho WorkDrive. Your analytics on your own VM in your own GCP, AWS, or Azure project. Your LLM dispatch from your own sidecar with your own provider API key. Your documents, the questions you ask, and the answers the model writes never traverse the public network to us.
How
Each install is scoped to the files you open it in. No shared store. No cross-customer reads. No copy of your work on our infrastructure. Per-project service accounts gate Drive access at Google's IAM layer. A workflow in one project cannot, by the auth enforcement itself, read another project's files. The LLM dispatcher runs in your cloud with your provider API key. The model vendor sees what your workflow sends it and nothing more.
The only thing that reaches us is the shape of agent traffic. Which workflow ran. In which suite. Whether you accepted the result. The timing. An opaque per-install identifier. Plus the bug-report words you choose to send. Counters and shapes. Never content. That line is enforced in code, in three places. The client builds only structural fields. The collector rejects any payload that smuggles a content-bearing key. The storage schema has no column for content to land in. A bug that tried to send your data would be refused at the door.
How both are true at once
A traffic record is structural. It says a summarize workflow ran in a Microsoft document at 14:22, took 1.2 seconds, and you accepted the result. It does not carry the document, the prompt, or the summary. It cannot. We measure that you did the work and whether it landed, the same way a payment processor records that a charge succeeded without keeping a photo of what you bought.
That line is enforced in code, in three places: the client builds only structural fields; the control-plane collector rejects any payload that smuggles a content-bearing key; and the storage schema has no column for content to land in. A bug that tried to send your data would be refused at the door.
What reaches steamshovel.ai
- Structural usage envelopes Which workflow ran (its template class), the suite and surface, the model it routed to, whether you accepted or rejected the result, timing, and an opaque per-install identifier. Counters and shapes. Never text.
- Feedback you choose to send When you tell the agent something is broken, it files a bug on your behalf with the words you used and, if you attach one, a screenshot you picked. Consented at the moment you send it. Never auto-collected.
What never leaves your cloud
- Your documents and their contents The files, the rows, the slides. They stay in your suite's storage. We never copy them.
- Your prompts and the model's output The question you ask and the answer it writes are between you, your files, and the model endpoint you point at. They are not in any record we keep.
- Tenant identifiers, embeddings, and row data Nothing that identifies your organization or reconstructs your data crosses the line. The collector refuses these keys outright.
Third-party services
Steamshovel talks to a small, named set of outside services. Most of them you choose and point at yourself. Here is the whole list.
- Your model provider: Anthropic, OpenAI, Google, AWS Bedrock, Azure OpenAI, or OpenRouter You bring your own key. Your Stratum sidecar dispatches straight to the provider you pick, from your own cloud. The provider sees what your workflow sends it and nothing more. It is your sub-processor, not ours. Your key never reaches steamshovel.ai.
- Your self-hosted Stratum analytics engine Runs on your own VM in your own GCP, AWS, or Azure project. It holds your captures, your embeddings, and your analytics. Your infrastructure, not ours.
- steamshovel.ai control-plane telemetry, stored in Google Cloud The structural usage envelopes and the feedback you choose to send, stored in BigQuery in a region you can configure. Counters and shapes. Never content. This is our one sub-processor. The full list, and our 30-day notice policy for any change, is at sub-processors.
Bring your own key
You connect Steamshovel to your own model account with your own API key. That key lives in your cloud, in your Stratum sidecar or in your browser's local storage. It dispatches direct to the provider. It never passes through steamshovel.ai, at any tier. Not on the free light trial, not on the full trial, not when you are paying. The control plane sees that an install is active. It never sees the key, the request, or the response.
How long we keep the little we hold
Your work lives in your cloud. You keep it as long as you want and erase it on demand. The only data we hold is the structural telemetry and the feedback you send. Both are deleted on a 90-day schedule, the feedback cleared once the issue you reported is closed. You can erase everything tied to your install at any time, from the sidebar. The full per-category schedule is in our Data Processing Addendum.
What we don't ask for
Steamshovel doesn't read your email. The Gmail integration sees only the subject of a message you've clicked. No search. No body. No plan to add either.
Why this shape
The control plane needs to know that Steamshovel is being used, where, and whether it works. For billing. For support. To find the failure the next user would hit. None of that needs your data. So the split is clean. The control plane holds the shape of usage. The data plane, in your cloud, holds the work itself. The thing that makes Steamshovel valuable as it grows, a view of agent traffic across every office suite, is built entirely from the structural side of that line.
Google API Services Limited Use
Steamshovel's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain terms. We use the access you grant only to run the workflows you ask for. We do not sell it. We do not use it for advertising. We do not let a human read it, except where you send us a bug report yourself or the law compels us. Your Drive, Docs, Sheets, Slides, and Gmail access serves the feature you invoked and nothing else.