Guideful logo
Log in Start for Free

Privacy Policy — Guideful.ai

We value the privacy of every Guideful user. This page explains how we collect, use, and protect personal data in line with GDPR requirements.

I. Information Regarding the Processing of Personal Data

We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, “GDPR”).

II. Personal Data Controller

The controller of your personal data is Good Sheet Sp. z o.o., headquartered in Wrocław, Krępicka 1/6, registered under KRS no. 0000510335 (District Court Wrocław-Fabryczna, VI Commercial Division of the National Court Register), NIP: 6793100885, REGON: 123126326.

You may contact us at: hi [at] guideful [dot] ai or by mail to the company’s registered address.

III. Gathering Personal Data

We collect your personal data lawfully. You provide data when creating an account and using the Guideful.ai application. We also collect certain technical data automatically (e.g. server logs, IP address, browser type).

IV. Purpose and Legal Basis of Processing

We process personal data for the following purposes:

  • To perform contracts and provide services you requested (Art. 6(1)(b) GDPR);
  • To pursue our legitimate interests (Art. 6(1)(f) GDPR), including ensuring service functionality, maintaining security, analyzing usage, and contacting you if needed to ensure proper onboarding and use of the service;
  • On the basis of your consent (Art. 6(1)(a) GDPR) — e.g. if you sign up for optional newsletters or marketing communications.

Support communications and onboarding calls (Art. 6(1)(b) GDPR – performance of the Agreement; Art. 6(1)(f) GDPR – our legitimate interest in delivering, improving, and documenting support and onboarding).

Call recordings and transcripts/summaries (Art. 6(1)(a) GDPR – consent; recordings and transcription are enabled only after we clearly announce it at the start of the call and receive your approval). If you do not consent, we disable recording and transcription.

We process only the data necessary and adequate for these purposes.

V. Scope of Data

We may process: name, e-mail address, login data (including password, stored securely as a hash), server logs (IP address, browser type/version, device information), and application usage data.

We may additionally process, when you contact support or join a call:

  • support e-mail content and headers (Google Workspace);
  • meeting metadata (date, time, participants);
  • audio/video recordings of support or onboarding calls (Google Meet; recordings are clearly announced);
  • meeting transcripts and AI-generated summaries or notes (Fireflies.ai).

VI. Sharing Data

We do not sell personal data and we do not use personal data for advertising or cross-context behavioral advertising.

Your data may be shared with trusted service providers acting as processors under GDPR-compliant agreements, including:

  • Hetzner Online GmbH (hosting infrastructure),
  • Appliku.com (deployment and hosting management),
  • Cloudflare, Inc. (content delivery network, security),
  • Cloudflare R2 (Cloudflare, Inc.) (S3-compatible object storage for tutorial-related assets: screenshots, audio files (MP3), and compressed HTML snapshots used to analyse pages where the widget runs and to improve element detection. These assets are uploaded as part of tutorial recording by creators/developers of the application, not by end users who merely follow tutorials. This is not a primary user database.),
  • Supabase.com (database services, EU region),
  • Postmark (ActiveCampaign, LLC) (transactional e-mail delivery),
  • Stripe Payments Europe Ltd. (payment processing),
  • Sentry (Sentry, Inc.) (application error monitoring; default PII disabled, sensitive headers redacted; processes error stack traces, minimal request metadata, and event context to diagnose production issues),
  • OpenAI, L.L.C. (AI-based processing in the service),
  • Google Workspace / Google Meet (Google LLC / Google Cloud EMEA) (e-mail delivery and storage; online meetings with recordings enabled only after express participant consent),
  • Fireflies.ai (transcription and AI summaries of meetings with express participant consent).

These providers process contact data, e-mail content or metadata, meeting metadata, and—where recording or analysis is enabled—audio/video along with transcripts or summaries. Transfers outside the EEA may occur; we rely on Standard Contractual Clauses plus supplementary measures, or select EEA regions where available.

Data may also be disclosed to supervisory or judicial authorities as required by law.

Google OAuth & API Data

Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed

  • Scopes requested: profile, email.
  • Fields received from Google: your name, email address, Google account identifier, and profile picture URL.
  • We do not request or access Gmail, Drive, Calendar, Contacts, or any other Google data beyond the scopes listed above.

Data Usage

  • We use Google user data solely to authenticate you, create or link your Guideful account, prefill your profile (name/avatar), and keep you signed in.
  • We do not use Google user data for advertising, cross-context behavioral ads, profiling, or to train generalized AI/ML models.
  • No human access to Google user data occurs except as required for security, to comply with the law, or with your explicit consent for support purposes.

Data Sharing

  • We do not sell Google user data.
  • We do not share Google OAuth tokens with any third parties.
  • As part of service delivery, certain subprocessors (e.g., hosting, email delivery, billing) may process your email address or related account metadata in a minimal, necessary scope (see the “Sharing Data” section).

Data Storage & Protection

  • We do not persist Google OAuth access tokens under our current configuration (SSO-only).
  • We request online access only (no offline access; no refresh tokens).
  • Access tokens, if issued, are used transiently to complete sign‑in and are not retained for other purposes. If stored by our identity system, they are protected at rest with encryption and subject to strict least‑privilege access controls.
  • Account data derived from Google (e.g., name, email, avatar URL) is stored in the EU on managed PostgreSQL (Supabase) with TLS in transit and encryption at rest. We enforce least privilege, audit logging, and environment‑based secret management.

Data Retention & Deletion

  • Google‑sourced fields (name, email, avatar URL) are retained while your Guideful account remains active.
  • We do not currently persist Google OAuth tokens; thus no tokens are retained as part of routine operations. The 30‑day timeline below is our retention standard should token storage be introduced for additional Google API features, and we will update this policy accordingly.
  • If you revoke Guideful’s access at any time at myaccount.google.com/permissions or request disconnection/deletion, we delete associated Google auth data and tokens without undue delay (typically within 30 days). Encrypted backups may persist for up to 12 months and expire automatically.
  • You can request account deletion at support [at] guideful [dot] ai.

VII. Data Retention

Your personal data will be stored for the duration of your account.

You may request deletion of your account at any time. When you do so, active data will be removed, but copies may remain in encrypted backups that are retained for up to 12 months for security and business continuity purposes. These backups are not used for any other processing and will expire automatically.

Support e-mails are retained according to our general retention and backup policy.

Meeting recordings and transcripts or summaries are retained for up to 24 months and then deleted, unless a longer retention period is required to establish, exercise, or defend legal claims. Backup copies may persist for up to 12 months and cannot be selectively purged; they are overwritten on schedule.

You may request deletion of a specific recording or transcript (where applicable) at support [at] guideful [dot] ai.

Technical server logs may be retained for up to 24 months for security, diagnostic, and legal compliance purposes.

Data required for legal or contractual claims will be kept as long as those claims may be pursued or defended.

VIII. Your Rights

You may:

  • Access, correct, delete, or restrict processing of your data;
  • Object to processing based on legitimate interest;
  • Receive a copy or transfer your data;
  • Withdraw consent where applicable;
  • Lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.

If you prefer not to be recorded or analysed during a call, or you wish to withdraw consent, please tell us before or during the call; we will disable recording or analysis for that session.

IX. Consequences of Not Providing Data

Providing data is necessary to use the service. Without it, we cannot provide access to Guideful.ai. In other cases, providing data is voluntary.

X. Automated Processing

Your data is not subject to automated decision-making that produces legal effects. We may perform analytics and usage segmentation (e.g. which users launched the widget, completed onboarding, or used specific features), but this does not result in decisions that have legal or similarly significant effects for you.

Tracking & Analytics

We do not use cookies or invasive trackers. We use Plausible Analytics, a GDPR-compliant, cookieless analytics tool, to collect anonymous statistical information on service usage.

We also collect technical data (server logs, browser type, IP address) for security, performance monitoring, and to ensure reliable operation of the service.

Last updated: September 29th, 2025