Privacy Policy
Last updated: February 26, 2026
Workflow Spy is built on a simple promise: we collect only what we need to help you find automation opportunities, and nothing more. This policy explains exactly what we do — and don't — collect.
What we collect
- App names — the name of the application that has focus (e.g., “Google Chrome”, “Slack”, “Microsoft Excel”)
- Window titles — the title bar text of the active window (e.g., “Q4 Budget - Google Sheets”). Window titles are optional and can be disabled in HIPAA mode.
- Duration — how long each app was in the foreground, measured in seconds
- Idle time — periods where no keyboard or mouse activity was detected, so we can exclude them from active time calculations
- Account email — used to associate activity data with your account and deliver reports
What we do NOT collect
- ✗Keystrokes or typing content
- ✗Screenshots or screen recordings
- ✗Clipboard contents
- ✗Passwords or authentication tokens
- ✗Browser history or URLs visited
- ✗File contents or document data
- ✗Microphone or camera input
- ✗Network traffic or packet contents
How it's stored
All data is stored in Google Cloud Firebase (Firestore) in US data centers. Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Access to raw activity data is restricted to automated analysis processes and authenticated account owners. No human employee of Workflow Spy can access your individual activity logs without your explicit consent.
Data retention
| Plan | Retention period |
|---|---|
| Free trial | 7 days |
| Solo | 90 days |
| Team | 180 days |
| Enterprise | 365 days |
After cancellation, all activity data is permanently deleted within 30 days. AI-generated insight reports are deleted on the same schedule unless you download them before cancellation.
HIPAA mode
For healthcare organizations subject to HIPAA, Workflow Spy offers HIPAA mode. When enabled:
- All window titles and URLs are stripped from data collection at the device level — they are never transmitted
- Only app names and duration are retained
- AI analysis is performed solely on app-level time patterns
- Data is stored in dedicated HIPAA-eligible Firebase infrastructure
Contact privacy@workflowspy.com to enable HIPAA mode or request a Business Associate Agreement (BAA).
How we use your data
- To generate AI-powered workflow analysis reports for your account
- To identify automation opportunities specific to your app usage patterns
- To calculate efficiency scores and track improvement over time
- To send you reports and product updates via email
We do not sell, rent, or share your activity data with any third party. We do not use your data to train general AI models.
Third-party services
- Google Firebase — data storage and cloud functions (Google Cloud, US)
- Anthropic Claude API — AI analysis of compressed, anonymized activity summaries
- Stripe — payment processing (Stripe does not receive activity data)
Your rights
You have the right to access, correct, or delete your data at any time. To exercise these rights:
- Email privacy@workflowspy.com with your request
- We will respond within 30 days
- Data deletion requests are fulfilled within 30 days
Contact
Questions about this policy? Email privacy@workflowspy.com.