
Privacy Policy

Last updated: 19 February 2026

Spy Finance (also operating as Gary's Shed) is a private operational ledger for the individual operator and their authorised contractors. This policy describes what personal data the service stores, why, where, and how to remove it. Plain language. No dark patterns.

1. Who we are

Spy Finance / Gary's Shed ("the service") is operated by the individual account-holder for personal and professional record-keeping. There is no commercial operator and no third-party reseller. For the purposes of UK GDPR the account-holder is both data controller and primary data subject.

Where the service is granted access to data about other individuals (for example, contacts imported from LinkedIn or correspondents who exchange messages with the account-holder), the account-holder acts as data controller for that data.

2. What data we collect

We do not use cookies for tracking. We do not use third-party analytics. We do not run advertisements. The service is paid for: subscription fees are its revenue, not data resale.

  • Account information you provide directly — email address, display name, password (stored hashed, never in plain text).
  • Files you choose to share with the service via the Drive Watch flow — including their contents, metadata, and any structured data we extract during processing.
  • LinkedIn data you choose to import — your connections list, profile, messages, and other archive exports.
  • Device signals you choose to forward to the service via the intake API (e.g., presence sensors, IoT events).
  • Operational metadata generated by your use of the service — entry timestamps, hash chain references, billing tier, and usage counts.
  • Location postcode if you choose to set one for the Weather Power feature.

3. How we use your data

Your data is used solely to provide the features you have requested. We do not sell, share, or otherwise disclose your data to any third party, with two narrow exceptions:

  • Service providers acting on our instructions: Anthropic (Claude AI) and Google (Gemini AI) for content classification and summary generation; Stripe for payment processing; Mureka for audio generation. Each of these processors has its own privacy policy and processes data only as needed to deliver the specific feature you have invoked.
  • Where required by law (court order, statutory request from a UK regulator). We will resist any request that exceeds the scope of the order.

4. Google Drive access

If you connect a Google Drive folder via the Shredder feature, the service requests the `https://www.googleapis.com/auth/drive` scope. This grants read, move, and rename access scoped to your Google account. In practice the service only acts on the single folder you nominate; all reads and moves are limited to that folder and its sub-folders.

Your access tokens are stored encrypted at rest in our database. You can revoke access at any time either by disconnecting the integration from within the Shredder page, or directly via your Google Account permissions page at https://myaccount.google.com/permissions. Revocation takes immediate effect; we no longer issue any API calls on your behalf.

When you disconnect, we delete the stored access token and the watched-folder pin. By default we retain the ledger entries that were derived from your Drive files (the service operates an append-only canon for data integrity). You may request deletion of these entries — see "Your rights" below.

5. Sign-in with Google

If you choose to sign in via Google ("Sign in with Google" button), the service uses Emergent's managed Google OAuth bridge. Emergent acts as a sub-processor under our instructions to authenticate your Google identity; they do not retain a copy of your profile beyond the brief window required to deliver the session to us.

We request the minimum scopes Google requires for sign-in: your name, email address, and the URL of your Google profile picture. No posting, no calendar access, no contact list — sign-in only.

From your Google profile we receive and store: a stable Google user identifier, your name, your email address, and the URL of your Google profile picture. The picture URL is stored so the UI can display your avatar; we do not download or cache the image itself on our servers.

We do not receive or store your Google password. We do not retain Google access tokens once the sign-in is complete.

If your Google email matches an existing account, the two are silently merged and the Google identifier is linked to the existing record. If no matching account exists, a new account is created in the lowest-privilege tier; that account can only be signed into via Google (no password is set).

You may unlink Google from your account at any time by writing to the contact address below. Unlinking removes the stored Google identifier and disables Google sign-in for that account, but does not delete the account itself or any data filed under it.

6. LinkedIn data import

If you import a LinkedIn data export (via the LinkedIn-provided ZIP download), the service parses the archive locally and stores extracted contacts, messages, and profile data in your account. We do not connect to LinkedIn's API on your behalf and do not retain LinkedIn credentials.

7. Where your data is stored

Production data is stored in MongoDB Atlas, hosted in the European Union region. Backups are retained for 30 days. Application code and operational logs are hosted by Emergent on infrastructure compliant with UK and EU data protection standards.

We do not transfer your data outside the European Economic Area except where strictly necessary for a feature you have invoked (e.g., when you send a prompt to Anthropic's Claude API, that request reaches Anthropic's US infrastructure). All such transfers rely on the standard contractual clauses adopted by the relevant processor.

8. How long we keep your data

Ledger entries (your primary record) are retained for the lifetime of your account. The service operates an append-only hash-chained ledger; entries are not edited or deleted in normal operation. Where you request deletion of specific entries we will excise them and re-stamp the chain.

Access tokens for third-party integrations are deleted immediately upon disconnection.

Operational logs are retained for 90 days for security and debugging purposes, then purged automatically.

If you close your account, all personal data is purged within 30 days. Aggregated, anonymised usage statistics may be retained indefinitely for capacity planning.

9. Your rights

Under UK GDPR you have the right to: access your data, correct inaccurate data, delete your data, restrict processing, port your data to another service, and object to processing. To exercise any of these rights, write to the address below.

  • Access: a copy of all data held about you, in a machine-readable format, within 30 days.
  • Deletion: a full account closure or selective excision of specific records.
  • Portability: a JSON export of your ledger and contacts.
  • Withdrawal of consent: disconnect any third-party integration at any time without affecting the rest of your account.

10. Security

Passwords are hashed using bcrypt. Access tokens are stored encrypted at rest. All transport between your browser, the service, and integrated third parties is over TLS. The service operates an append-only hash-chained ledger, which provides cryptographic detection of any post-write tampering.

We carry no insurance against catastrophic data loss for personal users. We strongly recommend you export your ledger periodically via the in-app export function and retain a copy outside the service.

11. Children

The service is not intended for use by anyone under 18 years of age. We do not knowingly hold data about minors. If you believe we hold such data in error, contact us and we will delete it.

12. Changes to this policy

We will revise this policy from time to time. The version date at the top of this page is authoritative. Material changes will be announced in-app on next sign-in and (where you have provided one) by email.

13. Contact

For all privacy-related correspondence including subject access requests, deletions, and complaints:

Email: privacy@spyfinance.cloud

If you are not satisfied with our response you have the right to complain to the UK Information Commissioner's Office at https://ico.org.uk.
