Legal
Privacy Policy
Last updated: July 16, 2026
This Privacy Policy describes how guidedby ("guidedby", "we", "us", or "our") collects, uses, and protects your information when you use the guidedby desktop application, the website at guidedby.ai, and related services (collectively, the "Service").
guidedby is currently operated by an individual based in San Francisco, California, doing business under the name "guidedby." We are not yet incorporated as a separate legal entity. References to "guidedby," "we," "us," or "our" refer to that operation. We will update this Policy when our legal structure changes.
Geographic scope. The Service is currently offered only to residents of the United States. We do not target the Service to residents of the European Economic Area, the United Kingdom, or Switzerland, and we are not currently equipped to provide the rights and protections afforded by the GDPR, UK GDPR, or Swiss FADP. If you are located in one of these regions, please do not use the Service. We will update this Policy when we expand availability.
1. The short version
guidedby is a workflow coaching service. To coach you, we record information about how you use your computer — which apps you switch between, window titles, brief clipboard content, the on-screen text of the app you're focused on (read through the accessibility layer), the URL of your active browser tab, the text you type, and patterns of clicking. This data is captured locally, encrypted on your machine, scrubbed for credentials and a narrow set of high-risk identifiers before upload, stored in row-level-secured databases, and analyzed to produce coaching recommendations. We never sell your data, never use it to train AI models, and never share it except as required by law.
2. Information we collect
The Service collects four buckets of data.
2.1 Account information
When you create an account or join the waitlist, we collect your email address, an optional note you provide, and basic timezone information. If you sign in with Google, we receive your email address and the unique identifier issued by Google.
2.2 Workflow capture data
The desktop application captures the following events while it is running and not paused:
- The name of the active application and the window title.
- For supported applications, the on-screen text of the foreground window, read through the accessibility layer: the visible content you're working with, such as the message you're drafting, the document or code you're reading, or your search terms. This is how the coach recognizes what kind of work you're doing. It's read from the app's accessibility data, not captured as a screenshot.
- Short clipboard content (when you copy or paste), used to identify tools and content that flow between apps.
- The text you type, reconstructed as readable text, along with typing volume and pace. Typing in password fields is not captured: macOS blocks password-field keystrokes at the operating-system level, and on Windows we skip fields the system marks as password fields.
- Clicks, recorded as the control you interacted with (its label and role), never as screen coordinates.
- Idle / active state, derived from input activity.
- For browsers, the URL of the active tab — with sensitive query parameters stripped before storage.
2.3 Service operation data
Standard product telemetry: device identifiers we issue, successful and failed upload counts, software version, error traces (with personal information scrubbed), and product-usage analytics. Our analytics measure how people move through the website and product — page views, sign-ups, downloads, and which features get used — as counts and events, never the workflow content the coach captures. See Section 2.5 for how we ask your permission before setting analytics cookies, and how to change your mind.
We also record session replays of our own product interface: the dashboard and coaching screens you use on the website, so we can see where the product confuses people or breaks. A replay captures how you move through our pages, but every text input is masked and any screen that would display your captured workflow content is blanked out, so a replay never reveals what you typed or the private data the coach saw. Replay stays off until you turn analytics on (Section 2.5), and we never record the desktop app this way.
2.4 Cookies and similar technologies
The website uses a small number of cookies and equivalent local-storage entries:
- Strictly necessary — authentication session cookies set by Supabase Auth so you stay signed in, and a short-lived invite-code cookie used during sign-in.
- Analytics — PostHog cookies that record page views and product-usage events (which features you use, where you are in sign-up), so we can see how the product is working. They do not record captured workflow data. We ask before setting these — see Section 2.5.
You can clear or block cookies through your browser settings; if you block strictly necessary cookies, you will not be able to sign in.
2.5 Your analytics choice
When you first visit the website, a banner tells you we use PostHog for product analytics and lets you choose. Your choice sets whether we place analytics cookies and record product-usage events and session replays (Section 2.3). Strictly necessary cookies are unaffected — those are always on so you can sign in.
How the choice works depends on where you are, which we infer from your IP address at the network level:
- In the United States, analytics are on by default and the banner lets you decline.
- Everywhere else — and whenever we can't tell where you are — analytics stay off until you turn them on from the banner.
Your choice is remembered on your device. To change it later, clear the site's cookies and local storage to bring the banner back, or email us at support@guidedby.ai and we'll opt you out.
3. What we don't collect
- No screenshots, screen recordings, audio, video, or camera input.
- No typing from password fields — macOS blocks those keystrokes at the operating-system level, and on Windows we skip fields the system marks as password fields.
- No content from applications you've added to your excluded apps list — capture is dropped at the source, on your device. We keep only the names of the apps we skipped, so you can see the exclusion working.
- No data while you have capture paused from the menu-bar tray.
4. How information is stored and retained
Captured events are written to a local SQLCipher-encrypted database on your machine, with the encryption key stored in your operating system's secure credential store (Keychain on macOS, Credential Manager on Windows). Events are uploaded over HTTPS to our ingest API in batches.
Before events leave your machine, the app strips a narrow set of high-risk strings — passwords, API keys, JSON Web Tokens, US Social Security Numbers, and credit-card numbers that pass a Luhn checksum — and the same scrub runs a second time on our servers before storage. Other content, including names, window titles, URLs, and search queries, is intentionally preserved, because the coach has to see what you were doing to be useful. Events are then written to Supabase-hosted Postgres (a managed Postgres service running on AWS infrastructure). All tables are protected with Row-Level Security so that only your authenticated session and our analysis pipeline can read your rows. Data is encrypted at rest and in transit.
Retention.We keep your raw captured workflow events for up to 180 days and then automatically delete them, so recent activity drives your coaching without building an indefinite archive. The coaching we derive from it — recommendations, daily summaries, and your profile — persists for the life of your account so you can reference it. Account information is retained until you delete your account. Operational logs and analytics are retained per the relevant sub-processor's defaults (typically 30–90 days). You can delete your data at any time (Section 8).
After deletion. When you delete your account, we hard-delete your captured events, recommendations, and profile data from our active databases. Backup copies and point-in-time recovery snapshots roll off within 30 days. Data the desktop app has stored locally on your machine stays there until you uninstall the app or delete its data folder. Some limited data may be retained longer where required by law. Anonymized aggregates do not identify you and may be kept indefinitely for product analytics.
5. How we use information
We use the data we collect to:
- Generate your daily timeline and coaching recommendations.
- Send your daily coaching email and product communications.
- Operate, secure, and improve the Service (including diagnosing errors and rate-limiting abuse).
- Comply with legal obligations.
We do notsell your data, share it with advertisers, or use it to train AI models — our own or anyone else's. Data sent to the AI model that writes your coaching is used to generate the response in real time and nothing more: under the zero-data-retention terms we require, the model provider keeps no copy of it and does not use it to train their models (see Section 6).
6. Sub-processors and third parties
We use a small number of sub-processors to operate the Service. Each is bound by their own privacy commitments and data processing terms. All operate primarily in the United States.
- Supabase — managed Postgres, authentication, file storage. Hosts your account and capture data.
- Modal — sandboxed serverless compute that runs the analysis pipeline.
- OpenRouter and Vercel AI Gateway — the two gateways that route your scrubbed timeline data to the AI model that writes your coaching. Every request runs under a zero-data-retention agreement: the gateway and the inference host process your data to generate the response and keep no copyof it afterward. We send data only to zero-retention endpoints — if one isn't available, the request fails rather than falling back to a provider that would retain it.
- Inference hosts (currently DeepInfra, AtlasCloud, and SiliconFlow) — run the open-weights DeepSeek model that generates your recommendations. All three are Western-hosted and run under the same zero-retention terms. We block DeepSeek's own first-party service, and any China-hosted provider, from ever receiving your data, so the model only ever runs on infrastructure we've vetted — never the model author's own servers.
- Vercel — hosts the web application and serverless API routes.
- Resend — sends your daily coaching emails and waitlist communications.
- Sentry — error monitoring, with PII scrubbing applied to every event.
- PostHog — product analytics (page views, usage events, and masked session replay of our own product interface, see Section 2.3). No captured workflow data is sent here.
- Apple & Microsoft — code signing and notarization of the desktop app.
7. Security
We protect your data with multiple layers: SQLCipher encryption on the local database, Apple Developer ID code-signing and Hardened Runtime on the desktop app, transport encryption (TLS), scrubbing of credentials and a narrow set of high-risk identifiers on your device before upload (and again at ingest), encryption at rest in Supabase, and Row-Level Security on every table. We sign and notarize every desktop release with Apple and Microsoft so that the OS can verify the binary's integrity.
No system is perfectly secure. If we discover a breach affecting your data, we will notify affected users without undue delay and as required by applicable law.
8. Your rights
You can exercise the following at any time:
- Access — see what we have. Your dashboard shows your timeline and the recommendations we have generated for you. We do not currently offer a self-serve data export.
- Correct — update your account information from Settings.
- Delete — delete your account from Settings and we hard-delete your captured events, recommendations, and profile data, with backup tails purged within 30 days.
- Restrict — exclude specific applications, or pause capture entirely, at any time.
- Object — decline analytics from the cookie banner (Section 2.5), or opt out of analytics or marketing emails by emailing us.
Depending on where you live in the United States, you may have additional rights under state privacy laws (such as the CCPA in California — see Section 9). To exercise any right, contact us at support@guidedby.ai.
9. California privacy disclosure
This section applies to California residents and supplements the rest of this Policy. Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, you have the rights to know, delete, correct, and limit certain processing of your personal information.
Categories of personal information we collect
- Identifiers — email address, account ID, device identifier, IP address.
- Internet or other electronic network activity — captured workflow events (active application, window titles, accessibility-tree text, typed text, browser URLs with sensitive query parameters stripped, clipboard snippets, idle/active state) and product telemetry.
- Inferences — coaching recommendations and user-profile observations derived from the above.
- Commercial information — none collected at this time (the Service is free during beta).
Sources, purposes, and recipients
We collect this information directly from you (account fields) and from the desktop application running on your device (workflow capture, telemetry). We use it to operate the Service described in Section 5. We disclose it to the sub-processors listed in Section 6 for the purpose of operating the Service.
Sale and sharing
We do not sell or share your personal information as those terms are defined under the CCPA, and we have not done so in the preceding 12 months. We do not knowingly sell or share personal information of anyone under 16.
Direct-marketing disclosure
We do not share your personal information with third parties for their direct marketing purposes (Cal. Civ. Code §1798.83).
Exercising your CCPA rights
To make a verifiable consumer request, email support@guidedby.ai from the address on your account. We will respond within 45 days. We do not discriminate against users for exercising their CCPA rights.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect data from children. If you believe a child has given us data, contact us and we will delete it.
11. International users and transfers
We are based in the United States and offer the Service only to residents of the United States. Our sub-processors operate primarily in the U.S. but may host or process limited operational data (such as logs) in other jurisdictions. By using the Service, you acknowledge that your information will be processed in the United States.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email or in-product notice. The effective date at the top reflects the latest revision.
13. Contact us
Questions, concerns, or rights requests: support@guidedby.ai.