1. Introduction
Serret ("we," "us," or "our") operates ChartPull, a software-as-a-service application that generates interactive organisational chart visualisations from Google Workspace directory data. ChartPull is available at chartpull.com and through the Google Workspace Marketplace.
This Privacy Policy explains how we collect, use, store, and protect information when you use ChartPull. By accessing or using our service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should not use ChartPull.
We are committed to protecting your privacy and handling your data with transparency. This policy applies to all users of ChartPull, including Google Workspace administrators who install the application and end users within their organisations who access the org chart.
2. Information We Collect
We collect and process the minimum amount of data necessary to provide ChartPull. The categories of information we collect are as follows:
2.1 Google Workspace Directory Data
When your Google Workspace administrator installs ChartPull and grants the required API scopes, we access the following user directory information in read-only mode through the Google Admin SDK Directory API:
- Full names (given name, family name)
- Email addresses (primary and aliases)
- Job titles
- Department names
- Office locations
- Manager relationships (reporting structure)
- Profile photos (as provided in Google Workspace)
- Organisational unit paths
This data is accessed using the following Google API OAuth scope:
https://www.googleapis.com/auth/admin.directory.user.readonly — Read-only access to user directory data (including organisational unit paths)
We do not request or access any other Google Workspace data such as emails, calendar events, documents, or files.
2.2 Account Data
When you sign in to ChartPull using Google OAuth, we collect:
- Your email address
- Your name (as provided by Google)
- OAuth access and refresh tokens (used to authenticate API requests on your behalf)
2.3 Tenant Data
When an organisation subscribes to ChartPull, we store the following tenant-level information:
- Organisation name
- Google Workspace domain
- Branding preferences (logo, colours, custom domain settings)
- Subscription plan and billing status
- Administrator contact information
2.4 Usage Data
We collect basic analytics data to improve our service, including:
- Page views and navigation patterns
- Feature usage (e.g., which chart views are used, search frequency)
- Device type and browser information
- Error logs for troubleshooting
We do not use third-party tracking pixels or advertising cookies. Usage data is aggregated and not linked to individual Google Workspace user directory profiles.
3. How We Use Information
We use the information we collect solely for the following purposes:
3.1 Rendering Org Chart Visualisations
Directory data retrieved from the Google Admin SDK is used to generate interactive organisational chart visualisations, including tree views, list views, and search functionality. This is the core purpose of ChartPull.
3.2 Performance Caching
Directory data is temporarily cached for up to 15 minutes to reduce the number of API calls to Google and to improve page load times. Cached data is automatically purged after the 15-minute time-to-live (TTL) expires. This cache is stored in an in-memory data store (Vercel KV / Redis) and is not written to permanent disk storage.
3.3 Authentication and Authorisation
Account data and OAuth tokens are used to authenticate users, verify they belong to a registered tenant, and authorise access to the appropriate organisational data. We use Google OAuth 2.0 and service accounts with domain-wide delegation as the authentication mechanism.
3.4 Tenant Management
Tenant data is used to manage organisation settings, apply custom branding, enforce subscription limits, and provide tenant-specific configurations.
3.5 Service Improvement
Aggregated, anonymised usage data helps us identify performance issues, understand which features are most valuable, and prioritise development efforts.
4. Data Storage and Security
4.1 Directory Data Caching
Google Workspace directory data is cached temporarily in Vercel KV (a managed Redis instance) with a strict 15-minute time-to-live. After this period, the cached data is automatically deleted. Directory data is never permanently stored in any database, file system, or backup system. Each time the cache expires, fresh data is retrieved directly from the Google Admin SDK.
4.2 Tenant Metadata Storage
Tenant metadata (organisation settings, branding, subscription details) is stored in a PostgreSQL database hosted by Neon in the US East (AWS us-east-1) region. The database connection is encrypted using TLS, and data at rest is encrypted using AES-256 encryption provided by the infrastructure layer.
4.3 OAuth Token Storage
OAuth access tokens and refresh tokens are stored server-side only. They are never exposed to client-side JavaScript, never stored in browser cookies or local storage, and never transmitted to any third party. Tokens are used exclusively for authenticating requests to the Google Admin SDK on behalf of the tenant.
4.4 Data in Transit
All data transmitted between your browser and ChartPull, between our servers and Google APIs, and between our application and our database is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and do not support unencrypted HTTP connections.
4.5 Infrastructure Security
ChartPull is hosted on Vercel's edge network, which provides enterprise-grade security including DDoS protection, automated SSL certificate management, and infrastructure monitoring. Our database is hosted on Neon, which provides automated backups, point-in-time recovery, and SOC 2 compliant infrastructure.
4.6 No Sale of Data
We do not sell, rent, lease, or trade any user data, directory data, or tenant data to third parties. We do not use your data for advertising purposes. Your data is used exclusively to provide the ChartPull service.
5. Third-Party Services
ChartPull relies on the following third-party services to operate. Each service has access only to the minimum data required for its specific function:
5.1 Google Cloud Platform
We use the Google Admin SDK Directory API to retrieve user directory data from your Google Workspace domain. Communication with Google APIs is encrypted via TLS and authenticated using OAuth 2.0 and service account credentials. Google's privacy policy is available at https://policies.google.com/privacy.
5.2 Vercel
Vercel provides our hosting infrastructure, edge network (CDN), and serverless compute. Vercel also provides Vercel KV (Redis) for our temporary directory data cache. Vercel processes HTTP requests and may have access to request metadata (IP addresses, headers) as part of their hosting service. Vercel's privacy policy is available at https://vercel.com/legal/privacy-policy.
5.3 Neon
Neon provides our managed PostgreSQL database service, used to store tenant metadata, subscription details, configuration, and optional employee snapshots (for the Historical Org Chart feature). For subscribers who opt into the Historical Org Chart feature, daily snapshots of directory data are stored in the employee_snapshots table with a 365-day retention policy and automatic deletion. All data is encrypted at rest via Neon's AES-256 encryption. Neon's privacy policy is available at https://neon.tech/privacy-policy.
5.4 Anthropic
For subscribers who purchase the AI add-on, aggregated organisational summaries (employee counts, department breakdowns, structural metrics, and health scores) are sent server-side to Anthropic's Claude API for analysis. Raw employee lists, email addresses, profile photos, and Google OAuth tokens are never sent to Anthropic. Anthropic's commercial API terms prohibit using API inputs for model training. No data is sent to Anthropic for users who do not have the AI add-on. Anthropic's privacy policy is available at https://www.anthropic.com/privacy.
5.5 Svix
For subscribers who configure webhooks (Integrations add-on), Svix delivers event payloads to customer-controlled HTTPS endpoints. Svix acts as a data processor and does not retain payload data beyond delivery. The customer controls which endpoints receive data and can revoke access at any time. Svix's privacy policy is available at https://www.svix.com/privacy.
5.6 Slack
For subscribers who install the ChartPull Slack bot (Integrations add-on), employee names, titles, and departments are returned in ephemeral Slack messages visible only to the requesting user. No data from Slack interactions is stored in ChartPull's database. Messages are retained in the customer's Slack workspace per Slack's own retention policies.
6. API Access
Customers with the Integrations & Customizations add-on may access organisational directory data through our REST API, MCP Server, webhooks, and the Slack bot using authenticated API keys or app-level tokens. All programmatic access is limited to the customer's own organisational data and is enforced through tenant-scoped authentication. Data served through the API is cached for up to 15 minutes and is subject to the same data protection measures described in this policy.
API keys are issued per tenant and can be revoked at any time by the tenant administrator. All API requests are rate-limited and logged for audit purposes. The MCP Server additionally strips personally identifiable information (photos and email addresses) from all responses before they reach AI clients. The API does not provide access to any data beyond what is visible in the ChartPull user interface.
Webhooks deliver event notifications (e.g., employee created, updated, departed) to HTTPS endpoints configured by the tenant administrator. Webhook payloads contain the same directory fields accessible in the ChartPull UI and are delivered via Svix (see Section 5.5).
7. Data Retention
We retain data for the minimum period necessary for its intended purpose:
- Directory data cache: 15 minutes. Directory data is automatically purged from the cache after the TTL expires. No backup or archival copies are made.
- Tenant settings and configuration: Retained for the duration of the active subscription. If a subscription lapses, data is retained for up to 30 days to allow for reactivation before being permanently deleted.
- Account data and OAuth tokens: Retained while the user's organisation maintains an active ChartPull subscription. Tokens are revoked and deleted upon account deletion or subscription cancellation.
- Audit logs: Retained for 90 days for security and troubleshooting purposes, then automatically deleted.
- Historical org chart snapshots (opt-in): For subscribers who opt into the Historical Org Chart feature, daily snapshots are retained for 365 days with automatic deletion. Snapshots are permanently deleted immediately upon subscription cancellation.
- Upon account deletion: When a tenant requests account deletion, all associated data — including tenant settings, user records, OAuth tokens, employee snapshots, and any cached data — is permanently removed from all systems within 30 days of the request. We will provide written confirmation of deletion upon request.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Right of Access
You have the right to request a copy of the personal data we hold about you. This includes your account information, tenant settings, and any data associated with your profile. To make an access request, please contact us at support@chartpull.com.
8.2 Right to Deletion
You have the right to request that we delete all personal data we hold about you and your organisation. Upon receiving a valid deletion request, we will remove all tenant data, account data, cached data, and audit logs within 30 days. Note that directory data sourced from Google Workspace is not permanently stored by ChartPull and is automatically purged from the cache within 15 minutes.
8.3 Right to Data Export
You have the right to request an export of your data in a machine-readable format. Exportable data includes tenant settings and account information. Directory data can be exported directly from your Google Workspace Admin Console, as ChartPull does not permanently store this data.
8.4 Right to Revoke Access
At any time, your Google Workspace administrator can revoke ChartPull's access to your organisation's directory data by:
- Removing ChartPull from the Google Workspace Marketplace in the Google Admin Console
- Revoking domain-wide delegation permissions for the ChartPull service account
- Disabling the application in Security > API Controls > App Access Control
Once access is revoked, ChartPull will no longer be able to retrieve directory data. Any cached data will be automatically purged within 15 minutes.
8.5 GDPR Rights for EU Users
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including:
- Right to rectification: You may request that we correct any inaccurate personal data. Note that directory data is sourced from Google Workspace and should be corrected at the source by your domain administrator.
- Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object: You may object to the processing of your personal data for certain purposes.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.
Our legal basis for processing personal data under GDPR is the performance of a contract (the provision of the ChartPull service) and legitimate interests (improving and securing the service). To exercise any of these rights, please contact us at support@chartpull.com. We will respond to your request within 30 days.
9. Australian Privacy Act
ChartPull is operated by Jamie Karl Serret trading as Serret, an Australian sole trader. We are committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.
9.1 Australian Privacy Principles Compliance
The following APPs are particularly relevant to our processing of your data:
- APP 1 — Open and transparent management: This Privacy Policy constitutes our commitment to open and transparent management of personal information.
- APP 3 — Collection of solicited personal information: We only collect the personal information reasonably necessary for our functions — specifically, read-only access to Google Workspace directory data for the purpose of generating organisational charts.
- APP 5 — Notification of collection: We notify you of our data collection through this Privacy Policy, the Google OAuth consent screen, and in-app notices displayed when connecting your Google Workspace account.
- APP 6 — Use and disclosure: We use personal information only for the primary purpose for which it was collected (organisational chart visualisation and analysis) and directly related secondary purposes you would reasonably expect.
- APP 8 — Cross-border disclosure: Your data is processed on servers located in the United States, including Vercel (application hosting), Neon (PostgreSQL database, AWS us-east-1), and other sub-processors listed at chartpull.com/subprocessors. We take reasonable steps to ensure these recipients comply with obligations substantially similar to the APPs.
- APP 11 — Security: We implement appropriate technical and organisational measures to protect personal information, including AES-256-GCM encryption, HTTPS/TLS, multi-tenant isolation, and comprehensive audit logging (see Section 4).
- APP 12 — Access: You may request access to the personal information we hold about you by contacting support@chartpull.com.
- APP 13 — Correction: You may request correction of personal information that is inaccurate, out-of-date, incomplete, or misleading. As directory data is sourced from Google Workspace, corrections should be made by your domain administrator in the Google Admin Console.
9.2 Notifiable Data Breaches (NDB) Scheme
ChartPull complies with the Notifiable Data Breaches scheme established under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach — where there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm — we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware of the breach
- Notify affected individuals as soon as practicable
- Include in our notification: the nature of the breach, the types of personal information involved, and recommended steps individuals should take in response
- Complete our assessment of any suspected eligible data breach within 30 days of becoming aware of the suspected breach
9.3 Complaints
If you believe we have breached an Australian Privacy Principle, you may lodge a complaint with us at privacy@chartpull.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
10. Google API Services User Data Policy Compliance
ChartPull's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, ChartPull:
- Only requests access to the data necessary to provide the org chart visualisation service. We use the narrowest possible API scope: admin.directory.user.readonly.
- Does not use Google Workspace data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- Does not allow humans to read user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymised.
- Does not transfer or sell Google user data to third parties except as necessary to provide or improve user-facing features that are prominent in the requesting application's user interface, to comply with applicable laws, or as part of a merger, acquisition, or sale of assets with notice to users.
- Provides a prominent link to this privacy policy in the application interface and in the Google Workspace Marketplace listing.
11. Children's Privacy
ChartPull is designed for use by organisations and businesses with Google Workspace accounts. Our service is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.
If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible. If you believe that a child under 13 has provided personal information to ChartPull, please contact us at support@chartpull.com so that we can take appropriate action.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered tenant administrators via email at least 14 days before material changes take effect.
- Display a prominent notice within the ChartPull application for at least 14 days following the change.
Your continued use of ChartPull after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the service and request account deletion.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Serret
Email: support@chartpull.com
Website: chartpull.com
For data protection enquiries (including GDPR and Australian Privacy Act requests), please include "Data Protection Request" in the subject line of your email. We aim to respond to all enquiries within 5 business days and to fulfil data rights requests within 30 days. You may also contact our privacy team directly at privacy@chartpull.com.