Privacy Policy

Last updated: June 24, 2026

ScriptPilot ("ScriptPilot", "we", "us", or "our") provides an AI assistant for the Google Apps Script editor, delivered as a Chrome extension and web application backed by our hosted service. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have. By using ScriptPilot you agree to the practices described here.

Operated by ScriptPilot, 1270 Caroline St NE, Ste D120-533, Atlanta, GA 30307, United States. Contact: dev@smallbusinessessupport.services.

1. Information we collect

Account & identity

When you sign in with Google, we receive your basic profile information through Google OAuth: your email address, name, and Google account identifier. We use this to create and secure your ScriptPilot account.

Google Apps Script content

With your authorization, ScriptPilot reads the source code, files, and manifest of the Apps Script projects you choose to work on, and — when you explicitly apply a proposed change — writes updated content back to those projects. We create encrypted snapshots of project source so you can review and roll back AI-proposed edits.

Conversations & AI requests

We store the chat threads, your prompts, AI responses, and proposed change sets associated with each project, plus telemetry about each AI request (the model used, token counts, and request status) for billing reconciliation and service reliability.

Billing

Paid subscriptions are processed by Stripe. We store your Stripe customer and subscription identifiers and your subscription status. We do not store your full card number or card details — those are handled directly by Stripe.

Your LLM API key (optional)

If you provide your own LLM provider API key, we store it encrypted at rest and retain only a short non-secret hint (the last few characters) to help you identify it. See Security.

Feedback

If you submit feedback, we store your message, the category you selected, and any optional context you choose to include.

2. Google user data & Limited Use

ScriptPilot requests the following Google OAuth scopes:

| Scope | Why we request it |
| --- | --- |
| openid, email, profile | Sign you in and identify your account. |
| .../auth/script.projects | Read the Apps Script projects you select so the AI can analyze them, and write changes back when you explicitly apply a proposed edit. |

Limited Use disclosure. ScriptPilot's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We access your Apps Script content only to provide and improve the user-facing features of ScriptPilot, and only at your direction. We do not use Google user data for advertising, and we do not sell it. We do not allow humans to read your Apps Script content except (a) with your explicit consent (e.g. to resolve a support issue you report), (b) where required by law, or (c) as necessary for security (such as investigating abuse).

3. How we use information

We do not sell your personal information or your Apps Script content, and we do not use it for advertising.

4. Third-party services we share data with

To deliver ScriptPilot we share the minimum necessary data with the following processors:

| Provider | Purpose | Data shared |
| --- | --- | --- |
| Google | Sign-in and Apps Script API access | OAuth tokens; the Apps Script projects you act on |
| LLM gateway & model providers (by default OpenRouter, routing to Anthropic, OpenAI, and Google model APIs) | Generating AI analysis and proposed edits | The Apps Script source code, manifest, and your prompts for the project you are working on are transmitted to the selected model provider to produce a response |
| Stripe | Subscription billing | Billing identifiers and payment details you enter into Stripe |

Important — your code is sent to AI providers. To answer your questions and propose edits, ScriptPilot transmits the relevant Apps Script source code and your prompts to a third-party large language model provider. We send only the project content needed for your request. These providers process the data under their own terms and privacy policies; please review them: OpenRouter, Anthropic, OpenAI, Google.

5. Security

Sensitive secrets — your Google refresh/access tokens, your optional LLM API key, and your Apps Script source snapshots — are encrypted at rest using AES-256-GCM with per-record keys derived from a master key via HKDF. Session tokens are stored only as hashes. Access to production systems is restricted. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard practices.

6. Data retention & deletion

We retain your account data and project-related data for as long as your account is active. You can delete your account at any time from the application; doing so permanently removes your associated records — conversations, snapshots, proposed change sets, stored keys, and feedback — and we make a best-effort attempt to revoke your Google refresh token. You may also disconnect ScriptPilot from your Google Account at any time via Google Account permissions. To request deletion or ask a data question, email dev@smallbusinessessupport.services.

7. Your rights

Depending on where you live (e.g. under GDPR or CCPA/CPRA), you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, contact us at dev@smallbusinessessupport.services. We will not discriminate against you for exercising them.

8. International users

ScriptPilot is operated from the State of Georgia, United States, and our processors may store and process data in the United States and other countries. By using the service you consent to the transfer of your information to countries that may have different data-protection rules than your own.

9. Children

ScriptPilot is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect their personal information.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you. Continued use of the service after an update constitutes acceptance of the revised policy.

11. Contact

Questions about this policy or your data? Email dev@smallbusinessessupport.services.