Privacy Policy
ScriptPilot ("ScriptPilot", "we", "us", or "our") provides an AI assistant for the Google Apps Script editor, delivered as a Chrome extension and web application backed by our hosted service. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have. By using ScriptPilot you agree to the practices described here.
1. Information we collect
Account & identity
When you sign in with Google, we receive your basic profile information through Google OAuth: your email address, name, and Google account identifier. We use this to create and secure your ScriptPilot account.
Google Apps Script content
With your authorization, ScriptPilot reads the source code, files, and manifest of the Apps Script projects you choose to work on, and — when you explicitly apply a proposed change — writes updated content back to those projects. We create encrypted snapshots of project source so you can review and roll back AI-proposed edits.
Conversations & AI requests
We store the chat threads, your prompts, AI responses, and proposed change sets associated with each project, plus telemetry about each AI request (the model used, token counts, and request status) for billing reconciliation and service reliability.
Billing
Paid subscriptions are processed by Stripe. We store your Stripe customer and subscription identifiers and your subscription status. We do not store your full card number or card details — those are handled directly by Stripe.
Your LLM API key (optional)
If you provide your own LLM provider API key, we store it encrypted at rest and retain only a short non-secret hint (the last few characters) to help you identify it. See Security.
Feedback
If you submit feedback, we store your message, the category you selected, and any optional context you choose to include.
2. Google user data & Limited Use
ScriptPilot requests the following Google OAuth scopes:
| Scope | Why we request it |
|---|---|
| openid, email, profile | Sign you in and identify your account. |
| .../auth/script.projects | Read the Apps Script projects you select so the AI can analyze them, and write changes back when you explicitly apply a proposed edit. |
3. How we use information
- To provide the core service: analyzing your Apps Script projects and proposing/applying edits you approve.
- To maintain conversation history, snapshots, and rollback capability.
- To authenticate you and keep your account and stored secrets secure.
- To meter usage and administer billing.
- To operate, debug, and improve reliability of the service.
- To respond to your support requests and feedback.
We do not sell your personal information or your Apps Script content, and we do not use it for advertising.
4. Third-party services we share data with
To deliver ScriptPilot we share the minimum necessary data with the following processors:
| Provider | Purpose | Data shared |
|---|---|---|
| Google | Sign-in and Apps Script API access | OAuth tokens; the Apps Script projects you act on |
| LLM gateway & model providers (by default OpenRouter, routing to Anthropic, OpenAI, and Google model APIs) | Generating AI analysis and proposed edits | The Apps Script source code, manifest, and your prompts for the project you are working on are transmitted to the selected model provider to produce a response |
| Stripe | Subscription billing | Billing identifiers and payment details you enter into Stripe |
5. Security
Sensitive secrets — your Google refresh/access tokens, your optional LLM API key, and your Apps Script source snapshots — are encrypted at rest using AES-256-GCM with per-record keys derived from a master key via HKDF. Session tokens are stored only as hashes. Access to production systems is restricted. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard practices.
6. Data retention & deletion
We retain your account data and project-related data for as long as your account is active. You can delete your account at any time from the application; doing so permanently removes your associated records — conversations, snapshots, proposed change sets, stored keys, and feedback — and we make a best-effort attempt to revoke your Google refresh token. You may also disconnect ScriptPilot from your Google Account at any time via Google Account permissions. To request deletion or ask a data question, email dev@smallbusinessessupport.services.
7. Your rights
Depending on where you live (e.g. under GDPR or CCPA/CPRA), you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, contact us at dev@smallbusinessessupport.services. We will not discriminate against you for exercising them.
8. International users
ScriptPilot is operated from the State of Georgia, United States, and our processors may store and process data in the United States and other countries. By using the service you consent to the transfer of your information to countries that may have different data-protection rules than your own.
9. Children
ScriptPilot is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect their personal information.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you. Continued use of the service after an update constitutes acceptance of the revised policy.
11. Contact
Questions about this policy or your data? Email dev@smallbusinessessupport.services.