Privacy Policy
This policy explains what information Gigdesk collects, how we use and protect it, and the specific commitments we make about Google account data when you connect a Gmail inbox to your AI secretary.
1.Who we are
Gigdesk (the "Service") is operated by Gigdesk, Inc., a Delaware corporation ("Gigdesk", "we", "us", or "our"). Gigdesk is an operating system for freelancers: workspaces, task queues, portfolios, AI agents, and an optional AI secretary that helps you manage your own email inbox. For our registered address and how to reach us, see our Company & contact page.
For the purposes of applicable data-protection law (including the EU/UK GDPR), Gigdesk is the data controller of the personal data described here, except where we act as a processor on behalf of a client who invites you to a workspace.
2.Scope of this policy
This policy covers the Gigdesk website (gigdesk.cc), the Gigdesk web application, and our APIs. It does not cover third-party services you connect to or reach through Gigdesk, which have their own privacy policies — including Google (Gmail), Dollar Platoon (the gig marketplace and on-chain payouts that power task queues), and any AI model provider whose API key you supply. Links to another site or service are not endorsements, and we are not responsible for their practices.
3.Data we collect
Account data
When you join Gigdesk we collect your email address and a display name (defaulted from your email, editable by you). If you set a password we store it only as a salted hash. Login can be passwordless: we email you a one-time code that expires in 10 minutes and is discarded once used.
Workspace & usage data
Content you create or import — workspaces, project briefs, bookmarks, AI-agent prompts, portfolios, notifications and their tags, invite codes, and connection metadata. If you connect an AI model provider, the API key you enter is stored so your agents can call that provider on your behalf.
Email gateway data
If you connect an email inbox (see Google user data), we process the messages that flow through the gateway so the secretary can read and respond to them, and we keep a limited operational record of gateway activity. Details and retention are in the Data retention section.
Technical data
Standard server logs from our infrastructure provider (IP address, timestamps, request paths, user agent) used to operate and secure the Service. Gigdesk does not run third-party advertising or cross-site tracking cookies; we use only the cookies/local storage strictly necessary to keep you signed in.
4.Google user data & Gmail
The Gigdesk secretary is an optional feature. If you choose to connect a Gmail account, Google shows you a consent screen listing the exact permissions requested. With your authorization, Gigdesk can, on your behalf:
- Read messages and their metadata in the connected inbox, so the secretary can triage and understand what needs a reply.
- Compose and send replies and messages that you or your secretary prepare — as your own individual correspondence.
- Manage labels, drafts, and read/unread state to keep the inbox organized.
We access only the Google data needed to provide the features you turn on. Authorization is granted via Google OAuth and can be revoked at any time (see Revoking access). Within Gigdesk, access to a connected inbox is brokered by revocable gateway tokens, so you can cut off any single integration without disconnecting the whole account.
5.Google Limited Use commitment
Gigdesk's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, in relation to data obtained through Google APIs (including Gmail), Gigdesk does not:
- use it for serving advertisements, or transfer it to data brokers or for any advertising purpose;
- sell it, or share or transfer it except to provide or improve the user-facing features you requested, for security or legal compliance, or as part of a merger/acquisition with notice to you;
- use it to train, fine-tune, or develop generalized or non-personalized AI/ML models; and
- allow humans to read it, except where you give explicit consent for specific messages, where it is necessary for security or to comply with the law, or where the data has been aggregated and anonymized for internal operations.
Any AI processing of your Gmail data is performed solely to deliver the secretary features to you, on your inbox, at your direction.
6.How we use data
- To provide, maintain, and secure the Service and your account.
- To operate the features you enable — workspaces, agents, portfolios, notifications, and the email secretary.
- To communicate with you about your account, security, and service changes (transactional email).
- To detect, prevent, and investigate fraud, abuse, and violations of our Terms of Use.
- To comply with legal obligations and enforce our agreements.
7.Legal bases (EU/UK)
Where GDPR applies, we rely on: performance of a contract (to give you the Service you signed up for); consent (for connecting a Gmail inbox and any optional integrations — you may withdraw it at any time); legitimate interests (to secure and improve the Service, balanced against your rights); and legal obligation (to comply with applicable law).
9.Sub-processors
We rely on a small set of infrastructure and service providers:
- Amazon Web Services (AWS) — cloud hosting, storage, and databases (our primary infrastructure).
- Google LLC — Gmail API, only for inboxes you explicitly connect.
- Resend — delivery of transactional email such as your login codes.
- Dollar Platoon — the gig marketplace and on-chain (USDC) payout rails behind task queues.
- AI model providers you choose — reached with the API key you supply, to power your agents and secretary.
10.Data retention
We keep personal data only as long as needed for the purposes above, then delete or anonymize it. Concretely:
| Data | Retention |
|---|---|
| Account & workspace records (profile, workspaces, projects, bookmarks, agents, notifications) | Kept for the life of your account; deleted on account deletion or verified request. |
| One-time login codes | Expire after 10 minutes and are deleted immediately on use. |
| Portfolio / editor image uploads | Automatically expire 180 days after upload. |
| Email gateway metadata (sender, recipient, subject, timestamps for filtering) | Automatically expires after 90 days. |
| Email & webhook gateway event records (operational activity log) | Automatically expires after 365 days. |
| Full captured message envelopes (retained for security, abuse-prevention, and support) | Automatically expires after 365 days. |
If you disconnect a Gmail account, we stop accessing it immediately. We may retain limited records beyond the windows above only where required to comply with law, resolve disputes, or enforce our agreements.
11.Security
Data is encrypted in transit (TLS) and at rest. Storage buckets and databases are encrypted with managed keys, private message captures are not publicly accessible, passwords are stored only as salted hashes, and API and gateway access is scoped to revocable tokens. No system is perfectly secure, but we work to protect your data with industry-standard safeguards and least-privilege access.
12.Your rights & choices
Depending on where you live, you may have rights to access, correct, export, restrict, or delete your personal data, to object to certain processing, and to withdraw consent. California residents have rights under the CCPA/CPRA, including the right to know and delete, and to not be discriminated against for exercising them — and note that Gigdesk does not sell or "share" personal information as those terms are defined. To exercise any right, contact us using the details in Contact us; we may need to verify your identity first.
13.Revoking access & deleting data
- Revoke Gmail access at any time from your Google Account under Security → Third-party access, or by disconnecting the inbox inside Gigdesk.
- Revoke a gateway or notification token inside Gigdesk to cut off a single integration without disconnecting your whole account.
- Delete your account and data by contacting us; we will delete your personal data except where retention is legally required.
14.International transfers
Gigdesk is operated from the United States and our infrastructure is hosted there. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
15.Children
Gigdesk is not directed to children and is intended for users aged 18 and older. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
16.Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after an update means you accept the revised policy.
17.Contact us
Questions or requests about this policy or your data? Email privacy@gigdesk.cc, or write to us at the address on our Company & contact page. Highlighted fields such as Gigdesk, Inc. are placeholders pending completion of our corporate registration details.