Sever
Start trial
MenuClose

Legal

Privacy policy

Last updated June 5, 2026. Effective June 5, 2026.

The short version: Sever collects only what is necessary to run offboarding verification. We do not sell your data, use it to train AI models, or share it with advertisers. Your organization's directory data is never used outside its stated purpose.

Privacy boundary

Data moves through a narrow offboarding workflow.

Auth

Google admin identity

Used to authenticate, verify eligibility, and scope the active workspace.

Records

Org-scoped review data

Directory-backed offboarding records stay tenant-scoped behind RLS.

Storage

Private report artifacts

Generated PDFs stay in private Supabase Storage and stream through authorization.

1. Who we are

Sever provides Google Workspace offboarding verification, app-access review, and audit evidence reporting for IT, security, and compliance teams. This Privacy Policy explains how we collect, use, store, share, and protect information obtained through your use of the Service.

2. Data we collect

  • Google account identity, including basic profile and email address, used to authenticate your session, match your workspace domain, and verify administrator eligibility.
  • Google Workspace directory data needed to populate your offboarding dashboard, including suspended, archived, deleted, and other offboarded user records.
  • Limited employee metadata needed for reviews and reports, such as name, work email, department, manager, location, org unit path, employment/offboarding status, and relevant Google identifiers.
  • Access status records, reviewer attribution, and timestamps created during review.
  • Audit report metadata and generated evidence artifacts needed to preview, export, retain, and verify reports.
  • Billing, subscription, plan, invoice, and checkout status data. Payment card data is handled by Stripe, not stored by Sever.
  • Support, sales, privacy, and account-help messages you send to us.
  • Standard diagnostic logs used for reliability and security monitoring.

3. Data we do not use

  • We do not sell, rent, or trade your data.
  • We do not use your data to train, fine-tune, or evaluate AI models.
  • We do not request Gmail, Calendar, Drive, or other personal Google scopes.
  • We do not use advertising cookies or third-party marketing trackers.
  • We do not persist employee data or report artifacts in localStorage or sessionStorage.

4. How we use your data

  • To authenticate your identity and verify Google Workspace administrator eligibility.
  • To populate and operate your organization's offboarding dashboard.
  • To track access status during live reviews and generate reports.
  • To help administrators identify app access tied to offboarded users so teams can recover licenses during termination workflows instead of waiting for later SaaS audits.
  • To enforce org-level access boundaries and maintain subscription status.
  • To provide support, process billing changes, investigate service issues, and monitor security.

5. Google OAuth and API access

Sever uses Google OAuth 2.0 for authentication and requests Google identity, Google Admin directory user, and Google user security-session scopes needed for offboarding verification. We do not request Gmail, Calendar, Drive content, or other personal Google service scopes.

Offline access tokens are used solely to maintain authorized directory sync and permitted deprovisioning actions. Tokens are stored server-side and are not exposed to browser storage.

6. Cookies and security tokens

We use essential cookies needed for Supabase authentication sessions, OAuth flow verification, CSRF protection, and security controls. We do not use advertising cookies or behavioral tracking technologies.

7. Storage and security

Your data is stored in a multi-tenant database with row-level security enforced at the database layer. Data is encrypted in transit, and our infrastructure providers encrypt stored data as part of their managed services.

Generated report PDFs are stored in private Supabase Storage and streamed through server-side authorization. Sever does not expose public report object URLs.

Access to production data is restricted to authorized personnel on a strict need-to-know basis. Sensitive support and diagnostic workflows use minimized summaries where practical.

8. Sharing and sub-processors

Sever shares data only as needed to operate the Service, process billing, provide support, comply with law, or protect the Service and our users. We do not share customer data with advertisers or data brokers.

Sever relies on providers including Supabase, Google Workspace APIs, Vercel, Stripe, Upstash, and Sentry to deliver, secure, bill, host, rate-limit, and monitor the Service. Each provider is subject to its own privacy and security obligations.

9. Retention, export, and deletion

We retain your organization's data while your account is active and for a limited period afterward where necessary for legal, billing, backup, and security purposes.

Evidence retention depends on your plan and account status. Organization owners may request organization export or deletion from account settings. Deletion may be subject to a grace period and to retention needed for legal, billing, security, backup, and audit-evidence purposes.

10. Your choices

You may contact us to request access, correction, deletion, export, or restriction of personal information where applicable. Some requests must be handled by your organization's authorized administrator because Sever processes organization data on behalf of the customer.

11. Contact

If you have privacy questions, contact contact@usesever.com.