Privacy Policy
Last updated May 19, 2026
Production OS is a multi-tenant SaaS for creative-agency content-production operations. This policy describes what we collect, why, how we store it, and your rights. We've written it to match what the product actually does rather than what a template generator would say.
Who this policy applies to
This policy covers anyone who interacts with productionos.staginglab.xyz — visitors to public pages, users who sign in with their Google Workspace account, and platform administrators.
What we collect
Identity (everyone who signs in)
- Your email address, name, and profile picture, obtained via Google's
openid,email, andprofilescopes when you sign in. - The Google account ID (a stable identifier from Google) used to match return visits to your existing user record.
- OAuth access and refresh tokens for the providers you connect, stored server-side and used only to fulfill requests you initiate.
Google Drive (only when you connect Drive)
When you click Connect Drive, we request the drive.file scope (Google's documentation). This scope is intentionally narrow: it gives Production OS access only to files our app creates plus files you explicitly select. We do not read your other Drive files. We use it for two things:
- Creating a folder tree under
/Production OS/Clients/<client>/<project>/with four subfolders (Source Files, Finals, Exports, Archive) so your team has a consistent place to store deliverables. - Uploading files you submit through the Production OS UI and listing files inside those folders for the Asset Library.
We store the Drive file IDs, file names, MIME types, and sizes of files we touch (so the Asset Library doesn't have to re-ask Google on every page load). The file contents themselves remain in your Google Workspace; we don't copy them to our servers.
Tenant data you enter
When tenant admins or team members use the app, the things you create — client records, projects, due dates, reviews, comments, activity — are stored in our database. This is the core function of the product.
Server and usage logs
We log standard HTTP request metadata (IP, user agent, timestamp, URL) for security and debugging. Logs are retained 30 days unless an incident is under investigation.
How we store data
- Data lives in a Postgres database hosted on infrastructure we control.
- Per-tenant Google OAuth client secrets, the platform-wide LLM API key, and other operator-set secrets are encrypted at rest using AES-256-GCM with a key derived from a private server-side secret. They are never written to logs and never sent to clients.
- All traffic to the app uses HTTPS with a Let's Encrypt certificate.
- We do not back up encrypted secrets — rotating the underlying key intentionally invalidates them so we can recover from a key compromise without leaking historical tokens.
Per-tenant isolation
Production OS is multi-tenant. Each tenant (an organization you've signed up under, identified by a slug like productionos.staginglab.xyz/<slug>) has their own isolated data. Application code attaches your tenantId to every query so users of one tenant cannot read or write data belonging to another.
Each tenant also brings their own Google Cloud OAuth client. When your team signs in, the access tokens are minted against your tenant's OAuth client — not a shared one. Drive permissions you grant flow to your own tenant's grant, not ours.
What we don't do
- We don't sell your data. Period. Production OS is a paid tool; that is our business model.
- We don't read Drive files outside the folders the app creates or that you explicitly hand us via a file picker.
- We don't use the data inside your projects to train any machine-learning model.
- We don't share your data with advertisers, analytics vendors that re-sell, or other third parties beyond the processors listed below.
Third-party processors
We use a small set of vendors that process data on our behalf. Each one only sees what it needs to do its job:
- Google — identity (sign-in) and Drive storage on your behalf. Governed by your own Google Workspace contract and Google's privacy policy.
- Stripe (when billing is enabled) — payment processing. We send Stripe billing-related identifiers; they don't see your project data.
- Let's Encrypt — TLS certificates for the app domain.
Your rights
- Access: tenant admins can see all data belonging to their tenant from inside the app.
- Export: we'll provide a database export of your tenant's data on written request to the address below. We aim to deliver within 10 business days.
- Deletion: we'll delete a tenant's data on written request. Drive files we created remain in your Google Workspace until you delete them there; we only control the Production OS database side.
- Revoke Drive access at any time in your Google Account permissions page at myaccount.google.com/permissions. Doing so won't delete Production OS records; it just means we can no longer read or write Drive on your behalf.
Data retention
Tenant data persists for as long as the tenant remains active. On account closure we delete tenant-scoped data within 30 days, with the exception of backups (rotated quarterly) and audit log entries we may need to retain for legal or security reasons.
Children
Production OS is not directed at children. We don't knowingly collect data from anyone under 16.
Changes to this policy
Material changes will be communicated to active tenant admins by email and surfaced in the platform admin notice area at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Contact
Questions, data requests, or security disclosures: elliott@etfriedman.com.
See also: Terms of Service.