Trust
Security and data handling
Updated July 8, 2026
This page says where data lives, who processes it, and how changes to your files happen. It states what is built today; where something is still being verified, it says so instead of claiming it.
How changes to your files happen
- Nativeloop can read only the files your workspace picked through the Google file picker. There is no Drive-wide access. Email is send-only — the product holds no permission that can read a mailbox — and every send is approved first.
- Each kind of action runs at a level your workspace sets. Off: it watches and reports; nothing is proposed. Suggest: it prepares the change and applies it only after a person approves the preview. Auto: it applies on its own, and you review the record. Some actions are locked to Suggest permanently, and an incident tightens a level automatically — shown with its reason, never silently.
- A proposed change renders as a preview of exactly what will change — the cells, the message, the event — before it happens. Every applied change lands in an append-only record with who approved it and when.
Where data lives
Two separate storage buckets; the runtime can access both:
- Your workspace zone. Content derived from your Google files and your workspace's records, in a database created for your workspace alone plus a storage area scoped to it. Deleted at offboarding, after your export.
- The platform zone. New payloads are limited to fixture-authored test content. Content-free measurements of how the software ran stay in the Event record. Generated text, elicited or external content, and anything unproven or linked to workspace content goes to the workspace zone by default.
The application and Trigger.dev-hosted task runtime can access both buckets when they run the work you requested. The boundary is conservative classification and permitted use, not a claim that runtime credentials make one bucket unreachable. No platform-zone mining or export path is implemented today. Google Workspace user data is never used to train or improve generalized AI or machine-learning models. Human access to your content requires your explicit consent. The full statement is in the privacy policy.
Usage data
Signed-in product analytics is computed from Nativeloop's own Event record.
There is no third-party analytics and no session replay inside the product; the audit record is the analytics. The one place we may run page analytics is this public site — listed below — and never behind sign-in.
Sign-in
Sign-in is Google only; Nativeloop passwords do not exist. You can revoke Nativeloop's access at myaccount.google.com/permissions at any time — revocation cuts off new reads and writes immediately.
Who processes data
| Provider | Role | What it sees |
|---|---|---|
| Google Cloud | Runs the application and its main database | Application data and operational records |
| Neon | Hosts each workspace's own database | Your workspace's records and content derived from your Google files |
| Anthropic | Model inference | The content a step sends to produce its output (retention: see the pending item below) |
| Trigger.dev | Runs background work durably | Run and Step identifiers, scheduling state, and the content each hosted task processes, including connected file content when a Run needs it |
| Resend | Delivers the email we send you | Recipient addresses and the content of those notifications |
| Stripe | Payments, when paid plans open | Billing details you enter with Stripe; card numbers never touch our servers |
| PostHog | Page analytics for this public site — not yet active | Public-page visits only; never anything behind sign-in |
Model provider data retention
We are confirming our organization's data-retention configuration with Anthropic — how long step inputs and outputs persist on their systems. This page will state it exactly once verified. Until then, we make no claim here.
Certifications, honestly
We hold no SOC 2 or ISO 27001 today. What exists instead is structural: a database per workspace, the two storage zones above, per-file Google access, previews before changes, and the append-only record. Google's app verification for the permissions we request is in progress.
Report something
Found a vulnerability, or something that looks wrong? Write to nick@mundolabs.ai. Every report is read and answered.