Privacy Policy

Effective Date: March 17, 2026  ·  Last Reviewed: March 17, 2026

Contents

  1. 1. About Very Big Machine
  2. 2. Scope of This Policy
  3. 3. Information We Collect
  4. 4. Information We Do Not Collect
  5. 5. How We Use Your Information
  6. 6. Legal Bases for Processing
  7. 7. Data Retention
  8. 8. Data Storage and Security
  9. 9. Google API Services
  10. 10. Third-Party Service Providers
  11. 11. International Data Transfers
  12. 12. Your Rights
  13. 13. California Residents (CCPA)
  14. 14. Children's Privacy
  15. 15. Changes to This Policy
  16. 16. Contact Us

1. About Very Big Machine

Very Big Machine ("Very Big Machine," "we," "our," or "us") is a software company based in New York that builds productivity applications for professionals and businesses. Our products include Google Workspace Add-ons, Chrome Extensions, and web-based tools distributed through Google Workspace Marketplace, the Chrome Web Store, and our own website at verybigmachine.com.

This Privacy Policy describes how we collect, use, store, and protect personal information across all of our products and services (collectively, the "Services").

2. Scope of This Policy

This policy applies to all individuals and organizations ("users," "you") who access or use any Very Big Machine Service, including but not limited to:

  • Google Workspace Add-ons installed from the Google Workspace Marketplace
  • Chrome Extensions installed from the Chrome Web Store
  • Web applications and tools hosted at verybigmachine.com or any subdomain thereof
  • Any related websites, APIs, or communications operated by Very Big Machine

If a specific product has supplemental privacy disclosures, those are incorporated into and subject to this policy.

3. Information We Collect

3.1 Account Information

When you install or register for a Very Big Machine Service, we collect:

  • Name: Your first and last name, as provided by you or your Google account at the time of installation or registration.
  • Email Address: Your primary email address, used for account identification, licensing verification, and service communications.

We do not collect passwords. Where authentication is required, it is handled through Google OAuth 2.0 or another delegated identity provider; we receive only an authenticated identity token and the above account fields.

3.2 Usage and Technical Data

We may collect limited, non-personally identifiable technical data to operate and improve our Services, including:

  • Feature interaction counts (e.g., how often a tool is invoked), stored as aggregate metrics without linking to an individual's documents or content
  • Error and crash reports that help us diagnose and fix issues
  • Browser type, operating system, and general geographic region (derived from IP address at the time of the request; IP addresses are not stored)

3.3 Payment Information

If you subscribe to a paid tier of a Very Big Machine Service, payment is processed exclusively by Stripe, Inc. Very Big Machine does not receive, store, or process credit card numbers, bank account details, or any other raw payment instrument data. We receive only a customer identifier and subscription status from Stripe.

3.4 Communications

If you contact us by email or through a support channel, we retain the correspondence to respond to your inquiry and improve our Services. You may request deletion of this correspondence at any time.

4. Information We Do Not Collect

Our Services are designed around strict data minimization. We explicitly do not collect, store, or retain:

  • The content of any documents, files, PDFs, spreadsheets, emails, or other files you process using our Services. These remain entirely within your own Google Drive, Google Workspace environment, or local device.
  • Any data from your Google Drive, Gmail, Google Docs, or other Google Workspace services beyond what is strictly necessary to perform the specific action you initiate (e.g., reading a file you explicitly open with our tool).
  • Biometric data, health data, financial data, government IDs, or other sensitive personal information
  • Location data beyond a non-stored, general regional inference used to route service requests
  • Data from third-party websites, apps, or services that you have not explicitly connected to a Very Big Machine Service
  • Advertising identifiers or cross-site tracking identifiers

5. How We Use Your Information

We use the information we collect solely for the following purposes:

  • Service Delivery: To authenticate your account, enforce license limits, and provide the features of the Service you have installed.
  • Billing and Account Management: To verify subscription status, process upgrades or downgrades, and resolve billing inquiries in coordination with our payment processor (Stripe).
  • Communications: To send transactional messages such as account confirmations, security alerts, and material changes to this policy or our Terms of Service. We do not send marketing emails without your explicit consent.
  • Service Improvement: To analyze aggregate, anonymized usage patterns that help us improve reliability, performance, and features.
  • Legal Compliance: To comply with applicable laws, respond to lawful requests from public authorities, and enforce our Terms of Service.

We do not sell, rent, or share your personal data with third parties for advertising, marketing, or any commercial purpose unrelated to providing the Service.

6. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data on the following legal bases:

  • Performance of a Contract: Processing your name and email is necessary to create and manage your account and deliver the Services you have requested.
  • Legitimate Interests: Collecting anonymized usage telemetry and maintaining security logs are necessary for our legitimate interests in improving and securing the Services, balanced against your rights.
  • Compliance with Legal Obligations: We may process data as required to comply with applicable law.
  • Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

7. Data Retention

We retain your name and email address for as long as your account with a Very Big Machine Service remains active. When you uninstall all Very Big Machine Services and request deletion of your account, we will delete or anonymize your personal data within 30 days, except where retention is required to:

  • Comply with a legal obligation (e.g., tax and accounting records, which may be retained for up to 7 years)
  • Resolve an open dispute or enforce an agreement
  • Maintain an audit trail required by applicable law

Anonymized aggregate usage statistics are not subject to deletion schedules as they do not constitute personal data.

8. Data Storage and Security

Very Big Machine's backend infrastructure is built on Google Cloud Platform (GCP) and Firebase, products of Google LLC. This provides several layers of enterprise-grade security:

8.1 Infrastructure Certifications

GCP and Firebase maintain the following certifications and compliance programs, among others: ISO/IEC 27001:2013 (Information Security Management), SOC 2 Type II (Security, Availability, Confidentiality), SOC 3, PCI DSS (for payment-adjacent infrastructure), and FedRAMP (moderate). Current compliance documentation is available at cloud.google.com/security/compliance.

8.2 Encryption

  • In Transit: All data transmitted between your device and our Services is encrypted using TLS 1.2 or higher. We enforce HTTPS and HSTS on all web-facing endpoints.
  • At Rest: Data stored in Firestore and other GCP storage services is encrypted at rest using AES-256, with Google-managed encryption keys. Key management is handled through Google's Key Management Service (KMS).

8.3 Access Controls

Access to production systems and user data is restricted to authorized Very Big Machine personnel on a need-to-know basis. We use GCP Identity and Access Management (IAM) with the principle of least privilege and require multi-factor authentication for all administrative accounts.

8.4 Vulnerability Management

We regularly review our codebase and dependencies for known vulnerabilities. GCP provides automated threat detection through Security Command Center and continuous vulnerability scanning of infrastructure.

Despite these measures, no method of electronic storage or transmission is 100% secure. We encourage you to report any suspected security vulnerabilities to security@verybigmachine.com.

9. Google API Services — Limited Use Disclosure

Some Very Big Machine Services request access to Google Workspace data (such as Google Drive files) via Google APIs to perform actions you explicitly initiate. The following applies to all such Services:

  • Very Big Machine's use and transfer to any other application of information received from Google APIs adheres to the Google API Services: User Data Policy, including the Limited Use requirements.
  • We access Google Workspace data only to provide or improve the user-facing features of the specific Service you are using. We do not use this data to serve advertising or for any purpose unrelated to the Service's core functionality.
  • We do not allow humans to read your Google Workspace data except as necessary to provide support you have explicitly requested, as required by law, or for security purposes.
  • Google Workspace data accessed through our Services is not transferred to third parties except as necessary to operate the Service (e.g., to a cloud translation API to perform a translation you initiate) or as required by law.

10. Third-Party Service Providers

We share data with the following categories of sub-processors, solely to operate our Services:

Provider Purpose Data Shared
Google LLC (GCP / Firebase) Infrastructure, authentication, database Name, email, usage data
Stripe, Inc. Payment processing Email (for billing), subscription status
Google Cloud Translation API Document translation (where feature is offered) Document text content (session only, not stored)

All sub-processors are contractually obligated to process data only for the purposes outlined above and to maintain security standards consistent with this policy. We do not sell your data to any third party.

11. International Data Transfers

Very Big Machine is based in the United States. Our data is hosted on Google Cloud Platform infrastructure, which may be located in multiple regions. If you are accessing our Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in countries that may not have data protection laws equivalent to those in your jurisdiction.

For such transfers, we rely on the following safeguards:

  • Google LLC participates in and certifies under the EU–U.S. Data Privacy Framework (EU–U.S. DPF) and the UK Extension to the EU–U.S. DPF.
  • Google's data processing agreements incorporate Standard Contractual Clauses (SCCs) approved by the European Commission.
  • We will enter into a Data Processing Addendum (DPA) with enterprise customers who require one for GDPR compliance. Contact us at hello@verybigmachine.com to request a DPA.

12. Your Rights (EEA / UK / Switzerland)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR or equivalent legislation:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to our legal retention obligations.
  • Right to Restriction of Processing: You may request that we restrict how we process your data in certain circumstances.
  • Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
  • Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, email hello@verybigmachine.com with your request. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

13. California Residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and any third parties with whom it is shared.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email hello@verybigmachine.com. We will verify your identity before responding. California residents may also designate an authorized agent to make requests on their behalf.

14. Children's Privacy

Our Services are not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that a child under 13 has provided us personal information, we will promptly delete it. If you believe a child has provided us with information, please contact us at hello@verybigmachine.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Reviewed" date at the top of this page
  • Notify users via email (to the address on file) for material changes that affect your rights or our data practices

Continued use of our Services after a policy update constitutes acceptance of the revised policy. We encourage you to review this page periodically.

16. Contact Us

For questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

Very Big Machine

New York, United States

General inquiries & data requests: hello@verybigmachine.com

Security vulnerabilities: security@verybigmachine.com