ConveyorTPRM Privacy Policy & Google Services Disclosure

Receive email notifications of sub-vendor changes






Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.
LEGAL
Terms of Service
Acceptable Use Policy
Privacy Statement
Conveyor U.S. Data Processing Addendum
Responsible Disclosure Policy
Conveyor EU/UK Data Processing Addendum
Security Policy
Subprocessor Directory
Trademark Policy
Support Policy
ConveyorTPRM Privacy Policy & Google Services Disclosure

Effective: May 26, 2026   |   Conveyor, Inc.

This Disclosure explains how Conveyor, Inc. (“Conveyor”) accesses, uses, stores, shares, and deletes Google user data obtained through Google APIs when a customer connects their Google Workspace account to the Conveyor TPRM Agent. It supplements Conveyor’s Privacy Statement. Conveyor’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

1. Scopes requested and how Conveyor uses them

  • https://www.googleapis.com/auth/gmail.modify - to ingest trust-center access notifications, vendor security questionnaires, and security documentation delivered to the connected mailbox, and, where the user directs, to send responses on the user’s behalf.
  • https://www.googleapis.com/auth/drive - to retrieve vendor security documentation (e.g., SOC 2 reports, policies, evidence files) shared with the connected user, and, where the user directs, to store completed vendor risk assessments back to the user’s Drive.

Conveyor requests only the scopes reasonably necessary to deliver these features. Conveyor does not use Google user data for advertising, retargeting, profiling, or any purpose unrelated to the features described above.

2. Storage, sharing, retention, and deletion

Storage. Google user data is stored on Conveyor’s infrastructure, encrypted in transit and at rest.

Sharing. To deliver Conveyor’s AI-powered features, Conveyor transmits portions of Google user data to Anthropic, which provides AI inference under an agreement that prohibits use of customer data to train or fine-tune Anthropic’s models and provides zero data retention for API traffic, except where retention is required for abuse monitoring or by applicable law. Conveyor does not sell Google user data and does not transfer it to any other third party except to provide or improve user-facing features, to comply with applicable law, for security purposes, or as part of a merger, acquisition, or sale of assets (in which case, with the user’s explicit prior consent). The full list of Conveyor subprocessors is available in the Subprocessor Directory.

Retention and deletion. Conveyor retains Google user data for as long as the customer maintains an active Conveyor subscription. A customer or connected user may revoke access at any time by (i) disconnecting the integration in the Conveyor application, (ii) removing Conveyor from Google Account Permissions, or (iii) emailing legal@conveyor.com. Conveyor will delete previously obtained Google user data within thirty (30) days of a deletion request or subscription termination, subject to any retention required by applicable law.

3. Human access to Google user data

Conveyor personnel access Google user data only: (i) with the customer’s affirmative consent, to support onboarding or troubleshoot a specific issue; (ii) where necessary to investigate a security incident or suspected abuse; (iii) where required to comply with applicable law; or (iv) in aggregated, anonymized, or derived form for internal operations.

Recommended practice: Conveyor recommends customers connect a dedicated, shared mailbox (for example, trust@yourcompany.com) rather than an individual employee’s personal mailbox to minimize personal data exposed to the integration.

4. AI model training

Conveyor does not use Google user data to train, fine-tune, or otherwise develop any machine-learning model. Conveyor’s agreement with its AI inference provider prohibits the provider from using Conveyor’s API traffic to train its models.

5. Limited Use commitment

In accordance with Google’s Limited Use requirements, Conveyor:

  • Limits use of Google user data to providing or improving user-facing features that are prominent in the Conveyor application;
  • Does not transfer Google user data except as necessary to provide or improve user-facing features, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user’s explicit prior consent;
  • Does not allow humans to read Google user data except as disclosed in Section 3;
  • Does not use or transfer Google user data for advertising, including retargeting, personalized, or interest-based advertising;
  • Does not use or transfer Google user data to determine credit-worthiness or for lending purposes; and
  • Does not sell Google user data.

6. Changes and contact

Conveyor may update this Disclosure from time to time. Material changes will be posted to this page with an updated effective date; if Conveyor changes how it uses Google user data in a manner not previously disclosed, affected users will be notified and asked to consent before the new use takes effect. Questions about this Disclosure may be directed to legal@conveyor.com.

Platform
Product OverviewGet a Trust CenterAI Security Questionnaire AutomationAI for RFP ResponseConveyorTPRM (beta)Watch 1 Min Walkthrough
Resources
CustomersPricingBlogDocumentationChangelogOpen a Ticket
Compare
Conveyor vs. SafebaseConveyor vs. WhisticConveyor vs. LoopioConveyor vs. ResponsiveConveyor vs. HypercomplyConveyor vs. SecurityPal
Company
AboutCareersLegalSecurityStatusNewsletter
Download Conveyor Browser Extension
© 2025 Conveyor Inc.
Privacy Policy