PolicyVector
Privacy Policy
Effective Date: July 14, 2026
PolicyVector is provided by Graywheel ("PolicyVector," "Graywheel," "we," "us," or "our"). PolicyVector includes the desktop study application and the native PolicyVector Reader for iOS and Android. PolicyVector helps users organize policy documents, generate study materials, import encrypted Reader bundles, create newly encrypted Reader bundle copies for user-directed sharing, and optionally import or export user-selected Google Drive and Google Docs content.
This Privacy Policy explains what information PolicyVector accesses, uses, stores, shares, retains, and deletes, including how PolicyVector handles Google user data when you connect Google Sign-In, Google Drive, or Google Docs features; how supported desktop and iOS licensing clients handle Microsoft sign-in; and how the mobile Reader handles Sign in with Apple, local data deletion, and account deletion.
1. Information We Collect
PolicyVector is designed to keep study content local whenever possible. Depending on how you use the app, we may process:
- Account and licensing information, such as your email address; Google, Apple, or Microsoft identity proof and stable provider account identifier; provider-supplied email or display-name hints; license status; app-generated device fingerprint hash; device label; payment/license metadata; and license replacement or move history.
- Local study content, including documents, outlines, flashcards, multiple-choice materials, oral board scripts, notes, encrypted Reader bundles, locally merged Reader bundles, transfer phrases, transcripts, checklist results, local practice attempts, bundled audio, and related study outputs.
- Google account information, when you connect Google features, such as your Google email address and OAuth authorization tokens.
- Google Drive and Google Docs content, only when you explicitly use Google import or export features.
- Microphone and Apple speech recognition data when you choose mobile Reader Oral Board speech practice.
- Technical information, such as app version, operating system, error messages, update status, support reports, product feedback, optional screenshots you choose to attach, and diagnostic information you choose to send.
2. Google User Data Accessed
PolicyVector uses Google APIs only for user-facing features that you explicitly start.
PolicyVector may request access to the following Google OAuth scopes:
https://www.googleapis.com/auth/drive.file: used to create, edit, and manage Google Drive files that you export from PolicyVector, and to import files you explicitly select through Google Picker or platform file-selection flows, including encrypted PolicyVector Reader bundles selected by the mobile Reader.
Depending on the Google feature you choose, PolicyVector may access or interact with:
- Your Google account email address and Google connection status.
- Google identity proof, such as an ID token, when Google Sign-In is used to verify PolicyVector license entitlement.
- Google OAuth authorization codes, access tokens, refresh tokens, and token expiration metadata.
- Google Drive file metadata for files you explicitly select, such as names, IDs, and MIME types.
- The Google Doc file that you explicitly select for import, including the exported DOCX bytes needed to create a local PolicyVector study item.
- The encrypted PolicyVector Reader bundle file that you explicitly select for import on iOS or Android.
- PolicyVector-generated study files that you explicitly export to Google Drive, such as Google Docs or Google Sheets created from your local study materials.
3. Google User Data Usage
PolicyVector uses Google user data only to provide the Google workflow you request:
- Verify your license entitlement when you sign in with Google for PolicyVector desktop or the mobile Reader.
- Show Google Drive folders, Google Docs, and likely encrypted PolicyVector Reader bundles that your account is allowed to access so you can select a document or bundle for import.
- Download the single Google Doc that you explicitly select and convert it into a local PolicyVector study item.
- Download the single encrypted PolicyVector Reader bundle that you explicitly select and unlock it locally in the mobile Reader.
- Create or update Google Drive files that you explicitly export from PolicyVector.
- Maintain local connection state so PolicyVector can complete requested import and export workflows without asking you to sign in for every action.
- Display success, error, and authorization status messages related to the Google workflow you started.
PolicyVector does not use Google user data for advertising, profiling, or unrelated analytics. PolicyVector does not sell Google user data. PolicyVector does not use Google Drive or Google Docs content to train generalized AI or machine learning models.
PolicyVector's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. Google User Data Sharing
PolicyVector does not sell, rent, or share Google user data with advertisers or data brokers. PolicyVector does not share Google user data with third parties except in the limited situations needed to provide the app features you request or comply with law.
Google user data may be shared or transferred only as follows:
- With Google APIs, to complete the Google Drive or Google Docs import/export action you request.
- With PolicyVector licensing systems, to verify license entitlement when you use Google Sign-In for desktop or mobile Reader access.
- With your local PolicyVector desktop app, where imported Google Doc content and exported study materials are processed as local study content on your device.
- With service providers only if necessary to operate, secure, or support PolicyVector, and only under obligations consistent with this Privacy Policy.
- With authorities or other parties if required by law, legal process, or to protect the security and integrity of PolicyVector and its users.
- With support personnel only if you deliberately provide Google-related information or files for troubleshooting, or if access is necessary for security or legal reasons.
Human review of Google Drive or Google Docs content is not part of normal app operation. We do not allow humans to read your Google Drive or Google Docs content unless you explicitly provide that content for support, it is necessary for security or legal reasons, or you otherwise give permission.
5. Google User Data Storage and Protection
Google authorization tokens are stored locally on your device and protected using the operating system's local protection mechanisms where available.
For Google Docs export, PolicyVector may store a protected refresh token locally so you can export documents without signing in every time.
For Google Drive import, PolicyVector stores only temporary access needed for the active chooser/import session.
Google authorization codes, Google tokens, selected document metadata, exported Google Doc content, and imported Google Doc content are not sold or used for advertising.
Google API requests use encrypted transport. PolicyVector limits Google access to the scopes needed for the user-facing import and export workflows and stores only the Google data needed to complete those workflows.
6. Google User Data Retention and Deletion
Google authorization tokens remain on your device until you disconnect Google features, revoke access, uninstall PolicyVector, delete the app's local data, or the tokens expire or are replaced.
Google Picker metadata and temporary Google Drive import session data are retained only as long as needed to complete the active selected-file import workflow, unless retained locally as part of normal app state needed to finish the requested action.
Imported Google Doc content becomes local PolicyVector study content after import and remains on your device until you delete it from PolicyVector or remove the app's local data. Files exported to Google Drive remain in your Google Drive until you delete them there.
You can revoke PolicyVector's Google access from your Google Account security settings. Where supported in the app, you can also disconnect Google features from within PolicyVector. To request help deleting account, license, support, or other server-side records associated with PolicyVector, contact us at privacy@graywheelhq.com.
7. Local Study Content
PolicyVector stores your study library and generated study materials locally on your device unless you choose to export, back up, share, or send content to another service.
Your local study content may include documents, outlines, flashcards, multiple-choice questions, oral board scripts, transcripts, and other study artifacts.
On iOS and Android, PolicyVector Reader imports encrypted study bundles into app-local storage and can merge imported bundles into new app-local Reader bundles. The Reader stores local flashcard progress, Multiple Choice attempts, Oral Board practice transcripts, checklist results, and attempt history on the device. The Reader does not upload imported or merged bundle contents, transfer phrases, transcripts, checklist results, bundled audio, or study progress to PolicyVector licensing servers.
On iOS, Reader-owned imported bundle data, bundled audio, flashcard progress, Multiple Choice attempts, and Oral Board attempt history are stored in app-local Application Support storage that the app marks as excluded from device backups.
When you choose to share an imported package from the iOS Reader, the Reader creates a newly encrypted copy on your device with a fresh transfer phrase and presents only the encrypted file to the iOS sharing service you select. The shared package may contain the imported study materials and valid bundled audio. It does not include your PolicyVector account or license information, Google tokens, device information, local flashcard progress, Multiple Choice attempts, Oral Board attempts or transcripts, or checklist results. PolicyVector does not receive the shared package, transfer phrase, recipient identity, selected sharing destination, or delivery status.
The transfer phrase is presented separately so you can provide it through a different channel. AirDrop, Messages, Mail, Files providers, and other services you select handle the file under their own terms and privacy practices. Anyone who obtains both the encrypted package and its transfer phrase may be able to read the package in a compatible Reader. Copies may remain with recipients or third-party services after you delete your local copy; PolicyVector cannot recall, revoke, or remotely delete a package you shared.
Mobile Reader Oral Board speech practice uses native device speech recognition after you grant microphone and speech recognition permission. On iOS, this uses Apple's Speech framework subject to Apple's system permission prompts and platform behavior. The Reader saves transcript text and checklist result data locally after practice, but PolicyVector does not save microphone audio.
8. AI Features
PolicyVector may include local AI and cloud AI features.
Local AI features run on your device when configured and do not require sending study content to a cloud AI provider.
Cloud AI features may send the specific content needed to complete the requested AI task to the configured AI provider. PolicyVector is designed to warn or restrict use of sensitive or unredacted content where applicable. You should review any third-party AI provider's privacy terms before using cloud AI features.
9. Licensing, Payments, and Updates
PolicyVector may use third-party services for licensing, payment processing, updates, and fraud prevention.
Payment information is handled by our payment processor. PolicyVector does not store full credit card numbers.
After a verified paid checkout grants or extends access, PolicyVector may send a transactional welcome email to the licensed purchase email with public desktop download, Reader, App Store, and support links. PolicyVector may retain the delivery status, provider message identifier, and a privacy-safe delivery error code associated with the Stripe event and checkout session. The welcome email does not include card details, payment method data, billing addresses, or the raw Stripe webhook payload.
Licensing systems may process your email address, license status, app-generated device fingerprint hash, device label, app version, platform, session metadata, license replacement or move history, and activation or update metadata.
Supported desktop and iOS licensing clients can use Microsoft browser sign-in alongside their other available sign-in providers. For Microsoft sign-in, PolicyVector processes signed Microsoft identity proof, a stable tenant-scoped account identifier, and Microsoft-provided email or display-name hints. Those hints do not prove which email owns a PolicyVector license. When a Microsoft identity is linked for the first time, PolicyVector separately verifies the licensed email using the email address and one-time code you enter.
Microsoft authorization codes, ID tokens, PKCE values, nonce values, and short-lived return tickets are used only to complete and verify the sign-in transaction. PolicyVector does not retain Microsoft authorization codes, ID tokens, access tokens, refresh tokens, PKCE values, nonce values, or return tickets after that transaction.
The iOS Reader can verify licensing with Google Sign-In, Sign in with Apple, or Microsoft browser sign-in. Microsoft sign-in does not request Microsoft Graph access or Microsoft 365 content. For Sign in with Apple, PolicyVector may process the Apple user identifier, Apple-provided email address or Hide My Email relay address, Apple identity token or authorization code, and the licensed email address and one-time verification code you enter when linking an Apple sign-in to an existing PolicyVector license. If Apple provides a refresh token for revocation support, PolicyVector stores it only for account-management purposes such as revoking Sign in with Apple access during account deletion.
Authorized PolicyVector administrators may view limited linked-identity metadata for account support, including the provider, provider-supplied email hint, link date, and last-use date. The administrative browser does not receive provider account identifiers or provider tokens. An authorized owner may disconnect one PolicyVector identity mapping. Disconnecting a mapping does not revoke the PolicyVector license, sign out active devices, or claim to revoke authorization in the user's Google, Apple, or Microsoft account. Administrative disconnects are recorded in PolicyVector's security audit log.
10. Sharing of Information
We do not sell your personal information.
We may share limited information only when necessary to:
- Provide app functionality you request.
- Process payments or licensing.
- Deliver updates.
- Provide support or troubleshoot problems.
- Send metadata-only support notifications to configured Graywheel support recipients.
- Comply with legal obligations.
- Protect the security and integrity of PolicyVector.
Support notification emails do not include diagnostic packages, screenshots, local logs, policy content, prompts, completions, auth tokens, license tokens, or other attachments. When you provide a valid contact email with a support request, PolicyVector may send a receipt containing the report number, request type, selected topic, and submission time. The receipt does not repeat your message or include diagnostics, screenshots, policy content, or attachments.
11. Data Retention
Local study content remains on your device until you delete it or uninstall/remove the app data.
On iOS and Android, deleting an imported or merged Reader bundle removes the bundle from the Reader library and removes associated local practice state where the app supports that cleanup. The iOS Reader includes Delete Local Data, which removes Reader-owned local bundles, flashcard progress, Multiple Choice attempts, Oral Board attempts, transcripts, checklist results, license state, and device-local account state from that device. Android local data deletion also removes imported bundles, flashcard progress, Multiple Choice attempts, Oral Board attempts/transcripts, license state, and device-local account state. Uninstalling the mobile Reader or removing its app data removes app-local Reader bundles and local study state from that device.
Google access can be disconnected from within PolicyVector where supported. You can also revoke PolicyVector's Google access from your Google Account security settings.
Google, Apple, and Microsoft identity mappings are retained while they remain linked to the PolicyVector account and as needed for account administration, security, and legal obligations. A selected identity mapping can be removed through authorized account support, and identity mappings are removed when the associated PolicyVector account is deleted where supported. Removing a PolicyVector identity mapping does not automatically remove provider-side authorization; provider-side access controls remain available in the user's Google, Apple, or Microsoft account settings.
Licensing and payment records may be retained as needed for account administration, fraud prevention, legal compliance, and business records.
Support records are retained according to report type: bug reports and support requests for 90 days, and product feedback for 180 days. Submitted report metadata and associated private support-report packages, including screenshots that you intentionally attach, follow those periods unless an active support, legal, security, billing, or abuse issue requires longer retention.
The mobile Reader includes Delete Account where supported. When you delete your account from the Reader, PolicyVector removes or revokes the account, license session, device, identity, app-entitlement, Apple token, and related licensing records that PolicyVector controls, and revokes beta website access where applicable. Payment records and records required for legal, tax, security, fraud-prevention, or dispute purposes may be retained as required or permitted by law.
12. Security
PolicyVector uses reasonable technical and organizational safeguards to protect information. These safeguards may include local token protection, secure transport for network requests, access controls, and limited data collection.
PolicyVector may maintain limited operational and security logs for account administration, support, abuse prevention, and system security. These logs may include administrator action records, timestamps, affected account, license, or support identifiers, request identifiers, and hashed network or user-agent metadata. These logs are not used for advertising.
No system can guarantee perfect security. You are responsible for protecting access to your device, connected accounts, shared Reader packages, and transfer phrases.
13. Your Choices
You can:
- Use PolicyVector without connecting Google features.
- Disconnect Google Docs export or Google Drive import.
- Revoke Google OAuth access through your Google Account.
- Stop using Sign in with Apple for PolicyVector through your Apple Account settings where Apple provides that option.
- Choose another Microsoft account during Microsoft sign-in and manage PolicyVector authorization through your Microsoft account or organization where available.
- Contact us to inspect or disconnect a Google, Apple, or Microsoft identity mapping associated with your PolicyVector license.
- Delete local study content from your device.
- Use Delete Local Data in the mobile Reader where supported to remove Reader-owned local data from that device.
- Use Delete Account in the mobile Reader where supported to request deletion of your PolicyVector account and revocation of related licensing access.
- Delete imported Reader bundles and locally saved Reader practice state from the mobile Reader where supported.
- Contact us to request help with account, license, or support data.
14. Children's Privacy
PolicyVector is not intended for children under 13, and we do not knowingly collect personal information from children under 13.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we materially change how PolicyVector accesses, uses, stores, or shares Google user data, we will update this policy and, where required, ask users to consent before using Google user data in a new way.