Skip to content
Security & Privacy

Your data,
your control.

OnlyWorks turns your captured work into a report — and you decide who sees it. Here’s exactly what we collect, who processes it, and how to delete it.

How we protect you

Built secure
from day one.

01

Encrypted in transit and at rest

Your data is encrypted in transit (HTTPS/TLS) and at rest on our providers’ infrastructure. OnlyWorks is not end-to-end encrypted: to generate your reports, screenshots and OCR text are uploaded to our backend and processed by Google Gemini.

02

Session-based capture

Capture only runs during sessions you start and stop — it is not always-on. During a session, OnlyWorks captures screenshots, on-screen text (OCR), active app and window titles, and click/keystroke counts, then sends them to OnlyWorks and our sub-processors to produce your report. Screenshots may also be used to improve our AI.

03

Sub-processors

Your data is processed by a small set of providers: Google Gemini (AI report generation), Supabase (database and storage), Render (backend hosting), and Resend (email). Each handles only the data needed for its function.

04

Deletion and retention

You can purge the screenshots used to train our AI at any time, and delete your account from the app. There is no automatic time-based deletion: after account deletion, account data is removed within 30 days, session data is kept up to 90 days, and full deletion can take up to 90 days due to backups. Aggregated, de-identified analytics may be retained indefinitely.

Found a vulnerability?
Let us know.

Report security issues responsibly and we'll work with you to resolve them quickly.