Custom GPT Privacy Policy

1. Scope

This policy applies to Custom GPTs and GPT Actions operated or configured by GDK Digital LLC. It is written for the current Custom GPT setup, including Google Drive workspace Actions used to organize user-approved workspaces.

This policy supplements the general GDK Digital Privacy Policy. If a specific GPT or service has a product-specific policy, the product-specific policy controls for that service.

OpenAI, Google, and other third-party services may process your information under their own policies when you use ChatGPT, GPT Actions, Google Drive, or external APIs.

2. Platform Roles

3. What GDK Digital Collects

3.1 ChatGPT-only use

When you only interact with a GDK Digital Custom GPT inside ChatGPT and do not invoke a GDK-operated Action, GDK Digital does not directly receive your prompts, uploaded files, or GPT outputs. Those materials are processed by OpenAI inside ChatGPT under OpenAI's policies and your ChatGPT account or workspace settings.

3.2 Information sent to a GDK-operated Action

If you ask the GPT to use a GDK-operated Action, ChatGPT may send the specific fields needed for that Action. For current Google Drive workspace Actions, those fields may include:

• workspace identifiers, project identifiers, customer-provided reference numbers, dates, status, and workflow posture;
• optional person, company, property, project, or location information you provide when it is needed for the workspace;
• evidence index details, timeline entries, issue-to-proof matrix rows, notes, and packet purpose text;
• Google Drive URLs or other links you choose to provide as evidence references.

3.3 Information generated by an Action

• Google Drive folder URLs, Google Sheets index URLs, upload-folder URLs, and Google Docs packet or report URLs created for the requested workspace.
• Rows added to the Evidence, Timeline, IssueProofMatrix, and Notes sheets.
• Basic technical or platform metadata that Google Apps Script, Google Drive, hosting providers, or OpenAI may process to execute and secure the request.

3.4 Website and support information

• If you visit a GDK Digital website, normal website server logs may include IP address, browser, device, timestamp, referring page, and error information.
• If you contact GDK Digital for support, we collect the contact details and message content needed to respond.

4. ChatGPT Uploads and GPT Knowledge

Custom GPT workflows may depend on user-provided documents. Depending on the GPT and task, these may include policies, letters, estimates, photos, reports, timelines, worksheets, project notes, or other business documents.

• The GPT uses these documents to complete the workflow you request, such as analyzing issues, identifying evidence or documentation gaps, generating summaries, or preparing workspace-organization drafts.
• Documents uploaded directly into ChatGPT are handled by OpenAI's systems and are not directly visible to GDK Digital unless selected information is sent to a GDK-operated Action, stored in a GDK-controlled workspace, or separately shared with us.
• Builder-provided GPT knowledge files may appear as source references or source chips in ChatGPT. Do not place proprietary material in builder knowledge if you do not want users to see file names or source references.
• Users should avoid uploading sensitive personal information unless it is necessary for the workflow.

5. Google Drive Workspace Actions

Current GDK Digital Google Drive workspace Actions use Google Apps Script web apps to create and update user-approved workspaces in Google Drive. These Actions are not Google OAuth connected apps for the end user. They do not browse your personal Google Drive, search your Drive, or ask you to sign in with Google.

When you give permission for the GPT to create or update a workspace, the Action can:

• create a workspace folder and standard subfolders in the Drive account authorized for the Apps Script deployment;
• create a Google Sheets workspace index with summary, evidence, timeline, issue matrix, and notes sheets;
• append evidence, timeline, matrix, and note rows based on the fields sent by ChatGPT;
• generate a Google Docs packet or report from the recorded rows;
• return Drive, Sheets, and Docs URLs to the GPT so they can be shown to you.

The current Action code does not intentionally write a separate workspace-content log. However, OpenAI, Google Apps Script, Google Drive, and hosting or security providers may process technical request data needed to operate, secure, and troubleshoot the service.

Do not send secrets, payment card data, Social Security numbers, medical records, or unrelated personal information to the Action.

6. Other Actions or Connected Apps

Future or separate GDK Digital GPTs may use different Actions, APIs, or connected apps. If a GPT uses a different data path, the GPT or product documentation should identify what it sends, stores, retrieves, or changes.

• GPT Actions connect ChatGPT to external APIs. When an Action is used, ChatGPT may send relevant parts of the conversation, uploaded data, or generated output to the Action endpoint so the endpoint can complete the request.
• Public GPTs with Actions must include a valid privacy policy URL.
• Users may be asked to approve Actions before they run.
• OAuth-based Actions may require a user sign-in and connected-account management. Current direct Google Apps Script workspace Actions do not use end-user OAuth.

7. How We Use Information

• Provide the requested GPT workflow, analysis, workspace, evidence or document index, packet generation, lookup, save, export, or report.
• Maintain product logic, workflow quality, source routing, and error handling.
• Support users, troubleshoot problems, debug failed actions, and respond to security issues.
• Protect systems against abuse, unauthorized access, fraud, or misuse.
• Comply with legal obligations and enforce applicable terms.
• Improve GPT instructions, schemas, templates, and product documentation using de-identified or aggregated operational learnings where practical.

GDK Digital does not use your workspace data to train AI models.

8. Sharing and Service Providers

We may share information only as needed for the following purposes:

• Platform providers: OpenAI for ChatGPT and GPT Actions; Google for Google Apps Script, Google Drive, Docs, and Sheets when a Google Drive workspace Action is used.
• Infrastructure providers: hosting, storage, logging, email, payment, and security vendors used to operate GDK Digital services, if applicable to the specific workflow.
• Customer-directed sharing: when you ask the GPT or an action to create, update, email, export, or store information in a destination you choose.
• Legal and safety: when required by law or necessary to protect users, systems, rights, property, or public safety.
• Business transfer: as part of a merger, acquisition, financing, or sale of assets, subject to reasonable confidentiality and notice controls.

9. Retention

When information is no longer needed, we delete, anonymize, or de-identify it where practical and legally permitted.

10. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information. These may include HTTPS/TLS, access controls, least-privilege permissions, encrypted secrets, logging minimization, vendor controls, and review of action schemas and endpoints.

No internet or AI system can be guaranteed to be completely secure. Users are responsible for controlling what they upload, who can access shared folders, and whether uploaded documents contain sensitive information.

11. Your Choices and Rights

• You can choose what information to provide to a GPT.
• You can avoid uploading sensitive documents unless they are necessary for the workflow.
• If a GPT uses a connected account, you can revoke that connection through OpenAI, Google, or the relevant provider settings.
• You can request access, correction, deletion, or export of personal information held by GDK Digital by contacting us.
• California residents may have rights to know, delete, correct, opt out of sale or sharing, limit sensitive personal information, and avoid discrimination for exercising rights.
• Users in the EEA or UK may have rights to access, correct, delete, restrict, object, port data, withdraw consent, and complain to a supervisory authority.

OpenAI account-level rights, ChatGPT conversation controls, and connected-app controls must be managed through OpenAI, Google, or the relevant provider.

12. Children's Privacy

GDK Digital Custom GPTs are business tools and are not directed to children under 13. We do not knowingly collect personal information from children through these GPTs. If you believe a child has provided personal information to a GDK Digital system, contact us and we will take appropriate steps.

13. AI Output Limitations

Custom GPT outputs may be incomplete, inaccurate, or based on limited source documents. Do not treat GPT output as final legal, financial, engineering, code, safety, warranty, permitting, or material-ordering advice without qualified human review. Assumptions, blockers, and source limitations should be reviewed before field use or ordering.

14. Changes

We may update this policy as GPT features, connected apps, action endpoints, vendor relationships, or legal requirements change. We will update the date above and post the revised policy at this URL. Material changes may also be communicated through product, website, or account notices where appropriate.

15. Contact