1. Who We Are
Least by Juste™ is a product of Juste LLC, a Florida limited liability company ("Juste", "we", "us", or "our"). We provide an access review tool that helps organizations identify and remediate risky account permissions in their Google Workspace environment. Contact us at kender@usejuste.com.
2. What Data We Collect
Account data: your email address and hashed password, collected when you create a Least account.
Google Workspace directory data: when you connect a Google Workspace tenant, we collect user display names, email addresses, admin status, account suspension status, and last login timestamps via the Google Admin SDK. We collect this data using read-only OAuth scopes — we never write to, modify, or delete anything in your Google Workspace.
Review decisions: the access review decisions you make (Approve, Revoke, Needs Review) and any notes you attach. These are stored as an immutable audit log.
OAuth credentials: Google OAuth access tokens and refresh tokens are stored in our database to enable ongoing access reviews. Tokens are stored in Supabase, which uses AES-256 encryption at rest.
3. How We Use Your Data
We use your data solely to provide the Least by Juste™ service:
- To authenticate you and maintain your session
- To run access risk analysis on the Google Workspace data you authorize us to read
- To generate your evidence bundle (PDF report and CSV audit log)
- To maintain an immutable audit trail of your review decisions
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 4.
4. Third-Party Services
We use the following third-party services to operate Least:
- Supabase — database and authentication (SOC 2 Type II certified, data stored in US East)
- Vercel — frontend hosting
- Railway — backend API hosting
- Anthropic (Claude API) — AI-generated risk explanations. Directory data excerpts are sent to Anthropic to generate plain-language explanations for risk findings. Anthropic does not use API inputs for model training by default.
- Google APIs — directory data is pulled from Google Workspace using the Admin SDK with read-only scopes you explicitly authorize.
5. Data Retention
Directory data (users, groups, roles) is replaced each time you run a new access review. Previous scans do not persist by default. Review decisions and audit log entries are retained for the lifetime of your account as they constitute your evidence record. You may request deletion of your data at any time by emailing kender@usejuste.com.
6. Security
We use industry-standard security practices including encrypted connections (TLS), encrypted storage at rest (AES-256 via Supabase), and row-level security policies that ensure each user can only access their own data. Google OAuth tokens are stored securely and used only to execute access reviews you initiate. Least is currently in pilot phase and has not yet undergone independent SOC 2 audit. Our infrastructure providers (Supabase, Vercel, Railway) maintain their own compliance certifications.
7. Your Rights
You may request access to, correction of, or deletion of your personal data at any time. To exercise these rights, email kender@usejuste.com. You may also disconnect your Google Workspace at any time by removing Least from your Google account's authorized applications at myaccount.google.com/permissions.
8. Changes to This Policy
We may update this Privacy Policy as the product evolves. Material changes will be communicated via email to registered users. Continued use of Least after changes constitutes acceptance of the updated policy.
9. Contact
Juste LLC · Tampa, FL
kender@usejuste.com