What BPM sees about you

BPM is a workplace analytics tool installed by your Google Workspace administrator. We measure organizational adoption of communication patterns — not individual user behavior. This page tells you exactly what we collect, what we don’t, and what your admin can see.

Visibility mode

Your org’s admin picks one of four modes. The mode controls what other users in your org can see about you — /me always shows your own counts regardless. The k=5 anonymity floor applies under every mode.

Org_admins can change the mode at /admin/visibility.

Aggregate only

Everyone sees the org-wide totals; no team-level or named comparisons.

/me — your own counts
/org — org-wide totals (no leaderboard, no named users)
/teams — team names + member counts only; no chart links
Public API — aggregate series only; per-user metrics return your own row, 403 for others

Same team (recommended)

Everyone sees the org chart and their own team’s chart. Cross-team is aggregate only.

/me — your own counts
/org — org-wide totals (no leaderboard)
/teams — your own team’s chart; cross-team aggregate only
Public API — same as the dashboard

Open

Everyone sees every team chart and a top-10 leaderboard on the org page.

/me — your own counts
/org — org-wide totals + top-10 named leaderboard (when n ≥ 5)
/teams — every team chart
Public API — same as the dashboard, with the leaderboard field on the org metrics response

Custom (advanced)

Toggle individual flags. Phase 2 ships the per-flag editor; for Phase 1 the value is read-only.

/me — your own counts
/org — depends on the custom flag combination
/teams — depends on the custom flag combination
Public API — depends on the custom flag combination

What BPM sees

How many emails you sent yesterday (a count)
How many emails you received yesterday (a count)
Your name and Workspace email (so the org can group activity by team, not so a stranger can find you)

That’s the entire collection set. Three numbers per person per day. Calendar metrics return in a future release; the v1 first cut is gmail counts only.

What BPM never sees

Email subjects, recipients, or body content
Calendar event titles, attendees, or meeting bodies
Chat messages, document contents, or Drive activity
Your screen, your keystrokes, your mouse, or your webcam
Idle time, app usage, or URLs visited
Anything classified as [PII] in our public data classification document

Sources your admin can connect

BPM ingests counts (never content) from third-party tools your admin has connected. Each source is opt-in at the org level. If your admin hasn’t connected a tool, BPM has no data from it.

Asana — when your admin connects Asana, BPM reads task creation and completion counts per user per day. We never read task names, descriptions, comments, or attachments.

Counts include all projects visible to the org_admin who installed Asana — which may include private projects most teammates can’t see. We don’t disclose project names; we only count tasks created/completed inside them.

asana_tasks_completed is attributed to the task assignee, not whoever flipped the complete checkbox. Tasks with no assignee are skipped. (Design originally proposed attributing to the completer; flipped during Phase 3 to match the more intuitive “who actually did the work” reading.)

Our hard commitments

Counts only, never content. The only Google Workspace API BPM uses is the same userUsageReport your IT admin uses for license accounting. It returns counts. We do not have the OAuth scopes to read content, and we wrote it that way on purpose.

Aggregated to teams of 5+. No metric is shown for any group of fewer than 5 active users. This is the same k-anonymity threshold Microsoft Viva uses, and it’s enforced server-side. Your admin cannot click through to your inbox because no UI surface exposes it.

You can see your own row. Click the “Show me my data” link in your dashboard (available once Slice B ships) to see the exact rows BPM has stored about you. There is no shadow profile.

You can opt out. Email your admin to opt out. Once opted out, the daily ingest skips you on the next run, and existing rows are filtered from every view. Hard delete on a 30-day timer.

Your admin can purge everything. The whole BPM dataset for your org can be deleted in a single request. There is no copy outside Cloudflare and Supabase, and we don’t share with third parties. Ever.

Compliance footer

NY Civil Rights Law §52-c — admin must give you a written notice that workplace electronic monitoring is in use; this page IS that notice.
CT Gen Stat §31-48d — same.
GDPR Article 88 — if your org is in the EU, your works council should have signed off on BPM before deployment. Your admin can produce the agreement on request.
EU AI Act — BPM does not score, rank, or predict you. It counts. It is not a high-risk AI system per Annex III §4.