We record work, not people: how ScreenJournal keeps employees private
Updated on 6 July 2026
ScreenJournal is monitoring software that cannot show your boss your screen, because it keeps no footage. It records only work apps, removes PII while processing, and lets employees redact parts of their timeline before a manager sees it. Here is how the three privacy stages work.
Why is there no footage for a manager to watch?
Because ScreenJournal never keeps any. It reads on-screen work as it happens, a frontier AI model analyses that activity to derive a timeline of what was actually done, and the raw screen data is deleted immediately during processing. The transient capture is video, a short-lived recording that exists only to be read, never to be watched. What survives is understanding: plain-English entries recording what was done, in which app and for how long. There is no screenshot archive to scroll, no video to replay, no footage to secure and no footage to leak.
This design is called derive-and-discard, and it inverts the usual bargain. Traditional monitoring hands a manager a pile of evidence and leaves the interpreting to them; ScreenJournal keeps the insight and discards the footage. For how that compares with tools built the other way round, see ScreenJournal vs surveillance suites.
What does ScreenJournal capture in the first place?
Stage one is scope. It is scoped to work apps and work-related activity; personal activity is skipped in real time. And if something personal slips through anyway, it lands as an auto-hidden "Personal" entry that managers do not see, rather than in anyone's work record.
Privacy that starts at capture is different in kind from privacy applied afterwards. A blurred screenshot still exists; an unrecorded lunch break simply never became data.
Proof: the member timeline's auto-hidden "Personal" entry type.

What happens to personal information during processing?
Stage two is redaction during processing. Before anything is stored, PII is removed from the derived record: the AI model that reads the work keeps the work and drops the personal. What lands in the timeline is a description of what was done, in which app and for how long, with a score. The record is about the work, which is the whole point of the product's name.
What can employees redact before a manager sees anything?
Stage three is employee control. Every person's timeline carries a Redact control, personal entries arrive auto-hidden, and employees can redact anything before a manager sees it. Redaction erases the entry entirely, so it is gone: not visible to a manager reviewing the day, and never appearing in anyone's search of past work. And because employees see the same activity view managers do, there is no second, secret record behind the one you are shown. What a work timeline contains is exactly what everyone is looking at.
Proof: the Redact control and auto-hidden "Personal" entries in the member timeline; employees share the manager's view of their data.

What cannot be hidden?
Genuine policy violations. If a company has capture policies for data handling, for example exporting customer PII, those events are recorded as policy captures, locked in the timeline, and stay visible to compliance; redaction does not remove them. This is deliberate and disclosed. The same openness applies to one more limit: redaction is unavailable for roles a company flags as a data-leak risk. The three stages exist to protect people, not to provide cover for policy breaches, and drawing that line openly is part of what makes the rest of the privacy design credible.
Proof: the locked "Policy capture" state in the member timeline.

Why does recording work instead of people build trust?
Because every part of the design either gives something back or takes a threat off the table. Transparency: employees see exactly what managers see. Restraint: nudges are off by default, so the software never pings anyone into looking busy. Fairness: scores attach to work sessions, not people, and can be contested with "Change my score". And memory: timelines accumulate into a searchable chronicle, so the same record that gives a manager answers gives each employee their own history back, findable when they need it.
Monitoring that stores footage asks employees to accept risk for someone else's benefit. Recording work rather than people removes the risk and shares the benefit, and that is a bargain people can actually accept.
Proof: nudges off by default in Automations; contestable scores; employees share the manager's view; past activity searchable through chat and MCP, permission-scoped by role.

Privacy FAQs
Can my employer see my screen with ScreenJournal?
Not as footage. ScreenJournal keeps no screenshots or video, so there is nothing to watch back. Managers see derived insight: the timeline, timesheets and reports, with personal activity skipped and PII removed.
Does ScreenJournal log keystrokes?
No. It reads work output, not keystrokes.
If I redact an entry, can anyone else still see it?
No. A redacted entry is erased entirely, so it never appears in anyone's search. Personal activity is auto-hidden before you review anything, and you can additionally redact parts of your timeline.
How long does ScreenJournal keep raw screen data?
It is deleted immediately during processing. ScreenJournal keeps the derived timeline, not the footage, so there is no screenshot or video archive at all.
See the work itself, not screenshots of it
Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.