Privacy Policy

Last updated: April 2026

Short version

Sheetspin does not collect, store, or transmit any of your personal data or form submission data. We have no database, no analytics, and no server that receives your information. Your Google OAuth token exists only in your browser's memory for the duration of your session.

1. Who we are

Sheetspin is a web application that uses AI to design and provision complete website backends — forms, content modules, galleries, newsletters, and more — entirely within your own Google Drive. The service is provided as-is with no warranty.

2. Data we do not collect

Sheetspin does not operate any server-side infrastructure that processes your data. Specifically, we do not collect:

  • Your name, email address, or Google account information
  • Your OAuth access token or refresh token
  • Your form configuration (fields, names, settings)
  • Any submissions sent through forms you create
  • IP addresses, device identifiers, or browser fingerprints
  • Usage analytics or behavioral data

3. Google OAuth and access tokens

To create Google Sheets and Apps Script projects on your behalf, Sheetspin requests a short-lived OAuth 2.0 access token from Google. This token:

  • Is stored only in your browser's memory (JavaScript variable) — never in localStorage, cookies, or any server.
  • Is used exclusively to make Google API calls to create and manage your Sheet and Apps Script resources.
  • Is discarded automatically when you close or refresh the page.
  • Is never transmitted to any Sheetspin server or third-party service.

4. OAuth scopes requested

When you sign in, Google will show you the permissions Sheetspin is requesting. Here is exactly what each scope is used for:

Drive (app-created files only)

Create and manage the spreadsheet Sheetspin creates on your behalf. This scope cannot access any other files in your Drive.

Apps Script (projects)

Create the Apps Script project that handles incoming form submissions. The script is created as a container-bound project attached to its spreadsheet — when you delete a form, the sheet and its bound script are deleted together. When Google asks you to authorize the script, it only requests access to that one file — not all your spreadsheets.

Apps Script (deployments)

Deploy the script as a public web app to produce the form endpoint URL.

Your Google profile and email (including openid)

Display your name and avatar in the app, and pre-fill the notification email field with your address. The openid scope is required by Google's OpenID Connect protocol to verify your identity during sign-in — it does not grant access to any additional data.

Sheetspin never requests full Drive access. When you delete a form, the Google Sheet and its bound Apps Script are permanently deleted together — the script is embedded in the spreadsheet, so removing the sheet removes everything.

The Apps Script deployed to your Google Drive declares its own scopes separately from the Sheetspin web app. When you authorize the script, Google will show it requesting access to that one spreadsheet only (using the spreadsheets.currentonly scope — not all your spreadsheets) and the ability to send email on your behalf. These permissions are granted to the script running under your own Google account — not to Sheetspin.

5. AI-powered features (Gemini)

Sheetspin offers two AI-powered features that communicate with Google's Gemini API:

  • Site structure proposal: your plain-English site description is sent to Gemini to propose a module layout. This text is entered by you and contains no personal data unless you choose to include it.
  • Data seeding: when you request AI-generated sample rows, only the tab's column names, module type, and site slug are sent — no actual data, no form submissions, no personal information.

These requests are made via a server-side API route hosted on the Sheetspin domain — the only instance where any data passes through Sheetspin infrastructure. The route forwards the prompt to Gemini and returns the response; nothing is logged or stored. Your use of these features is also subject to Google's privacy policy.

6. Your site submissions and data

After provisioning, visitors who submit forms or query your site's API do so directly from their browser to your Google Apps Script deployment URL. That data goes directly into your Google Sheet and (for forms) is emailed to you. We never see, intercept, or store any submissions or site data.

You are responsible for the data collected through forms you create. If you collect personal information from your visitors, ensure your own site's privacy policy accurately reflects that.

7. Google's privacy policy

By signing in with Google, you are also subject to Google's own privacy policy and terms of service. The resources created in your Google Drive (Sheets, Apps Script) are governed by Google's terms, not ours.

You can revoke Sheetspin's access to your Google account at any time by visiting myaccount.google.com/permissions and removing Sheetspin from the list of connected apps.

8. Cookies and tracking

Sheetspin does not use cookies, local storage, session storage, or any tracking pixels. There are no analytics scripts or external sign-in SDKs loaded on this site. Sign-in is handled by opening a standard OAuth 2.0 popup directly to Google's authorization endpoint — no third-party scripts are injected.

9. Changes to this policy

If this privacy policy changes materially, the “Last updated” date at the top will be revised. Since we collect no personal data, changes are unlikely to affect you.

10. Contact

Questions about this privacy policy? Contact us at RG Marketing Group.