Privacy Policy

1. Who we are

Sheetspin is a web application that provisions complete website backends — forms, content modules, galleries, newsletters, and more — entirely within your own Google Drive. The service is provided as-is with no warranty.

2. Data we do not collect

Sheetspin does not operate any server-side infrastructure that processes your data. Specifically, we do not collect:

• Your name, email address, or Google account information
• Your OAuth access token or refresh token
• Your form configuration (fields, names, settings)
• Any submissions sent through forms you create
• IP addresses, device identifiers, or browser fingerprints
• Usage analytics or behavioral data

3. Google OAuth and access tokens

To create Google Sheets and Apps Script projects on your behalf, Sheetspin requests a short-lived OAuth 2.0 access token from Google. This token:

• Is stored only in your browser's memory (JavaScript variable) — never in localStorage, cookies, or any server.
• Is used exclusively to make Google API calls to create and manage your Sheet and Apps Script resources.
• Is discarded automatically when you close or refresh the page.
• Is never transmitted to any Sheetspin server or third-party service.

4. OAuth scopes requested

When you sign in, Google will show you the permissions Sheetspin is requesting. Here is exactly what each scope is used for:

Sheetspin never requests full Drive access. When you delete a site, the Google Sheet and its bound Apps Script are permanently deleted together — the script is embedded in the spreadsheet, so removing the sheet removes everything.

The Apps Script deployed to your Google Drive declares its own scopes separately from the Sheetspin web app. When you authorize the script, Google will show it requesting: access to that one spreadsheet only (spreadsheets.currentonly), read access to its Drive folder (drive.readonly — required to list files in asset storage modules), and the ability to send email on your behalf (script.send_mail). These permissions are granted to the script running under your own Google account — not to Sheetspin.

5. Google user data accessed and how it is used

When you sign in with Google, Sheetspin receives the following data from Google's APIs. All of it is accessed via your OAuth token, which lives only in browser memory and is never transmitted to Sheetspin.

Sheetspin uses Google user data solely for the purposes described above. Your data is never used for advertising, profiling, training machine-learning models, or any purpose beyond operating the features you directly request.

6. Third-party data sharing

Sheetspin does not share any Google user data with third parties — no advertising networks, analytics providers, data brokers, or other external services. Our server does not receive, process, or store any Google user data; our only server-side functionality is internal cache revalidation for our own site content.

The only external systems your data ever reaches are Google's own APIs (Drive, Apps Script, OAuth), and those interactions are governed by Google's Privacy Policy.

7. Data storage and security

Because Sheetspin has no backend, there is no Sheetspin-controlled database or server where your data could be breached. All operations run in your browser using your own OAuth token. The only data stored after provisioning lives in your own Google account — your Google Sheet and bound Apps Script project — and is protected by Google's own security infrastructure.

The Sheetspin website is served over HTTPS. No personal data, OAuth tokens, or Google user data are written to localStorage, cookies, IndexedDB, or any persistent browser storage.

8. Data retention and deletion

Because Sheetspin stores none of your personal data or Google user data on its own infrastructure, there is no Sheetspin-side retention period:

• Your OAuth access token is discarded automatically when you close or refresh the page.
• Your site configuration and any form submissions are stored exclusively in your own Google Sheet — you retain full ownership and can delete them at any time.

To delete your data:

• Revoke Sheetspin's access to your Google account at myaccount.google.com/permissions — this immediately prevents any future use of your credentials by the app.
• Delete the Google Sheets and Apps Script files Sheetspin created from your own Google Drive to remove all provisioned resources.

If you have any questions about data deletion or believe data has been retained in error, contact us using the details in Section 15 below.

9. No server-side data processing

Sheetspin has no server-side features that process or store your data. All operations — creating Drive folders, Sheets, and Apps Script projects — run entirely in your browser using your own OAuth token. Nothing passes through Sheetspin infrastructure.

10. Your site submissions and data

After provisioning, visitors who submit forms or query your site's API do so directly from their browser to your Google Apps Script deployment URL. That data goes directly into your Google Sheet and (for forms) is emailed to you. We never see, intercept, or store any submissions or site data.

Form submission data is write-only at the API level — the API endpoint does not serve submission records back to callers. Only you can read submissions, via your own Google Sheet.

You are responsible for the data collected through modules you create. If you collect personal information from your visitors, ensure your own site's privacy policy accurately reflects that.

11. Optional write password

Sheetspin gives you the option to set a write password on your site. This enables a content management API — allowing you to update and delete rows via an authenticated POST request. Here is exactly how it is handled:

• Your password is hashed in your browser before anything is sent anywhere. Only the hash is transmitted — the password itself never leaves your device.
• The hash is stored in your own _manifest tab, inside your own Google Sheet. Sheetspin does not receive, store, or have access to it.
• Sheetspin never knows your password — not during setup, not ever.
• Authentication produces short-lived session tokens that are stored only within your Apps Script deployment, under your own Google account.
• Sessions expire after one hour. Changing your password automatically invalidates all active sessions.

The write password feature is entirely optional. If you do not set one, no password data of any kind is stored anywhere.

12. Google's privacy policy

By signing in with Google, you are also subject to Google's own privacy policy and terms of service. The resources created in your Google Drive (Sheets, Apps Script) are governed by Google's terms, not ours.

You can revoke Sheetspin' access to your Google account at any time by visiting myaccount.google.com/permissions and removing Sheetspin from the list of connected apps.

13. Cookies and tracking

Sheetspin does not use cookies, local storage, session storage, or any tracking pixels. There are no analytics scripts or external sign-in SDKs loaded on this site. Sign-in is handled by opening a standard OAuth 2.0 popup directly to Google's authorization endpoint — no third-party scripts are injected.

14. Changes to this policy

If this privacy policy changes materially, the “Last updated” date at the top will be revised. Since we collect no personal data, changes are unlikely to affect you.

15. Contact

Questions about this privacy policy? Contact us.