Privacy Policy

Effective: June 2026 · This is a plain-language summary; we don't hide things in fine print.

In one paragraph

MySheetAPI lets you turn Google Sheets into APIs and AI-generated apps. Your spreadsheet data lives in your Google Drive. We store the metadata needed to run the service (your account, project list, API keys, usage counters), an encrypted copy of the OAuth token you grant us, and the structured prompt + blueprint of any AI build you create. We do not sell your data, we do not feed your spreadsheet contents into model training, and you can delete everything from your dashboard.

1. What we collect

  • Account information — name, email, profile image. Provided by Clerk when you sign up.
  • Google OAuth tokens — encrypted at rest with AES-256. Used solely to read/write the Google Sheets you authorise.
  • Project and API metadata — sheet names, column schemas, API key hashes (bcrypt — we never store the plaintext key), IP allowlists, request counters.
  • AI build records — the prompt you typed, the generated blueprint, token usage, and cost. Used to power the build history view and your cost ceiling.
  • Operational logs — request method, status code, latency, IP. Retained for 30 days for debugging and abuse detection.
  • Billing data — handled by Stripe. We store the Stripe customer ID and subscription state, not your card number.

2. What we don't do

  • We don't sell, rent, or share your data with advertisers or data brokers.
  • We don't use your sheet contents or AI prompts to train models.
  • We don't read your sheets except when you explicitly call our API.
  • We don't deploy third-party tracking pixels on the dashboard.

3. Sub-processors

We use these vendors to run the service. Each one sees only the data it needs:

  • Clerk — authentication and session management.
  • Stripe — payment processing.
  • Anthropic — powers the AI builder. Prompts are sent to Claude with caching enabled; Anthropic's own policy applies to processing.
  • Google — Sheets and Drive APIs (your own account).
  • Sentry — error tracking (optional, configurable per deployment).
  • BetterStack / Logtail — log shipping (optional).

4. How long we keep things

  • Account data — until you delete your account.
  • OAuth tokens — until you disconnect Google or delete your account.
  • API request logs — 30 days.
  • AI build history — until you delete the project.
  • Stripe records — retained per Stripe's own policy for tax/audit reasons.

5. Your rights

Under GDPR, CCPA, and similar laws, you can:

  • Access or export everything we store about you (Settings → Export).
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Revoke Google access at any time from your Google account settings or our dashboard.
  • Object to specific processing.

Email privacy@mysheetapi.com for any of these. We respond within 30 days.

6. Security

All traffic uses TLS 1.2+. OAuth tokens are encrypted at rest with AES-256. API keys are hashed with bcrypt before storage. We follow least-privilege access, use MFA for staff, and never log secret keys or webhook bodies. If we discover a breach affecting your data, we'll notify you within 72 hours.

7. Cookies

We use first-party cookies for authentication (Clerk session) and a single preference cookie for dark mode. No analytics or advertising cookies on the marketing site.

8. Children

MySheetAPI is not directed at people under 16. We don't knowingly collect data from minors. Contact us if you believe a minor has signed up and we'll delete the account.

9. Changes

We'll post material changes at least 30 days before they take effect and email everyone with an account. The current version is dated at the top of this page.

10. Contact

privacy@mysheetapi.com for privacy questions, support@mysheetapi.com for anything else.

Note for operators: this page is written for the MySheetAPI hosted service. If you're self-hosting, replace contact details and sub-processors with your own. Consider a legal review before relying on this as your published policy in regulated markets.