Privacy Policy

The data controller is Xline-soft (egyéni vállalkozás), registered in Hungary.
Contact: support@gsheetbridge.com

We only collect information necessary to provide our service:

• Your Google account email address (for authentication and account identification)
• Metadata from the Google Sheets you authorize for synchronization (sheet ID, sheet name)
• API usage data (request count, timestamps — for rate limiting and service monitoring)

Google Drive permissions: During registration, the system requests Google Drive access to create your personal Sheet Firewall file and organize it into a dedicated folder. Our service account (gsb-sheets-access@gsb-gsheetbridge-router.iam.gserviceaccount.com) can only access the specific Sheet(s) you have explicitly shared with it — it has no access to any other files in your Google Drive.

We do not store the contents of your Google Sheets on our servers. We do not collect or process sensitive personal data.

We process your personal data based on the following legal grounds under GDPR Article 6(1):

• Contract performance (Art. 6(1)(b)) — processing is necessary to provide the synchronization service you registered for.
• Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and service improvement.
• Consent (Art. 6(1)(a)) — when you explicitly authorize Google Drive access via OAuth 2.0.

Your data is used solely to:

• Provide and maintain the synchronization service you requested
• Authenticate your identity and manage your account
• Monitor API usage and enforce rate limits
• Send service-related notifications (if webhook is configured)

We do not use your data for advertising, profiling, or third-party marketing.

To provide our service, we use the following third-party sub-processors:

• Google Cloud Platform / Firebase (USA) — hosting, authentication, database (Firestore)
• Google Sheets API (USA) — data synchronization

Google is certified under the EU-US Data Privacy Framework. No other third parties have access to your data. We do not sell your data to anyone.

Your data may be processed on Google Cloud servers located in the United States. These transfers are protected by Google's compliance with the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as approved by the European Commission.

We retain your personal data for as long as your account is active. Specifically:

• Account data (email, API keys, secret hash, sheet ID) — stored in Firebase Firestore, retained until you request deletion or your account is terminated
• API usage counter (totalHits) — retained as part of your account record
• Deduplication records — automatically deleted after 10 seconds (TTL-based)
• Webhook queue entries — deleted immediately after successful delivery; failed entries are retained for up to 5 retry attempts, then marked as failed
• Cloud Function logs — retained by Google Cloud Platform for 30 days (Google's default retention)
• No hidden caches — there are no additional server-side caches or backups beyond the above

Upon account deletion, all personal data is permanently removed from our Firestore database within 30 days. Google Cloud logs expire automatically per Google's retention policy.

We implement industry-standard security measures to protect your information:

• Authentication via OAuth 2.0 and Firebase ID Tokens
• All API secrets are stored as SHA-256 hashes (never in plain text)
• All data passes through our Sheet_FireWall layer for additional authentication, validation, and rate limiting
• All connections use HTTPS/TLS encryption

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — request a copy of your personal data
• Right to rectification (Art. 16) — correct inaccurate personal data
• Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"). Please note: automated self-service account deletion is currently under development. In the meantime, deletion requests are processed manually within 30 days.
• Right to restrict processing (Art. 18) — limit how we use your data
• Right to data portability (Art. 20) — receive your data in a machine-readable format
• Right to object (Art. 21) — object to processing based on legitimate interest
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time (e.g., revoke Google OAuth access)

To exercise any of these rights, contact us at support@gsheetbridge.com. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Hungary, the competent authority is:

Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Website: naih.hu
Email: ugyfelszolgalat@naih.hu

If you have any questions about this Privacy Policy or our data practices, please contact us at support@gsheetbridge.com.