Privacy Policy

What We Collect

• Email address — used for rate limiting, license verification, and account identification. Collected when you use the Google Sheets add-on or sign up for Pro.
• Formula prompts — the text you type to generate, explain, or debug formulas. Sent to our AI provider to generate responses. Not stored after the request completes.
• Usage counts — how many formulas you generate per day, stored to enforce free tier limits.

What We Don't Collect

• Bulk spreadsheet data — the Google Sheets add-on only reads the header row, up to three sample data rows, the locale of the active sheet, and the formula or value of the cell you currently have selected (used as context for the AI). We never store this data after the request completes, and we never read other rows, other sheets, or other files in your Drive.
• Passwords or financial data — payments are processed entirely by Lemon Squeezy. We never see your credit card details.
• Browsing activity — we don't use tracking cookies or third-party analytics that follow you across the web.

How We Use Your Data

• To generate, explain, and debug spreadsheet formulas via our AI provider (OpenRouter/Meta Llama).
• To enforce daily free usage limits and verify Pro subscriptions.
• To process payments and manage subscriptions via Lemon Squeezy.

Third-Party Services

• OpenRouter — processes formula generation requests. Subject to OpenRouter's Privacy Policy.
• Lemon Squeezy — processes payments. Subject to Lemon Squeezy's Privacy Policy.
• Upstash — stores usage counts and license data. Subject to Upstash's Privacy Policy.
• Vercel — hosts the application. Subject to Vercel's Privacy Policy.

Sharing of Google User Data

The Google Workspace add-on requests the following OAuth scopes:

• https://www.googleapis.com/auth/spreadsheets.currentonly — read/write access scoped to the spreadsheet you have open while the add-on sidebar is active. Used to (a) read the header row, up to three sample data rows, and the locale of the active sheet so the AI can generate formulas that match your data layout, (b) read the formula or value of the cell you currently have selected when you ask FormulaPad to explain or debug it, and (c) write the generated formula back into the cell you choose. We do not read other rows, other sheets in the same workbook, file metadata, named ranges, or any sheet you do not have open.
• https://www.googleapis.com/auth/userinfo.email — your Google account email address. Used to identify your account, enforce daily free-tier limits, and verify Pro entitlements.
• https://www.googleapis.com/auth/script.external_request — allows the add-on to call the FormulaPad API at formulapad.app to generate formulas.
• https://www.googleapis.com/auth/script.container.ui — allows the add-on to render its CardService sidebar.

FormulaPad does not request, receive, store, or transmit data outside what the scopes above describe — in particular no Drive file listings, no other spreadsheets, no calendar events, and no contacts.

We share Google user data only with the following sub-processors, only to the minimum extent necessary to deliver the service you requested:

• Vercel, Inc. — hosts the FormulaPad application servers that receive your add-on requests. Used to terminate TLS and execute server-side code. Privacy Policy.
• Upstash, Inc. — stores your email address (hashed-lowercased, used as a key) alongside daily usage counters and license status. Used to enforce free-tier limits and verify Pro entitlements. Privacy Policy.
• OpenRouter, Inc. — receives the formula prompt text you type and the column headers / locale you provide as context, in order to generate, explain, or debug formulas. OpenRouter does not receive your email address. Privacy Policy.
• Lemon Squeezy (Paddle, Inc.) — receives your email address only when you initiate a Pro checkout, in order to issue the license and process payment. Privacy Policy.

FormulaPad does not sell Google user data, does not use Google user data for advertising, and does not allow humans to read your data except (a) with your explicit permission, (b) to comply with applicable law, or (c) for security purposes such as investigating abuse. This is consistent with the Google API Services User Data Policy, including the Limited Use requirements.

Data Protection & Security

We protect Google user data and other personal data with the following technical and organizational measures:

• Encryption in transit. All traffic between the Google Sheets add-on, the FormulaPad website, our backend on Vercel, and every sub-processor is encrypted with TLS 1.2 or higher (HTTPS).
• Encryption at rest. Email addresses, usage counters, and license records stored in Upstash Redis are encrypted at rest by Upstash. Payment records held by Lemon Squeezy are encrypted at rest by Lemon Squeezy.
• OAuth tokens. Google OAuth access tokens are issued by Google to the Apps Script runtime and are never transmitted to or stored on FormulaPad servers. We only see the email address that the runtime exposes via Session.getActiveUser().getEmail().
• Minimal scopes. We request the narrowest OAuth scopes that allow the add-on to function (see the "Sharing of Google User Data" section above). In particular we use spreadsheets.currentonly rather than full spreadsheets access, so the add-on can only see the sheet you have open while the sidebar is active.
• No long-term prompt storage. Formula prompts and column headers are processed in real time and discarded once the response is returned. They are not written to logs, databases, or any analytics system.
• Secret management. API keys and webhook secrets are stored as encrypted environment variables in Vercel and are never committed to source control or exposed to the client.
• Access control. Production credentials and the Upstash database are accessible only to the project owner. Multi-factor authentication is enabled on all administrative accounts (Google Cloud, Vercel, Upstash, Lemon Squeezy, GitHub).
• Incident response. If we become aware of a security incident affecting your data we will notify affected users by email within 72 hours and disclose what was accessed and what we are doing about it.

Data Retention

Usage counts are automatically deleted after 24 hours. License data is retained while your subscription is active and deleted upon cancellation. Formula prompts are not stored — they are processed in real-time and discarded.

Your Rights

You can request deletion of all your data by emailing ardaduba554@gmail.com. If you're in the EU, you have rights under GDPR including access, rectification, erasure, and data portability.

Google API Services Disclosure

FormulaPad's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only access Google Sheets data that you explicitly interact with through the add-on sidebar.

Changes

We may update this policy. Changes will be posted on this page with an updated date. Continued use of FormulaPad after changes constitutes acceptance.

Contact

Questions? Email ardaduba554@gmail.com.