Privacy Policy
Effective date: June 11, 2026
This Privacy Policy explains how SheetsGate collects, uses, stores, and protects information when you use our hosted MCP platform for Google Sheets. Access to Google Drive is scoped to only the specific spreadsheets you authorize — no broad Drive access is requested or stored.
1. Information We Collect
We collect information you provide directly (such as account details and token labels), information from Google during OAuth connection, and service telemetry required to operate, secure, and improve the platform.
- Account information (email, user ID, plan and subscription status).
- Google authorization data required to access your Sheets (read/write as tools permit) and the specific spreadsheets you grant access to via the file picker — no broader Drive access.
- MCP token metadata and hashed token credentials for authentication.
- Usage and operational logs (tool called, timestamp, status code, duration, rate-limit and security events).
2. How We Use Information
- Provide the core service and execute MCP tool requests you initiate.
- Authenticate access, prevent abuse, and enforce plan limits and rate limits.
- Maintain billing, support, analytics, and fraud/security monitoring.
- Comply with legal obligations and enforce our Terms of Service.
3. Google Data and Permissions
You authorize SheetsGate to access Google Sheets data (reads and writes as tools permit) and Google Drive within read-only scope for spreadsheet discovery and file metadata, strictly as needed to provide requested features. You are responsible for ensuring you have rights to grant access to any data your account or tokens expose to AI clients.
We do not sell, rent, or transfer Google user data to third parties for advertising, profiling, or any purpose unrelated to operating the service. Google user data is accessed only by:
- Infrastructure providers — cloud hosting, database, and caching providers that store and process data on our behalf under confidentiality obligations and solely to operate SheetsGate.
- Stripe / Paddle — billing processors that handle payment information. They do not receive Google user data.
No other third party receives, processes, or has access to your Google user data. We use Google data only to provide and secure the service and for no other purpose.
4. Data Security
We apply the following technical and organizational measures to protect your data:
- Encryption at rest — Google OAuth tokens (access and refresh tokens) are encrypted using AES-256-GCM with a derived key before being stored. They are never written to disk in plaintext.
- Encryption in transit — all communication between your browser, our servers, and Google APIs is encrypted via TLS (HTTPS). Unencrypted connections are rejected.
- Credential hashing — MCP token credentials are stored as bcrypt hashes (12 rounds). The original token value is never stored and cannot be recovered by us or anyone else.
- Access controls and rate limits — each MCP token has independent permissions and per-token rate limits. Tokens can be revoked individually from the dashboard at any time.
- Audit logging — security events, authentication attempts, and tool invocations are logged to detect and respond to unauthorized or abusive usage.
No service can guarantee absolute security. You must keep your account credentials and MCP tokens confidential and rotate or revoke tokens if compromise is suspected.
5. AI Client and Third-Party Processing
When you configure an MCP token in a third-party AI client, requests and outputs may be processed by that client and its providers under their own terms and privacy policies. We do not control third-party systems, prompts, model behavior, or downstream data handling.
6. Data Retention
We retain account, token, billing, and operational records as long as reasonably required to operate the service, satisfy legal obligations, resolve disputes, and enforce agreements. We may retain limited security and audit logs after account closure where necessary.
7. Your Choices and Rights
- You can revoke MCP tokens and disconnect linked Google accounts from the dashboard.
- You can stop using the service at any time.
- If you need privacy-related support, contact us through the support channel in your dashboard.
8. International Transfers
Our providers may process data in multiple jurisdictions. By using SheetsGate, you understand that information may be transferred to countries with different data protection laws than your own jurisdiction.
9. Children
SheetsGate is not intended for children under 13 (or the minimum age required in your jurisdiction). Do not use the service if you are not legally eligible.
10. Google API Limited Use Disclosure
SheetsGate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we affirm that:
- Google user data is used only to provide or improve user-facing features described in this policy and visible to the user within SheetsGate.
- Google user data is not used for serving advertisements or for any advertising-related purpose.
- Google user data is not sold, rented, or transferred to third parties except as necessary to operate the service (infrastructure providers under confidentiality obligations), or as required by law.
- Google user data is not used to train general-purpose AI or machine learning models outside of the service features directly requested by the user.
- Humans do not read your Google user data unless you explicitly share it with support, it is necessary for security investigation, or required by law.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Continued use of the service after updates means you accept the revised policy.