Privacy Policy

Version: 1.0
Last updated: 6 March 2026
Effective from: 6 March 2026
Controller: DataCraft s.r.o.

1. Data Controller Identification

The data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (hereinafter "GDPR") is:

DataCraft s.r.o.
Company registration number (IČO): 24595675
Registered address: Korunní 2569/108, Vinohrady, 101 00 Prague 10, Czech Republic
Registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 442963

Data protection contact: hello@datatosheets.com

Website: https://www.datatosheets.com

Personal data is processed in accordance with the GDPR and Act No. 110/2019 Coll. on Personal Data Processing (hereinafter the "Personal Data Processing Act"), as amended.

2. Personal Data We Process

Datatosheets is a Google Sheets Add-on that enables automated data transfer from various external platforms directly into the user's Google Sheets. The controller processes only personal data necessary for the operation of the Service. Personal data is not sold to third parties or used for advertising profiling purposes.

2.1 Identification and Contact Data

  • Email address — primary account identifier; used for login, service communication, invoicing, and transactional emails.
  • First and last name — required at registration.
  • Company / organisation name — required for business and agency plans; for other users only to the extent necessary for billing.

2.2 Licence and Subscription Data

  • Licence key — unique subscription identifier assigned to the account.
  • Subscription status — information about active or inactive subscription, selected plan, and expiry date.
  • Registration and activation date.

2.3 OAuth Credentials — External Platform Tokens

The Service connects to external platforms using the OAuth 2.0 protocol. Token storage varies by platform:

  • Meta Ads — OAuth access token and refresh token: Tokens are stored on the Datatosheets backend (PostgreSQL database hosted on Railway.app in the EU West — Amsterdam region). The refresh token is used to automatically renew access without requiring re-authorisation.
  • Google Analytics 4 and Google Ads — OAuth token: Tokens are passed per-request and are not stored long-term on the backend. They are processed exclusively for the duration of the specific API call.
  • Sklik — API token: The token is stored in Google Apps Script User Properties on the user's side; the backend receives it per-request and does not store it long-term.

OAuth tokens are technically pseudonymised personal data — they constitute credentials enabling identification and access to the user's account on the respective platform, and are therefore processed with a level of protection appropriate to personal data.

2.4 API Usage Logs

To ensure functionality, detect errors, and protect the system, the following are recorded:

  • User identifier (internal ID) — linking the log entry to an account.
  • Platform and endpoint — for example "ga4 / fetch", "meta / fetch".
  • Date and time of call — timestamps of API requests.
  • Response status code — success or error type (not the response content).

Logs do not contain data transferred to the user's Google Sheets — this data passes through the backend in transit only and is not stored.

2.5 Billing and Payment Data

  • Billing address, company registration and VAT numbers for B2B invoicing.
  • Transaction history — date, amount, selected plan.
  • Payment details (card numbers, banking details) are not stored by the controller — the payment gateway Stripe processes payment details directly and only provides the controller with payment confirmation and the necessary billing information.

2.6 Technical and Operational Data

  • IP address — recorded at login and during API calls for security and abuse prevention purposes.
  • Login records — date, time, outcome (success/failure).

The Datatosheets backend does not record user-agent information (browser type and operating system).

2.7 Communication and Marketing Data

  • Email communication content — when a user contacts the Provider by email or via a contact form.
  • Email address and name — when a user subscribes to a newsletter or other marketing communications. Processed on the basis of consent given (Section 4.4).
  • Email engagement data — basic interactions (email opens, link clicks) may be recorded for the purpose of optimising content and communication relevance. This processing is based on consent.

2.8 What Datatosheets Does Not Process

Datatosheets has no access to data that a user transfers to their Google Sheets through the Service. Such data passes through the backend in transit only during transfer and is written directly to the user's designated destination. The controller does not access or store it.

Datatosheets also does not process:

  • Personal data of the customer's end users.
  • Special categories of personal data within the meaning of Article 9 GDPR (health data, racial origin, political opinions, etc.).

3. How We Collect Personal Data

3.1 Directly from the Data Subject — Registration and Licence Activation

Basic identification data (email address, first and last name) is collected upon account creation and licence activation via the registration form, or upon first login via Google Workspace.

3.2 Via the OAuth Authorisation Flow

A user may connect their account to external platforms through the Datatosheets interface via a standard OAuth 2.0 authorisation flow. The result is the acquisition of an OAuth token, processed in accordance with Section 2.3 of this Policy.

Google Analytics 4 and Google Ads tokens are not stored via an OAuth flow — they are obtained and passed per-request directly from the Google Apps Script environment each time a report is executed.

3.3 Automatically Through Use of the Service

Usage logs (Section 2.4) and technical data (Section 2.6) are generated automatically with each access to the Datatosheets backend — i.e. when a report is run, at login, or during API calls.

3.4 From Third Parties During Payment Processing

The payment gateway Stripe provides the Provider with payment confirmation and billing details necessary for issuing an invoice.

3.5 Via Email Communication and Contact Forms

When a user contacts the Provider by email or via a contact form, the content of the communication and contact details are retained for the purpose of handling the enquiry.

3.6 Through Voluntary Registration for Marketing Communications

An email address and name are also collected when a user expresses interest in subscribing to a newsletter or registers for free content. In such cases, data is processed solely on the basis of consent given (Article 6(1)(a) GDPR). Consent may be withdrawn at any time (see Section 8.7).

4. Legal Basis for Processing

All processing of personal data is carried out on the basis of at least one lawful legal ground under Article 6(1) GDPR.

4.1 Performance of a Contract — Article 6(1)(b) GDPR

Processing is necessary for the performance of a contract to which the data subject is a party (the Datatosheets Terms of Service). The following are processed on this basis:

  • Email address, name, licence key, and subscription status.
  • OAuth tokens of external platforms.
  • API usage logs.
  • Billing data.

4.2 Compliance with a Legal Obligation — Article 6(1)(c) GDPR

The following are processed on this basis:

  • Billing and accounting data (Act No. 563/1991 Coll. on Accounting; Act No. 235/2004 Coll. on Value Added Tax) — for the period prescribed by applicable law (generally 10 years from the end of the tax period).
  • Records of personal data processing activities as required by GDPR.

4.3 Legitimate Interests — Article 6(1)(f) GDPR

The controller has carried out an internal proportionality assessment (LIA) and determined that the following processing is justified:

  • Service security and abuse prevention: Storing IP addresses and login records to detect unauthorised access and abuse.
  • Service improvement and usage analysis: Pseudonymised usage statistics for the purpose of further development.
  • Protection of legal claims: Retention of communications and contractual documentation.

Data subjects have the right to object to processing based on legitimate interests under Article 21 GDPR (see Section 8.6).

4.4 Consent — Article 6(1)(a) GDPR

The following are processed on the basis of freely given, informed, and unambiguous consent:

  • Marketing communications (newsletter, commercial messages).
  • Web analytics and performance measurement via analytics tools (Google Analytics and similar).
  • Remarketing and marketing pixels (Google Ads, Meta, LinkedIn, Sklik, and others).
  • Statistical processing of registered user data in pseudonymised or anonymised form.

Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal (Article 7(3) GDPR).

5. Third Parties and Processors

Datatosheets shares personal data with third parties solely to the extent necessary for the operation of the Service. Personal data is not sold to third parties. Data processing agreements in accordance with Article 28 GDPR are concluded with processors.

5.1 Infrastructure and Hosting — Railway.app

| Attribute | Detail |
| --- | --- |
| Processor | Railway Corporation |
| Purpose | Hosting of the backend (Node.js/Express API) and PostgreSQL database |
| Region | EU West — Amsterdam, Netherlands (europe-west4) |
| Legal basis for transfer | Data remains within the EEA — SCC not required |
| Privacy policy | railway.app/legal/privacy |

5.2 Payment Gateway — Stripe

| Attribute | Detail |
| --- | --- |
| Processor | Stripe, Inc. |
| Purpose | Processing subscription payments |
| Region | USA (certified under EU-US Data Privacy Framework) |
| Legal basis for transfer | EU-US Data Privacy Framework + SCC under Article 46 GDPR |
| Privacy policy | stripe.com/en-cz/privacy |

Stripe acts as an independent controller with respect to payment data. Datatosheets receives only payment confirmation.

5.3 Google LLC — Google Workspace, Google APIs

| Attribute | Detail |
| --- | --- |
| Role | Google LLC (independent controller for its own products) |
| Purpose | OAuth authorisation for GA4 and Google Ads; distribution of the Add-on via Google Workspace Marketplace |
| Region | EU and outside EU — per Google's policy |
| Legal basis for transfer | EU-US Data Privacy Framework + SCC under Article 46 GDPR |
| Privacy policy | policies.google.com/privacy |

5.4 Meta Platforms, Inc. — Meta Ads

| Attribute | Detail |
| --- | --- |
| Role | Meta Platforms, Inc. (independent controller for its own products) |
| Purpose | OAuth authorisation for the Meta Ads API; transfer of Meta Ads data |
| Nature of data | OAuth access token and refresh token (stored in Datatosheets DB); Meta Graph API data transferred in transit |
| Region | EU and outside EU — per Meta's policy |
| Legal basis for transfer | EU-US Data Privacy Framework + SCC under Article 46 GDPR |
| Privacy policy | facebook.com/policy.php |

5.5 Seznam.cz, a.s. — Sklik API

| Attribute | Detail |
| --- | --- |
| Role | Seznam.cz, a.s. |
| Purpose | Access to Sklik data via API |
| Region | Czech Republic / EU |
| Privacy policy | napoveda.sklik.cz |

5.6 Email Marketing — Systeme.io

| Attribute | Detail |
| --- | --- |
| Processor | Systeme.io (Aurelien Amacker) |
| Purpose | Sending transactional emails, newsletters, automated email sequences; website creation and hosting |
| Nature of data | Email address, name, email engagement data |
| Region | EU (servers in Ireland/EU) |
| Legal basis for transfer | Data within EEA — SCC not required |
| Privacy policy | systeme.io/privacy-policy |

5.7 Analytics and Marketing Tools

Analytics and marketing tools (Google Analytics, Google Ads, Meta, LinkedIn, Sklik, and others) are used to measure website and campaign performance. These tools process visitor data on the basis of cookie consent (see Section 9). Each tool acts as an independent controller or processor under its own terms.

5.8 Public Authorities

Personal data may be disclosed to public authorities (Czech Police, courts, administrative bodies) where required by applicable law or a binding decision, and solely to the extent necessary.

6. Data Retention

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or for the period required by law.

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| User account (email, name, licence key, status) | Duration of contractual relationship + 3 years after termination | Legitimate interest; statutory limitation period |
| OAuth tokens — Meta Ads | Duration of active connection + 30 days after disconnection or deletion | Performance of contract; then deleted |
| OAuth tokens — Google (per-request) | Not stored long-term — processed within the API call | Performance of contract |
| Sklik API token | Not stored on the backend — managed in the user's environment | |
| API usage logs | 12 months from the record | Legitimate interest (security, debugging) |
| IP addresses and login records | 6 months from the record | Legitimate interest (security) |
| Billing data and accounting documents | 10 years from the end of the tax period | Legal obligation (Accounting Act, VAT Act) |
| Email communications (support) | 3 years from resolution of the enquiry | Legitimate interest (legal claims) |
| Marketing contacts and consent records | Duration of consent + 3 years after withdrawal | Legal obligation (demonstrating lawfulness) |

7. International Data Transfers

Datatosheets prioritises processors with data centres within the European Economic Area (EEA). Where personal data is transferred outside the EEA (Google, Meta, Stripe), appropriate safeguards are ensured under Article 46 GDPR.

7.1 Standard Contractual Clauses (SCC)

Transfers to third countries are carried out using standard contractual clauses approved by the European Commission by Decision (EU) 2021/914 of 4 June 2021 ("SCC").

7.2 EU-US Data Privacy Framework

Google LLC, Meta Platforms, Inc., and Stripe, Inc. are certified under the EU-US Data Privacy Framework (DPF), approved by Commission Decision (EU) 2023/1795 of 10 July 2023.

7.3 Overview of Transfers Outside the EEA

| Recipient | Country | Mechanism |
| --- | --- | --- |
| Google LLC | USA | EU-US DPF + SCC |
| Meta Platforms, Inc. | USA | EU-US DPF + SCC |
| Stripe, Inc. | USA | EU-US DPF + SCC |
| Railway.app | Netherlands (EEA) | No transfer outside EEA |
| Systeme.io | EU | No transfer outside EEA |

Copies of the applicable SCC are available upon request at hello@datatosheets.com.

8. Data Subject Rights

To exercise these rights, contact the controller at hello@datatosheets.com. Requests will be responded to within 30 days of receipt (extendable by a further 60 days in exceptional cases). Exercising rights is free of charge.

8.1 Right of Access — Article 15 GDPR

A data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and if so, to access that data and information about: the purposes and categories of data processed, recipients, retention periods, and sources of data.

8.2 Right to Rectification — Article 16 GDPR

A data subject has the right to request the rectification of inaccurate personal data or the completion of incomplete data.

8.3 Right to Erasure ("Right to be Forgotten") — Article 17 GDPR

A data subject has the right to request the erasure of their personal data where the data is no longer necessary, consent is withdrawn, there are no overriding legitimate grounds, or erasure is required to comply with a legal obligation.

The right to erasure does not apply where processing is necessary for compliance with a legal obligation (e.g. retention of accounting records) or for the establishment, exercise, or defence of legal claims.

8.4 Right to Restriction of Processing — Article 18 GDPR

A data subject has the right to request restriction of processing of their personal data in the cases provided for in Article 18 GDPR.

8.5 Right to Data Portability — Article 20 GDPR

A data subject has the right to receive personal data in a structured, commonly used, and machine-readable format (JSON or CSV), where processing is based on consent or contract and is carried out by automated means.

8.6 Right to Object — Article 21 GDPR

A data subject has the right to object at any time to processing based on legitimate interests under Article 6(1)(f) GDPR. The controller will cease processing unless it demonstrates compelling legitimate grounds that override the data subject's interests.

Where personal data is processed for direct marketing purposes, the data subject may object at any time without giving reasons.

8.7 Right to Withdraw Consent — Article 7(3) GDPR

Where processing is based on consent, the data subject has the right to withdraw consent at any time. Consent to marketing communications may be withdrawn by clicking the unsubscribe link in any email or by contacting hello@datatosheets.com.

8.8 Right Not to Be Subject to Automated Decision-Making — Article 22 GDPR

Datatosheets does not carry out automated decision-making, including profiling, that would produce legal or similarly significant effects on the data subject.

8.9 Right to Lodge a Complaint with a Supervisory Authority

Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Tel.: +420 234 514 111 | Email: posta@uoou.cz | Web: www.uoou.cz

A complaint may also be lodged with the supervisory authority in the relevant EU member state under Article 77 GDPR.

9. Cookies and Tracking

9.1 Website datatosheets.com

The Datatosheets website uses cookies and similar tracking technologies.

Necessary cookies (no consent required): session management cookies upon login, security cookies (CSRF protection), and cookies necessary for the operation of the cookie banner.

Analytical and performance cookies (require consent): analytics tools (e.g. Google Analytics) used to measure website traffic and visitor behaviour.

Marketing cookies (require consent): marketing pixels and tags (e.g. Google Ads, Meta, LinkedIn, Sklik) used to measure advertising performance and for remarketing.

Upon the first visit, a cookie banner is displayed allowing visitors to accept or reject individual categories. Consent may be modified or withdrawn at any time via the cookie settings link on the website.

9.2 Google Sheets Add-on

The Datatosheets Add-on does not use cookies. Persistent data is stored exclusively via Google Apps Script User Properties and ScriptProperties.

9.3 Backend API

The Datatosheets backend API does not use cookies. Authentication is performed via JWT (JSON Web Token) passed in the HTTP header of each request.

10. Google API Services User Data Policy Compliance

10.1 Limited Use Statement

"The use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements."

10.2 Google Data Access Scopes (OAuth Scopes)

| Scope | Purpose |
| --- | --- |
| auth/analytics.readonly | Reading Google Analytics 4 data for report generation |
| auth/adwords | Reading Google Ads data for report generation |
| auth/spreadsheets | Writing report output data to the user's Google Sheets |
| auth/userinfo.email | Obtaining the Google account email address for login |
| auth/script.external_request | Communication between the Add-on and the Datatosheets backend |

10.3 Restrictions on Use of Google Data

  1. Data is used exclusively to provide the Datatosheets functionality. Data is not used for any other purpose.
  2. Data from Google API Services is not sold to third parties, not shared with advertising networks or data brokers, and not used for ad targeting.
  3. Employees and contractors have no access to the content of data from Google API Services, except where the user has given explicit consent, for necessary internal operational needs, for security purposes, or to fulfil legal obligations.
  4. Data from Google API Services is not transferred to third parties except where necessary for the provision of the Service.

10.4 Revoking Access

Access by Datatosheets to Google data may be revoked at any time at myaccount.google.com/permissions or via account settings in the Datatosheets interface.

11. Data Processing Agreement (DPA)

11.1 Business Customers — Processor vs. Controller

Where a Datatosheets customer uses the Service as a business or legal entity in connection with data relating to their own clients or employees, the customer acts as the data controller and Datatosheets acts as the processor within the meaning of Article 4(8) GDPR. The conclusion of a DPA under Article 28 GDPR is a necessary condition for lawful processing.

11.2 DPA Content

The DPA between the customer and DataCraft s.r.o. covers in particular: the subject matter, nature, purpose, and duration of processing; categories of data subjects and types of personal data; processor obligations under Article 28(3) GDPR; conditions for engaging sub-processors.

11.3 Concluding a DPA

The DPA is available at: https://www.datatosheets.com/privacy-policy
Business customers may also contact us at hello@datatosheets.com.

11.4 Sub-Processors

Datatosheets as processor uses the sub-processors listed in Section 5. By concluding the DPA, the customer grants general authorisation for the engagement of sub-processors in accordance with Article 28(2) GDPR. Customers will be notified of planned changes with reasonable advance notice.

12. Contact Information

DataCraft s.r.o.
Korunní 2569/108, Vinohrady, 101 00 Prague 10, Czech Republic
Email: hello@datatosheets.com

Requests will be responded to within 30 days of receipt. The controller reserves the right to request additional identification information to verify the identity of the requestor.

Datatosheets does not currently appoint a Data Protection Officer (DPO), as the scope of personal data processing does not meet the conditions for mandatory DPO appointment under Article 37 GDPR.

13. Version History

| Version | Date | Description |
| --- | --- | --- |
| 1.0 | 6 March 2026 | First publication |

This Policy may be updated from time to time. In the event of material changes, data subjects will be notified with reasonable advance notice via email or a notification in the Datatosheets interface, no later than 30 days before the changes take effect. Previous versions are available upon request at hello@datatosheets.com.