Privacy Policy
This policy explains how APPS 365 LTD collects, uses, stores, and protects your personal data when you use SheetForge. We are committed to GDPR compliance.
01 Overview
APPS 365 LTD ("SheetForge", "we", "us") operates appmysheet.com and the SheetForge application platform. This Privacy Policy applies to all users of our website, platform, and related services.
We act as a data controller for personal data you provide directly (account information). Where you use SheetForge to process your own data, we act as a data processor on your behalf.
Key point: Your spreadsheet data is never used by SheetForge for any purpose other than operating the service you requested. We do not sell, rent, or monetise your data.
02 Data Controller
The data controller responsible for your personal data is:
APPS 365 LTD
Company Registration Number: 13955007
Registered in England and Wales
Registered Address: London N1 7GU, United Kingdom
Email: privacy@appmysheet.com
DPO: dpo@appmysheet.com
03 Data We Collect
3.1 Account Data
- Full name and email address
- Password (stored as cryptographic hash – never plain text)
- Company name and job role (optional)
- Billing name and address (paid tiers)
3.2 Usage Data
- Log data: IP address, browser type, OS, referring URL
- Pages visited, features used, session duration
- Error logs and diagnostic information
3.3 Spreadsheet & Application Data
When you connect a data source, SheetForge reads your schema and caches data to generate your application. This data is encrypted at rest, never shared commercially, and deleted upon account closure.
3.4 Payment Data
Payment processing is handled by Stripe (PCI-DSS compliant). SheetForge does not store card numbers, CVV, or authentication data – only a Stripe token reference and billing metadata.
3.5 Communications
If you contact us via email or support, we retain that correspondence to assist you and improve our service.
04 How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the platform | Account data, spreadsheet data | Contract performance |
| Processing payments | Billing data (via Stripe) | Contract performance |
| Sending transactional emails | Email address | Contract performance |
| Platform analytics & improvement | Usage data (anonymised) | Legitimate interests |
| Marketing (opt-in only) | Email, name | Consent |
| Security & fraud prevention | Log data, account data | Legal obligation / Legitimate interests |
| Support requests | Communications data | Legitimate interests |
05 Legal Basis for Processing
- Contract: Processing necessary to deliver the service you've agreed to use.
- Legitimate Interests: Analytics, security, and fraud prevention, where these do not override your fundamental rights.
- Legal Obligation: Where required by applicable law (e.g., financial record-keeping).
- Consent: For optional marketing communications – you may withdraw at any time.
06 Data Sharing
We do not sell your personal data. We share data only in the following circumstances:
6.1 Sub-Processors
- Supabase – Database and storage infrastructure
- Stripe – Payment processing (PCI-DSS Level 1)
- Vercel / AWS / Azure – Hosting and CDN
- Postmark / Resend – Transactional email delivery
- Sentry – Error monitoring (anonymised)
6.2 Microsoft 365 Integration
When you connect OneDrive, your data is processed under your Microsoft 365 tenancy. SheetForge accesses only files and permissions you explicitly authorise via Microsoft OAuth.
6.3 Legal Requirements
We may disclose personal data if required by law, court order, or a competent regulatory authority, and only to the minimum extent necessary.
6.4 Business Transfer
If APPS 365 LTD is acquired or transfers assets, personal data may be transferred. We will notify affected users in advance.
07 Data Retention
- Account data: Duration of account plus 90 days after closure, then permanently deleted.
- Spreadsheet / app data: Deleted within 30 days of account closure or data source disconnection.
- Billing records: Retained 7 years under UK financial regulations.
- Log data: Retained 12 months for security purposes, then purged.
- Marketing consent records: Retained until withdrawal, plus 3 years for compliance evidence.
08 Your Rights
| Right | Description |
|---|---|
| Access | Request a copy of all personal data we hold about you. |
| Rectification | Correct inaccurate or incomplete personal data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Restriction | Ask us to limit processing in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent | Withdraw consent at any time (won't affect prior processing). |
| Lodge a Complaint | Complain to the UK ICO at ico.org.uk. |
To exercise any right, email privacy@appmysheet.com. We will respond within 30 days.
09 Cookie Policy
We use cookies and similar technologies on appmysheet.com. Manage preferences via the banner on your first visit or via browser settings.
9.1 Essential Cookies
- sf_session – Authentication session token (expires on logout)
- sf_csrf – CSRF protection token (session)
- sf-cookie – Your cookie consent preference (1 year)
9.2 Analytics Cookies (with consent)
Used to understand platform usage. IP addresses are anonymised. We do not use Google Analytics and we do not track users across third-party websites.
9.3 Marketing Cookies (with consent)
Used only with explicit consent to measure campaign performance. No advertising retargeting is used on appmysheet.com.
10 Security
- All data in transit encrypted via TLS 1.2 or higher
- Data at rest encrypted using AES-256
- Passwords hashed using bcrypt
- Production access restricted by role and requires multi-factor authentication
- Regular security reviews and dependency audits conducted
In the event of a data breach, we will notify affected users and the ICO within 72 hours as required by UK GDPR.
11 International Data Transfers
APPS 365 LTD is a UK-registered company. Some sub-processors operate infrastructure in the US and EEA. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs). Contact dpo@appmysheet.com for details on any specific transfer mechanism.
12 Children's Privacy
SheetForge is not directed at children under 13. We do not knowingly collect personal data from children. Contact privacy@appmysheet.com immediately if you believe a child has provided data and we will delete it promptly.
13 Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will email registered users, display a prominent notice on appmysheet.com for 30 days, and update the "Last updated" date. Continued use after notice constitutes acceptance.
14 Contact & DPO
For any privacy-related queries, requests, or complaints:
Privacy & Data Protection – APPS 365 LTD
General privacy: privacy@appmysheet.com
Data Protection Officer: dpo@appmysheet.com
Post: APPS 365 LTD, London N1 7GU, United Kingdom
UK supervisory authority (ICO): ico.org.uk – 0303 123 1113