Info2Sheets
PricingBlogDocsLoginSign Up

Privacy Policy

Last updated: April 2, 2026

1. Introduction

Info2Sheets is a product developed, operated, and maintained by Fenqora LLC, a Delaware limited liability company ("Fenqora," "we," "us," or "our"). This Privacy Policy explains how we collect, use, store, and share information when you use our service at info2sheets.com (the "Service").

This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, Brazil's LGPD, and other applicable data protection laws. Where these laws grant you rights, we honor them regardless of where you are located.

2. Data Controller and Data Processor

Info2Sheets acts in two distinct capacities:

  • Data Controller for the personal data of our registered users (your account information, billing data, and usage metadata).
  • Data Processor on behalf of our users for any personal data contained in form submissions that pass through our Service. In this capacity, we act solely on your instructions and do not use that data for our own purposes. If you collect personal data from your end-users via HTML forms and route it through Info2Sheets, you are the Data Controller responsible for that data collection and for providing appropriate notices to your end-users.

3. Information We Collect

  • Account Information: First name, last name, email address, and hashed password when you create an account.
  • Billing Information: Subscription plan, billing period, and Stripe customer ID. We do not store full credit card details — payment processing is handled by Stripe.
  • Form Configuration Data: Google Sheet IDs and allowed domains you configure in your dashboard.
  • Usage Metadata: We track submission counts (not submission content) per API key for billing, rate-limiting, and analytics purposes.
  • Submission Request Logs: When your site sends a form submission, we log certain request metadata (including IP address, user agent, origin/referrer, country derived from IP, and payload size) in our database for security, abuse prevention, debugging, analytics, and operating and billing the Service. In addition, IP addresses are processed ephemerally by Cloudflare for security and DDoS protection, and access logs may be retained by our infrastructure provider.
  • Communications: If you contact us via email or the contact form, we retain the content of that communication.

Form Submission Content: We do not store the content of form submissions. Data flows transiently through our worker and is written directly to your Google Sheet. Once the write operation completes, the submission data is cleared from volatile memory.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under GDPR Article 6:

  • Performance of a Contract (Art. 6(1)(b)): Processing your account data, form configurations, and billing information to provide the Service you have signed up for.
  • Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, rate-limiting, and service improvement. Our legitimate interests do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Retaining billing records to comply with tax and accounting obligations.
  • Consent (Art. 6(1)(a)): For marketing communications, where you have opted in.

5. How We Use Your Data

  • To create and manage your account and authenticate you.
  • To facilitate the transfer of data from your web forms to your Google Sheets.
  • To process payments and manage subscriptions via Stripe.
  • To send transactional emails (account confirmations, billing receipts, security alerts).
  • To enforce our Fair Use Policy, rate limits, and Terms of Service.
  • To prevent abuse, fraud, and unauthorized access.
  • To comply with legal obligations.

6. Third-Party Services and International Data Transfers

  • Google Cloud / Google Sheets API: We use the Google Sheets API to write your form data to your designated spreadsheet. Google may process data in the United States and other countries. Google is certified under the EU-U.S. Data Privacy Framework.
  • Stripe: Handles payment processing. Stripe is certified to PCI DSS Level 1 and complies with GDPR via Standard Contractual Clauses (SCCs). Their privacy policy is available at stripe.com/privacy.
  • Cloudflare: Our infrastructure, CDN, and security provider. Cloudflare may process IP addresses and request metadata for DDoS mitigation and performance optimization. Cloudflare complies with GDPR and participates in the EU-U.S. Data Privacy Framework.
  • Resend: We use Resend for transactional email delivery. Only your email address and name are shared for the purpose of sending account-related communications.

When we transfer personal data outside the EEA or UK, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms as required by applicable law.

7. Data Retention

  • Form Submission Content: Not retained. Once successfully written to Google Sheets, data is cleared from our systems immediately.
  • Submission Counts: Retained while your account is active and for up to 90 days after account deletion for billing dispute resolution.
  • Submission Request Logs: Request metadata (IP address, user agent, referrer/origin, country, and payload size) is stored in our database to operate and secure the Service. These logs are retained while the relevant forms and your account are active. They are soft-deleted when a form is deleted, and purged along with your other account data within 30 days of account deletion, except where retention is required by law. We do not currently perform additional time-based anonymization or purging beyond this process.
  • Account Data: Retained for the duration of your account. Upon deletion, your account data (including associated Submission Request Logs) is soft-deleted and permanently purged within 30 days, except where retention is required by law.
  • Billing Records: Retained for up to 7 years to comply with tax and accounting obligations.
  • Access Logs: Retained by Cloudflare per their standard retention policies (typically up to 30 days).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data via your dashboard settings or by contacting us.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated personal data, subject to legal retention obligations.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Right Not to Be Subject to Automated Decision-Making: We do not make legally significant automated decisions about you.

California Residents (CCPA/CPRA): You have the right to know what personal information we collect, to delete it, to correct inaccuracies, and to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. To submit a verifiable consumer request, contact us at the address below. We will not discriminate against you for exercising these rights.

To exercise any of these rights, contact us at privacy@fenqora.com. We will respond within 30 days (or sooner as required by applicable law). We may ask you to verify your identity before acting on your request.

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority (DPA). A list of EEA DPAs is available at edpb.europa.eu.

9. Cookies and Tracking

We use the following cookies:

  • Authentication Cookies (strictly necessary): HttpOnly session cookies to keep you logged in. These are essential for the Service to function and cannot be disabled.

We do not use advertising, tracking, or analytics cookies. We use privacy-focused, cookieless analytics provided by Cloudflare Web Analytics to understand aggregate usage of the Service. This involves loading a third-party script from Cloudflare, but it does not use cookies or cross-site tracking pixels to track you across other sites.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Passwords hashed using PBKDF2-SHA256 with 100,000 iterations.
  • All data transmitted over HTTPS/TLS.
  • HttpOnly cookies to prevent XSS-based token theft.
  • Rate limiting to prevent brute-force attacks.
  • Optional two-factor authentication (TOTP) for account security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (within 72 hours for GDPR-covered breaches).

11. Children's Privacy

Our Service is not directed to children under 16 years of age (or under 13 in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at privacy@fenqora.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website at least 30 days before changes take effect (where required by law). Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

Info2Sheets is operated by Fenqora LLC. For privacy-related inquiries, data subject requests, or to reach our data protection contact:

Privacy Requests: privacy@fenqora.com
General Support: support@fenqora.com
Website: fenqora.com