Privacy Policy

Last updated: April 24, 2026 · Effective date: April 24, 2026

Summary: Compliance Scanner does not store, transmit, or share your spreadsheet data. All PII scanning happens entirely within Google's infrastructure. We collect only the minimum data necessary to deliver the Pro subscription.

Table of Contents

  1. Who We Are
  2. Scope of This Policy
  3. Your Spreadsheet Data
  4. Data We Collect
  5. How We Use Your Data
  6. Third-Party Services
  7. Data Retention
  8. Security
  9. Your Rights (GDPR)
  10. Google API Services
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact & DPO

1. Who We Are

This Privacy Policy is published by Cadaero SARL, a French company trading as Umbra Labs, the publisher of the Compliance Scanner Google Workspace Add-on.

Data Controller

Cadaero SARL (Umbra Labs)

Email: umbra.labs.accademy@gmail.com

Société à Responsabilité Limitée de droit français

2. Scope of This Policy

This policy applies to:

  • Users of the Compliance Scanner Google Sheets Add-on (Free and Pro Plans).
  • Visitors to compliance-scanner.netlify.app.
  • Subscribers to the Pro Plan.

It does not apply to third-party services linked from our website (Google, Stripe, Resend), which have their own privacy policies.

3. Your Spreadsheet Data

🔒 Your spreadsheet data never leaves Google's infrastructure.

Compliance Scanner processes your Google Sheets data exclusively using Google Apps Script, which runs on Google's servers under your own Google account. At no point is your spreadsheet content transmitted to, stored by, or accessible to Umbra Labs or any third-party server.

Specifically:

  • Scanning: The Add-on reads cell values in your spreadsheet to detect PII patterns using regular expressions. This processing occurs entirely within Google's runtime environment.
  • Anonymization: Masking or hashing operations are applied directly to your spreadsheet cells using Google Sheets APIs. No cell content is extracted or stored externally.
  • Backups: When you anonymize data, a backup sheet is created within the same Google Sheets file, in your own Google Drive. Umbra Labs does not have access to this backup.
  • PDF Reports: Compliance reports are generated as Google Sheets documents and saved to your own Google Drive. They are not transmitted to Umbra Labs.

4. Data We Collect

We collect only the minimum data required to operate the service.

Data | Source | Purpose | Legal basis (GDPR)
Email address | Stripe (at subscription) | Send license key; subscription notifications | Contract performance (Art. 6.1.b)
Anonymous account identifier | Generated locally in your Google account | Bind license key to one Google account (anti-sharing) | Legitimate interest (Art. 6.1.f)
License key | Generated by our server on subscription | Authenticate Pro access | Contract performance (Art. 6.1.b)
Subscription status & billing events | Stripe (webhooks) | Activate / revoke Pro access | Contract performance (Art. 6.1.b)
Browser language preference | Stripe (at checkout) | Send license email in your language | Legitimate interest (Art. 6.1.f)
Server function logs | Netlify (automated) | Debugging and service reliability | Legitimate interest (Art. 6.1.f)

We do not collect: your spreadsheet content, names, PII detected in your sheets, scan results, IP addresses (beyond what Netlify logs automatically), or any behavioral analytics.

5. How We Use Your Data

We use the data described in Section 4 solely to:

  • Deliver the Service: validate license keys, activate and revoke Pro access based on subscription status.
  • Communicate with you: send your license key by email, notify you of subscription changes.
  • Maintain service reliability: monitor server function logs to detect and fix errors.
  • Prevent abuse: detect unauthorized sharing of license keys using anonymous account binding.

We do not use your data for advertising, profiling, or any purpose unrelated to delivering the Service.

6. Third-Party Services

We use the following third-party services, each acting as a data processor under their own privacy policies:

Stripe: Payment processing

Processes subscription payments and billing. Stores your payment method and billing history. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy

Resend: Transactional email

Sends the license key email to your address. Resend processes your email address solely to deliver this transactional email. Resend Privacy Policy

Netlify: Hosting & serverless functions

Hosts our website and license server functions. Netlify may log request metadata (IP addresses, timestamps) for security purposes. Netlify Privacy Policy

Google: Add-on runtime & Marketplace

Google provides the Apps Script runtime, Google Sheets API, and Workspace Marketplace. Google's own privacy policy governs the processing of your Google account data. Google Privacy Policy

We do not sell, rent, or share your personal data with any other third parties.

7. Data Retention

  • Email address & license key: retained in Stripe Customer metadata for the duration of your subscription plus 12 months, then deleted.
  • Anonymous account identifier: stored locally within your Google account's User Properties. Deleted when you uninstall the Add-on or call "Deactivate License".
  • Server logs: retained by Netlify for a maximum of 30 days.
  • Your spreadsheet data: never stored by us — not applicable.

8. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • All data transmission is encrypted via HTTPS/TLS.
  • License keys are random UUIDs with no embedded personal information.
  • Webhook payloads from Stripe are verified using cryptographic signatures (HMAC-SHA256).
  • No payment card data is processed or stored by our servers (handled entirely by Stripe).
  • Server function code is hosted on Netlify with access controls.

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority (CNIL) within 72 hours as required by Article 33 of the GDPR.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

Right of Access (Art. 15)

Request a copy of the personal data we hold about you.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Restrict Processing (Art. 18)

Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at umbra.labs.accademy@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority. In France, this is the CNIL.

10. Google API Services

Google API Services User Data Policy

Compliance Scanner's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

This means we only use access to your Google data (Sheets, Drive) to provide features that are visible to and requested by you. We do not use this access for advertising, to create user profiles, or to sell data to third parties.

The Add-on requests the following OAuth scopes:

  • https://www.googleapis.com/auth/spreadsheets — Read and modify spreadsheet data to perform scanning and anonymization.
  • https://www.googleapis.com/auth/script.container.ui — Display the sidebar interface within Google Sheets.
  • https://www.googleapis.com/auth/script.external_request — Contact our license server to validate Pro subscriptions.
  • https://www.googleapis.com/auth/drive — Create PDF compliance report files in your Google Drive (Pro Plan only).

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active Pro subscribers by email at least 14 days before the changes take effect. We encourage you to review this page periodically.

13. Contact & DPO

For any privacy-related question, data subject request, or to reach our Data Protection contact:

Cadaero SARL (trading as Umbra Labs)

Email: umbra.labs.accademy@gmail.com

Website: compliance-scanner.netlify.app

We aim to respond to all privacy requests within 30 days.

You may also contact the French data protection authority (CNIL) at www.cnil.fr if you believe your rights have not been respected.

© 2026 Cadaero SARL (Umbra Labs). All rights reserved.