Privacy Policy
Last updated: June 29, 2026
Overview
XLKeys ("we", "our", or "the extension") is a Chrome extension that brings Excel-style keyboard shortcuts, formula auditing, and analysis and workbook health tools to Google Sheets. We are committed to protecting your privacy and being transparent about what data we access and how we use it.
Data We Access
Google Sheets Data
XLKeys accesses Google Sheets data only for spreadsheets you authorize for XLKeys, and only to provide its core functionality. This includes:
- Reading cell formulas and values for formula auditing (Trace Precedents, Trace Dependents)
- Reading and writing cell values for Goal Seek and Sensitivity Tables
- Reading formulas, values, and sheet dimensions for Workbook Health audits (Cell Capacity Audit, Performance Audit)
- Applying formatting changes (number formats, colors, borders, fonts) that you initiate via keyboard shortcuts
- Reading sheet metadata (sheet names, grid dimensions) to support navigation features
All spreadsheet data is processed locally in your browser or through direct authenticated calls to the Google Sheets API. We never send your spreadsheet data to our servers or any third party.
XLKeys uses Google's drive.file scope so API access is limited to specific spreadsheets you choose for XLKeys. If an API-powered shortcut needs access to a spreadsheet that has not been authorized yet, XLKeys prompts you to authorize that spreadsheet once.
XLKeys Account Sign-In
When you sign in from the extension, XLKeys opens xlkeyz.com in a secure browser window. You sign in on the website with Google or email and password. The website completes a PKCE-protected handoff back to the extension; OAuth tokens and session secrets are never placed in the redirect URL.
We receive your email address, display name, profile photo URL when your sign-in provider supplies one, and an opaque account identifier used for your license record and product analytics. This information is shown in the extension so you know which account is signed in.
User Preferences
Your custom shortcut configurations, color palettes, and number format preferences are stored locally in Chrome's built-in storage (chrome.storage.sync) and synced across your Chrome browsers via your Google account. This data never touches our servers.
Data We Send Off Device
The extension communicates with our servers at https://xl-keys.vercel.app for license verification and XLKeys session management. When checking your license status, we send a short-lived XLKeys access token that identifies your account. We do not send Google OAuth tokens to our servers for license checks.
During sign-in, the extension sends a one-time authorization code and PKCE verifier to exchange for XLKeys session tokens. Sign-out sends the extension refresh token so we can revoke that session.
Product Analytics
We use Google Analytics to understand whether XLKeys is working well and which features are useful. Analytics events may include:
- A randomly generated extension installation identifier
- An opaque account identifier after sign-in, used to connect pre-sign-in and post-sign-in activity
- Extension version, Chrome version, and operating system
- Shortcut and feature identifiers, onboarding steps, sign-in entry point, paywall views, and trial events
We do not send your email address, Google OAuth token, spreadsheet contents, formulas, cell values, or file names to Google Analytics.
Data We Store
We store the following on our servers (in a Supabase Postgres database) for every user who signs in:
- Email address — your account identifier
- Opaque account identifier — used to link your website sign-in to your license record
- Subscription status (free, trialing, pro, or canceled) and trial / billing period end dates
- Billing and subscription information (only if you subscribe to Pro) — needed to manage your subscription
- Extension session records — hashed refresh-token identifiers, extension ID, and expiry, used to refresh and revoke signed-in extension sessions
- Account created / updated timestamps
When you first sign in, we automatically create your account with a 30-day Pro trial. No payment information is collected for the trial; if you don't subscribe, your account simply reverts to the free tier when the trial ends.
In your browser, we store user preferences, cached license status, and XLKeys session tokens (a short-lived access token and rotating refresh token) using Chrome's extension storage APIs. Google OAuth tokens for Drive may also be cached by Chrome for API-powered features.
Data Protection and Security
We use technical and organizational safeguards designed to protect the data XLKeys accesses and stores:
- Spreadsheet API access is limited to spreadsheets you explicitly authorize for XLKeys.
- Spreadsheet data is processed locally in your browser or through direct authenticated calls to Google Sheets APIs.
- Spreadsheet contents, formulas, and cell values are not sent to XLKeys servers.
- Google OAuth tokens are used only for authenticated Google API requests and are not sent to or stored on XLKeys servers.
- Google Drive authorization is separate from XLKeys account sign-in, so Pro shortcuts that do not use the Sheets API do not require Drive access.
- Data sent between your browser, Google APIs, XLKeys servers, Supabase, and Stripe is transmitted using HTTPS/TLS.
- Account and license data stored in Supabase is protected by access controls and limited to what is needed to operate XLKeys.
- Payment information is processed by Stripe; XLKeys does not store credit card numbers or card security codes.
- You can request deletion of your account and license records by contacting us at the email address below.
Google Workspace API Limited Use
XLKeys' use and transfer of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Third-Party Services
- Google APIs: We use the Google Sheets API and Google Identity API to provide core functionality. Google's privacy policy applies to data processed by their services.
- Stripe: If you subscribe to Pro, payment processing is handled entirely by Stripe. We never see or store your credit card information. See Stripe's privacy policy.
- Supabase: Our backend uses Supabase for user account and license data storage.
Permissions Explained
- activeTab: Allows the extension to interact with the current Google Sheets tab when you use it.
- storage: Stores your preferences, cached license status, and XLKeys session locally in Chrome.
- scripting: Allows the extension to inject the keyboard shortcut handler and UI into Google Sheets pages.
- identity: Opens the xlkeyz.com sign-in flow and requests Google Drive access separately when an API-powered feature needs spreadsheet authorization.
- Host permissions (docs.google.com, sheets.googleapis.com): Required to inject keyboard shortcut handling into Google Sheets and to call the Sheets API.
Data Retention & Deletion
If you uninstall the extension, all locally stored data (preferences, caches) is automatically removed by Chrome. To delete your account data from our servers, email us at the address below and we will remove your records within 30 days.
Children's Privacy
XLKeys is not directed at children under 13. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the extension after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy or your data, please contact us at: jake@xlkeyz.com