Privacy Policy

Last updated: April 29, 2026

Overview

XLKeys ("we", "our", or "the extension") is a Chrome extension that brings Excel-style keyboard shortcuts, formula auditing, and analysis tools to Google Sheets. We are committed to protecting your privacy and being transparent about what data we access and how we use it.

Data We Access

Google Sheets Data

XLKeys accesses Google Sheets data only for spreadsheets you authorize for XLKeys, and only to provide its core functionality. This includes:

  • Reading cell formulas and values for formula auditing (Trace Precedents, Trace Dependents)
  • Reading and writing cell values for Goal Seek and Sensitivity Tables
  • Applying formatting changes (number formats, colors, borders, fonts) that you initiate via keyboard shortcuts
  • Reading sheet metadata (sheet names, grid dimensions) to support navigation features

All spreadsheet data is processed locally in your browser or through direct authenticated calls to the Google Sheets API. We never send your spreadsheet data to our servers or any third party.

XLKeys uses Google's drive.file scope so API access is limited to specific spreadsheets you choose for XLKeys. If an API-powered shortcut needs access to a spreadsheet that has not been authorized yet, XLKeys prompts you to authorize that spreadsheet once.

Google Account Information

When you sign in with Google, we request the userinfo.email scope, which allows us to access:

  • Your email address — displayed in the extension popup so you know which account is signed in, and used as the identifier for your license record
  • Your Google account ID — a stable, opaque identifier Google assigns to your account, used to link your sign-in to your license record

We do not request the userinfo.profile scope, so we do not have access to your profile photo, gender, birthday, or other profile fields.

User Preferences

Your custom shortcut configurations, color palettes, and number format preferences are stored locally in Chrome's built-in storage (chrome.storage.sync) and synced across your Chrome browsers via your Google account. This data never touches our servers.

Data We Send to Our Servers

The only communication between the extension and our servers is for license verification. When checking your license status, we send:

  • Your Google OAuth token (used to identify your account)

When checking license status, we use your Google authentication token only for that request to verify your account and return your current license tier and expiration date. We do not store the token.

Data We Store

We store the following on our servers (in a Supabase Postgres database) for every user who signs in:

  • Email address — your account identifier
  • Google account ID — used to link your Google sign-in to your license record
  • Subscription status (free, trialing, pro, or canceled) and trial / billing period end dates
  • Billing and subscription information (only if you subscribe to Pro) — needed to manage your subscription
  • Account created / updated timestamps

When you first sign in, we automatically create your account with a 30-day Pro trial. No payment information is collected for the trial; if you don't subscribe, your account simply reverts to the free tier when the trial ends.

In your browser, we store user preferences, cached license status, and a short-lived OAuth token cache — all via Chrome's built-in extension storage APIs.

Data Protection and Security

We use technical and organizational safeguards designed to protect the data XLKeys accesses and stores:

  • Spreadsheet API access is limited to spreadsheets you explicitly authorize for XLKeys.
  • Spreadsheet data is processed locally in your browser or through direct authenticated calls to Google Sheets APIs.
  • Spreadsheet contents, formulas, and cell values are not sent to XLKeys servers.
  • OAuth tokens are used only for authenticated Google API requests and license checks.
  • OAuth tokens are not stored on XLKeys servers.
  • Data sent between your browser, Google APIs, XLKeys servers, Supabase, and Stripe is transmitted using HTTPS/TLS.
  • Account and license data stored in Supabase is protected by access controls and limited to what is needed to operate XLKeys.
  • Payment information is processed by Stripe; XLKeys does not store credit card numbers or card security codes.
  • You can request deletion of your account and license records by contacting us at the email address below.

Google Workspace API Limited Use

XLKeys' use and transfer of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Third-Party Services

  • Google APIs: We use the Google Sheets API and Google Identity API to provide core functionality. Google's privacy policy applies to data processed by their services.
  • Stripe: If you subscribe to Pro, payment processing is handled entirely by Stripe. We never see or store your credit card information. See Stripe's privacy policy.
  • Supabase: Our backend uses Supabase for user account and license data storage.

Permissions Explained

  • activeTab: Allows the extension to interact with the current Google Sheets tab when you use it.
  • storage: Stores your preferences and cached license status locally in Chrome.
  • scripting: Allows the extension to inject the keyboard shortcut handler and UI into Google Sheets pages.
  • identity: Enables Google OAuth sign-in for license verification and one-time spreadsheet authorization.
  • Host permissions (docs.google.com, sheets.googleapis.com): Required to inject keyboard shortcut handling into Google Sheets and to call the Sheets API.

Data Retention & Deletion

If you uninstall the extension, all locally stored data (preferences, caches) is automatically removed by Chrome. To delete your account data from our servers, email us at the address below and we will remove your records within 30 days.

Children's Privacy

XLKeys is not directed at children under 13. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the extension after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy or your data, please contact us at: jake@xlkeyz.com