Privacy Policy

Effective date: April 3, 2026

Convrt Sheet is a workout tracking web application operated by Convrt. This policy explains what data we access, how we store it, and your rights regarding that data.

1. Data We Access Through Google

When you sign in with your Google account, Convrt Sheet requests access to:

Your profile information (name, email address, profile picture) — used to identify you within the app and display your account details.
Google Sheets (read and write) — to load your workout programming and save your training data (such as RPE ratings and notes) back to sheets you select.
Google Drive file metadata (read-only) — to let you browse and select a workout spreadsheet from your Drive using the file picker.

We never access any Google data beyond these specific permissions.

2. How Your Data Is Stored

Your workout data stays in your own Google Sheets. We never copy, replicate, or store your workout data on our servers.
Encrypted authentication tokens are stored in Cloudflare KV (a secure cloud key-value store) to keep you signed in. These tokens are encrypted with AES-256-GCM and automatically expire after 30 days of inactivity.
Browser cache — exercise data and app settings are cached in your browser's localStorage for offline access and faster loading. This data never leaves your device.
No database — we do not operate any database that stores your personal data or workout information.

3. Third-Party Services

Google APIs (Sheets, Drive, OAuth) — governed by Google's Privacy Policy.
Cloudflare — hosts the application and provides cookie-free, anonymous page view analytics via Cloudflare Web Analytics. No personal data is collected by the analytics.

No other third-party services, advertising networks, or tracking tools are used.

4. Data Sharing

We do not sell, rent, or share your data with any third party. Your workout data is only transmitted between your browser and Google's APIs — never to any other server.

5. Data Retention & Deletion

Encrypted authentication tokens expire automatically after 30 days of inactivity.
Signing out immediately deletes your token from our servers and revokes app access at Google.
Browser cache can be cleared at any time via your browser settings.
You can revoke Convrt Sheet's access at any time via your Google Account security settings.

6. Security

All connections use HTTPS (TLS encryption in transit).
Refresh tokens are encrypted with AES-256-GCM before server-side storage.
Session cookies are HttpOnly, Secure, and SameSite to prevent XSS and CSRF attacks.
Access tokens are stored only in browser memory and are never persisted to disk or sent to our servers.
We support Google's Cross-Account Protection (RISC) program to proactively respond when your Google account's security status changes.

7. Children's Privacy

Convrt Sheet is not directed at children under 13. We do not knowingly collect personal information from children.

8. Changes to This Policy

We may update this privacy policy from time to time. The effective date at the top of this page indicates when it was last revised. Continued use of Convrt Sheet after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions about this privacy policy or your data, contact us at [email protected].