Gravity Prime (“we”, “us”, “our”) operates the website gravityprime.io and develops the Prime Sheets WordPress plugin. This Privacy Policy explains how we collect, use, and protect information when you use our products and services.
1. What We Collect
When you visit our website
We collect standard web server logs (IP address, browser type, pages visited) and may use analytics tools to understand how visitors use our site. We do not sell this data to third parties.
When you purchase a license
License purchases are processed through Freemius, our licensing partner. Freemius collects your name, email address, and payment information. We receive your name, email, license key, and site URL — but never your payment card details. See Freemius’s Privacy Policy for details on their data handling.
When you use the Prime Sheets plugin
The Prime Sheets plugin operates on your WordPress site. Here is exactly what data is involved:
- Form submission data: The plugin reads Gravity Forms entry data on your server and sends it to Google Sheets via the Google Sheets API. This data travels directly from your server to Google. We never receive, store, or have access to your form submission data.
- OAuth tokens: When you connect your Google account, OAuth tokens (access token and refresh token) are stored encrypted on your WordPress site’s database using sodium_crypto_secretbox. We never store your tokens on our servers.
- License validation: The plugin sends your license key and site URL to our OAuth proxy server to authenticate requests. This is used solely for rate limiting and license verification.
2. Our OAuth Proxy Server
Key point: Our proxy server is stateless. It brokers the OAuth token exchange between your WordPress site and Google, then immediately discards all data. It never stores tokens, form data, or any personally identifiable information.
The Prime Sheets OAuth proxy (hosted on Cloudflare Workers) serves a single purpose: to securely exchange OAuth authorization codes for tokens without exposing Google Cloud credentials in the plugin source code. During this process:
- Your license key and site URL are sent in request headers for authentication and rate limiting.
- Authorization codes and tokens pass through the proxy during the exchange but are never stored or logged.
- The proxy holds only Google Cloud OAuth credentials (Client ID and Client Secret) as encrypted secrets. These are never exposed to the plugin or end users.
Paid users who configure their own Google Cloud credentials bypass the proxy entirely.
3. Google API Services — Use Disclosure
Google API Services User Data Policy compliance: Prime Sheets’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Prime Sheets requests only the drive.file OAuth scope. This is the most restrictive Google Drive scope that allows spreadsheet creation. It means Prime Sheets can only access:
- Spreadsheets that Prime Sheets creates.
- Spreadsheets that you explicitly select via the Google Picker.
Prime Sheets cannot list, browse, read, modify, or delete any other files in your Google Drive. We do not use Google user data for advertising, and we do not share Google user data with third parties except as necessary to provide the service (i.e., writing data to Google Sheets on your behalf).
4. Data Storage and Security
- OAuth tokens are encrypted at rest on your WordPress database using sodium_crypto_secretbox with a plugin-generated 256-bit key.
- Form data never leaves your server except to travel directly to Google Sheets via HTTPS.
- Retry queue data (if a sync fails) is stored in your WordPress database and contains only the row data that would have been sent to Google Sheets. It is deleted after successful retry or on plugin uninstall.
- No data is stored on our servers. The proxy is stateless, and we do not operate any database that stores user data.
5. Third-Party Services
Prime Sheets integrates with the following third-party services:
- Google APIs (Google Sheets API v4, Google Drive API v3) — to create, read, and write spreadsheets. Subject to Google’s Privacy Policy.
- Cloudflare Workers — hosts our OAuth proxy. Subject to Cloudflare’s Privacy Policy.
- Freemius — handles licensing and plugin updates. Subject to Freemius’s Privacy Policy.
6. Data Retention
- OAuth tokens: Stored until you disconnect your Google account or uninstall the plugin.
- Retry queue: Successful items are automatically cleaned up after 24 hours. Failed items persist until manually retried or the plugin is uninstalled.
- Sync logs: Stored as Gravity Forms entry notes. Deleted when the entry is deleted or the plugin is uninstalled.
- On uninstall: All plugin data (tokens, retry queue, entry notes, settings, encryption keys) is permanently deleted from your WordPress database.
7. Your Rights
You have full control over your data:
- Disconnect: Revoke Google access at any time via the plugin settings. This deletes stored tokens and attempts to revoke them with Google.
- Uninstall: Removing the plugin deletes all associated data from your database.
- Google account: You can also revoke Prime Sheets’s access directly from your Google Account permissions page.
- Data export/deletion: Contact us at support@gravityprime.io for any data-related requests.
8. Children’s Privacy
Our products are not directed at children under 16. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of our products after changes constitutes acceptance of the updated policy.
10. Contact
For questions about this Privacy Policy or your data, contact us at:
Email: support@gravityprime.io
Website: gravityprime.io