1. Who We Are
SalesSheet ("SalesSheet," "we," "us," or "our") is an AI-powered customer relationship management platform operated by SalesSheet Inc.
If you have questions about this policy, contact us at andres@salessheets.ai.
2. Scope of This Policy
This Privacy Policy describes how SalesSheet collects, uses, stores, and shares information when you use our web application at salessheets.ai and any related services (collectively, the "Service"). It applies to all users regardless of location.
Google API Disclosure. SalesSheet's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request access only to the data we need to provide the features described in this policy.
3. Information We Collect
3a. Account and Identity Information
When you create an account, we collect:
- Email address and name — provided during sign-up or imported from your Google profile
- Profile picture — imported from your Google account (optional)
- Google Account ID (sub) — used to link your Google identity to your SalesSheet account
- Password — if you register with email/password; stored as a one-way cryptographic hash (we never store plaintext passwords)
3b. Gmail Data
When you connect a Gmail account, SalesSheet uses the Gmail API to sync emails related to your CRM contacts. Specifically:
- What we read: Full email messages including subject, body (plain text and HTML), sender and recipient addresses (To, Cc, Bcc), date, Gmail labels, and read/importance status
- Attachments: We download and store inline images and image attachments. For all other attachment types we store only metadata (filename, MIME type, file size) — the file contents are not downloaded
- What we store: Synced emails and their metadata are stored in our database and remain until you delete them or delete your account
- Why we need it: To display email history alongside your CRM contacts, enable email search, power AI-assisted email features (summarization, reply suggestions), and help you track communication history without switching between apps
gmail.readonly scope is used to read and sync emails from your inbox.
gmail.compose scope is used to compose and send emails on your behalf directly from SalesSheet, and to create draft emails in your Gmail account.
We do not delete emails from your Gmail account, and we do not read emails unrelated to contacts stored in your CRM unless you explicitly trigger a full account import.
3c. Google Contacts
When you choose to import contacts from Google, SalesSheet uses the Google People API to read:
- Name, email addresses, phone numbers
- Organization name and job title
- Physical address
- Profile URLs (LinkedIn, website, etc.)
This is a one-time import at your direction — we do not continuously sync your Google Contacts. Imported contact data is stored in your SalesSheet account as CRM contacts.
contacts.readonly scope is used solely for this import feature.
3d. Google Calendar
When you connect your calendar, SalesSheet uses the Google Calendar API to:
- Read your calendar events to display them alongside your CRM activity timeline
- Create and update calendar events on your behalf when you schedule meetings from within SalesSheet
Calendar events are displayed in the SalesSheet interface but are not stored in our database. All calendar data remains in your Google Calendar.
calendar.events scope is used to read, create, and update calendar events.
3e. CRM Data You Enter
We store the data you and your team enter into SalesSheet:
- Contacts: name, email, phone, company, job title, address, custom fields, notes, and any files you attach
- Opportunities/Deals: name, value, stage, close date, associated contacts, custom fields, and notes
- Tasks and Activities: task name, description, due date, assignee, completion status, and linked records
- Email Compositions: emails you write and send via SalesSheet are stored as activity records alongside contacts
This data is scoped to your organization — other members of your SalesSheet organization can view it.
3f. AI Features and Voice DNA
SalesSheet offers AI-powered features including email summarization, reply suggestions, and a CRM chat assistant. To power these features:
- Email content and CRM context (contact names, notes, email snippets) are sent to third-party AI providers (see Section 5) on a per-request basis. We do not permanently store your data on AI providers' systems.
- Voice DNA: To help AI suggestions match your writing style, SalesSheet stores a rotating sample of up to 500 of your sent emails (capped at 15,000 characters each). This data is stored in our database and used only to provide writing-style context in your AI prompts. You can disable this feature in Settings.
- Audio transcription: If you use voice-to-text features, the audio clip is sent to OpenAI for transcription. Audio files are not retained by SalesSheet after transcription.
3g. Usage Data and Analytics
- Error tracking (Sentry): We automatically collect error reports, stack traces, and session replays (10% of sessions, 100% of error sessions) to diagnose and fix bugs. Reports include your user ID and organization ID but not email message content.
- Product analytics (PostHog): Only with your explicit consent (via the cookie banner), we track anonymized product usage events such as page views and feature interactions. We do not include your name or email in these events. You can withdraw consent at any time in Settings → Cookie Preferences.
- Core Web Vitals: Performance metrics are collected to monitor application performance.
3h. Cookies and Local Storage
- Authentication cookie: A secure, HttpOnly session cookie set by our authentication provider (Supabase) to keep you logged in
- Browser local storage: Application preferences (column layout, filters, theme) and your cookie consent choice
- Session storage: Temporary OAuth state parameters used during Google sign-in; cleared immediately after sign-in completes
- No third-party advertising cookies: We do not use Google Analytics, Facebook Pixel, or any advertising or retargeting cookies
4. How We Use Your Information
| Data | Purpose |
|---|---|
| Account identity | Authenticate you, associate your data with your account, display your profile |
| Gmail data | Display email history in your CRM, enable email search, power AI email features, track contact communication history |
| Google Contacts | Populate your CRM contacts on import |
| Google Calendar | Display upcoming meetings in context, create calendar events from CRM |
| CRM data | Provide the core CRM functionality — pipeline management, contact management, task tracking |
| Voice DNA samples | Generate AI reply suggestions that match your writing style |
| Error logs | Diagnose and fix product bugs and crashes |
| Analytics events (opt-in) | Understand how features are used to prioritize improvements |
We do not use your data to train AI models. Data sent to AI providers (Claude, Gemini, OpenAI) for in-app features is processed on a per-request basis under their API terms and is not used to train their foundation models.
5. Third-Party Services and Data Sharing
We share data with the following third-party providers only to the extent necessary to operate the Service:
| Provider | Data Shared | Purpose |
|---|---|---|
| Google (Gmail, Calendar, Contacts APIs) | OAuth tokens, API calls | Accessing your Google data with your permission |
| Supabase | All app data | Database and authentication infrastructure |
| Vercel | Application request logs | Hosting and content delivery |
| Anthropic (Claude) | CRM contact context, email snippets, voice samples | AI chat assistant |
| Google (Gemini API) | Email text, contact info | AI email summarization and reply suggestions |
| OpenAI | Audio clips | Voice-to-text transcription only |
| Stripe | Organization name, billing email, plan tier | Payment processing and subscription management |
| Sentry | Error reports, user ID, session replays | Bug tracking |
| PostHog | Anonymized usage events, user ID (opt-in only) | Product analytics |
| Slack (optional) | Event notifications | Sent only if you connect Slack and choose to enable it |
We do not sell, rent, or trade your personal data to any third party. We do not share your Gmail content or CRM data with advertisers.
6. Google API Limited Use Disclosure
SalesSheet's use of information received from Google APIs is limited to the practices disclosed in this Privacy Policy. We comply with the Google API Services User Data Policy, including its Limited Use requirements:
- We use Google user data only to provide or improve the features described in this policy
- We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., AI features as described above), with your consent, or as required by law
- We do not use Google user data for advertising purposes
- We do not allow humans to read your Google user data unless you have given explicit permission, it is necessary for security purposes, or we are required by law
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until you delete your account |
| Synced Gmail emails | Until you delete individual emails or delete your account. Disconnecting Gmail stops future syncing but previously synced emails remain in your CRM until you delete your account. |
| CRM contacts, opportunities, tasks | Until you delete them or delete your account; soft-deleted contacts are permanently removed after 30 days |
| OAuth tokens | Deleted immediately when you disconnect a Gmail account |
| Voice DNA samples | Automatically capped at 500 samples; oldest samples pruned as new ones are added; deleted when you delete your account |
| Error logs (Sentry) | 30 days (Sentry platform default) |
| Analytics events (PostHog) | 90 days |
| Audio transcription files | Not retained after transcription completes |
8. Your Rights and Choices
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct inaccurate data
- Deletion (Right to Erasure): Request deletion of your account and all associated data. You can do this from Settings → Account → Delete Account. Deletion removes your profile, all CRM data, synced emails, and OAuth tokens. If you are the last member of your organization, the organization and all its data are also permanently deleted.
- Portability: Request your CRM data in a structured, machine-readable format
- Withdraw Google Authorization: You can revoke SalesSheet's access to your Google account at any time via Google Account Permissions. This will stop future syncs; previously synced data remains until you delete your account or request deletion.
- Opt out of analytics: Toggle analytics off in Settings → Cookie Preferences
- Disable Voice DNA: You can disable voice sample collection in Settings → AI Features
To exercise any of these rights, contact us at andres@salessheets.ai.
GDPR (EEA/UK users): If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR/UK GDPR including the right to object to processing and the right to lodge a complaint with your local supervisory authority. Our legal basis for processing Google user data is your explicit consent (granted during the OAuth flow). Our legal basis for processing CRM data you enter is the performance of our contract with you.
CCPA (California users): California residents may request disclosure of the categories of personal information we collect and our purposes for collecting it. We do not sell personal information as defined by the CCPA.
9. Data Security
We implement the following technical and organizational measures to protect your data:
- All data is transmitted over HTTPS/TLS
- OAuth tokens (including Gmail refresh tokens) are stored server-side only and never exposed to your browser
- Database access is protected by Row Level Security (RLS) policies that ensure users can only access data belonging to their organization
- Authentication uses industry-standard JSON Web Tokens (JWTs) managed by Supabase
- Our OAuth flow implements PKCE (Proof Key for Code Exchange) to protect against authorization code interception
- Supabase encrypts data at rest
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at andres@salessheets.ai.
10. Children's Privacy
SalesSheet is a business productivity tool intended for users aged 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe we have inadvertently collected such information, contact us and we will delete it promptly.
11. International Data Transfers
SalesSheet is operated in the United States. Your data is processed and stored on servers located in the United States (Supabase infrastructure) and, for AI features, may be processed by providers with servers in the United States. If you are located outside the United States, by using the Service you consent to the transfer of your information to the United States. We rely on Standard Contractual Clauses where required for transfers from the EEA/UK.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notification at least 14 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
Privacy inquiries and data subject requests:
Email: andres@salessheets.ai
Company: SalesSheet Inc.
For issues related to our use of Google user data specifically, you may also contact Google at support.google.com.
This privacy policy was last reviewed against the application codebase in April 2026.