PRIVACY POLICY

GoSheet


SCOPE AND APPLICABILITY

This Privacy Policy (the “Policy”) constitutes a legally binding agreement between you, the User (“you,” “your,” “User”) and GoSheet, a company incorporated under the laws of Poland, with its registered office in Poland (“GoSheet,” “Company,” “we,” “us,” “our”). This Policy governs our collection, processing, and handling of personal data in connection with the following GoSheet-branded assets (collectively, the “Platform”):

  • The public website https://go-sheet.com (the “Site”);
  • The GoSheet Software-as-a-Service web application;
  • API endpoints exposed under api.go-sheet.com and any successor hostnames;
  • The Chrome browser extension “Email Finder by GoSheet”;
  • Ancillary mobile applications published under GoSheet’s developer accounts.

PLEASE READ THIS POLICY CAREFULLY BEFORE USING THE PLATFORM

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy.

CONTROLLER STATUS

Depending on factual circumstances, GoSheet may function in any of the following capacities:

  • an independent data controller when determining the purposes and means of processing (e.g., operating the Platform, billing, analytics);
  • a joint controller alongside certain business customers in respect of prospect datasets uploaded or enriched on the Platform; or
  • a data processor acting on documented instructions from a customer (e.g., when sending drip-campaign emails).

For U.S. privacy statutes, GoSheet is deemed a “business” (California/CPRA) and “controller” (Virginia, Colorado, Connecticut). For Brazilian law (LGPD), we are the “controller.”

USER ROLES

Your relationship with us may fall into one or more of the following categories:

Role | Definition
Website Visitor | An individual who merely browses the Site and/or submits data via on-page forms or chat widgets.
Client / User | A natural person acting on behalf of a legal entity who registers an account, subscribes to a paid plan, connects email or social networks, or otherwise utilizes the Platform.
Prospect | A third party whose business-related data is processed within GoSheet at the request of a Client (e.g., email, job title, LinkedIn URL).
Related Person | An individual whose business information appears in publicly available sources and is incorporated into the Platform’s business data indices.

DEFINITIONS AND INTERPRETATIONS

Throughout this Policy, the following terms shall have the meanings ascribed to them below:

  • Data Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor means the natural or legal person which processes personal data on behalf of the controller.
  • Personal Data means any information relating to an identified or identifiable natural person (‘data subject’).
  • Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Services means the sourcing, lead-generation, contact-enrichment, email-delivery and sales-automation functionality offered via the Platform.

Capitalized terms not otherwise defined herein shall have the meanings ascribed to them under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

CATEGORIES OF PERSONAL DATA

GoSheet collects three overarching classes of data: (1) Client & Website-Visitor Data, (2) Prospect Data, and (3) Business Data.

1. Client & Website-Visitor Data

Ref | Category | Typical Elements | Collection Method
(a) | Registration Information | Email, first & last name, company, phone (optional), unique User-ID | Signup form / OAuth token
(b) | Authentication Token | OAuth refresh/access token, token metadata |
(c) | Automatically Collected Information | IP address, user-agent, referral URL, timestamps, account balance, browser language | JS SDK / server logs
(d) | Workplace Information | Company size, industry, role, intended use-case | Onboarding questionnaire
(e) | Payment Information | Order-ID, billing address, last-4 card digits, payment processor ID, VAT/TAX IDs, IP at checkout | Stripe / Paddle checkout
(f) | Connected-Account Data | SMTP credentials, social-media login, social-selling index, geo (city/country) | Account settings
(g) | Drip-Campaigns Data | Recipient list, message content, send schedule, engagement metrics | Drip builder UI
(h) | Tracker & Warm-Up Data | Message-IDs, subject, sender, recipient, spam-placement stats | Browser extension & IMAP
(i) | API Tokens | Customer-generated API keys, third-party OAuth tokens | API dashboard
(j) | Support & Contact | Name, email, chat transcripts, call notes | Intercom / email / phone
(k) | Cookie / Device Data | GA4 client-ID, preference cookies | Cookies / localStorage

2. Prospect & CRM Data

Ref | Category | Elements
(s) | Prospect Data | Business email, first & last name, job title, company, location (city/country), social URLs, notes
(t) | CRM Data | Deal pipeline, task notes, meeting records
(u) | Synchronized Data |

3. Business Data

Ref | Category | Elements
(v) | Business Data | Company name, domain, HQ phone, founding year, industry, headcount, generic emails

No Special Categories of Data

GoSheet does not intentionally collect or process special categories of personal data (e.g., health data, biometric data, political opinions) as defined in GDPR Article 9, nor does it knowingly collect or process data of children under 18 years of age.

LEGAL BASES FOR PROCESSING

In accordance with applicable data protection law, particularly Article 6 of the GDPR, we rely on the following legal bases for processing personal data:

  • Consent (Art. 6(1)(a)): Explicit opt-in consent for newsletters, analytics cookies, push notifications, and certain marketing communications.
  • Contract Performance (Art. 6(1)(b)): Processing necessary to perform our contractual obligations under the Terms of Service (e.g., account creation, payment processing, feature delivery).
  • Legal Obligation (Art. 6(1)(c)): Processing necessary for compliance with legal obligations to which we are subject (e.g., invoicing, tax bookkeeping, fraud screening, KYC/AML where applicable).
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for the purposes of legitimate interests pursued by GoSheet or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This includes network security, product analytics, prospect discovery, B2B marketing to existing customers, enforcement of Terms, and defense of legal claims.

A documented Legitimate Interest Assessment (LIA) supports each Article 6(1)(f) purpose to ensure proper balancing of interests and data-subject rights.

DATA PROCESSING ACTIVITIES

As a Data Controller

Purpose | Data Categories | Legal Basis | Principal Processors / Recipients
Account registration & login | (a)(b)(c)(d) | Contract | Supabase (EU), AWS (EU)
Platform operation & bug fixing | (a)(c)(r) | Contract | Supabase
Customer support & communications | (a)(j)(c) | Contract / Consent | Google Workspace, Intercom
Analytics & product improvement | (c)(d)(k) | Legitimate interest / Consent | Google Analytics 4
Marketing & newsletters | (a)(j)(k) | Consent / Legitimate interest |
Payment processing & fraud prevention | (e)(c)(h)(k) | Contract / Legitimate interest |
Drip campaign execution | (f)(g)(s)(u) | Contract |
Email warm-up & tracker | (h)(f) | Contract | internal algorithms
AI email generation | (l) | Contract / Legitimate interest | OpenAI API
Regulatory compliance & dispute resolution | All categories as required | Legal obligation | External counsel, courts

A detailed Record of Processing Activities (RoPA) is maintained pursuant to GDPR Article 30.

As a Data Processor

When a Client instructs GoSheet to process third-party contact information (e.g., sending drip emails), GoSheet acts as a processor and the Client remains the controller. A Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses forms part of our Terms of Service.

GOOGLE USER DATA (GMAIL / G-SUITE)

GoSheet’s use of Gmail scopes complies with the Google API Services User Data Policy and its Limited Use requirements. Specifically:

  • Access is restricted to composing, sending, and analyzing Client-initiated emails.
  • No Gmail data are used for advertising.
  • Human access to Gmail content is prohibited unless: (i) user explicitly consents; (ii) necessary for security or legal reasons; or (iii) aggregate, de-identified metrics are generated.
  • Tokens may be revoked at any time in Settings ▸ Integrations. Revocation disables Gmail-based campaign delivery.

EXTENSIONS, INTEGRATIONS & PERMISSIONS

Chrome Extension Permissions – The “Email Finder” and “Email Verifier” extensions request limited Chrome API scopes (tabs, storage, cookies, notifications) solely to execute user-initiated scraping and verification tasks. Permission rationale is displayed in-store and in our knowledge-base.

Third-Party Integrations – The Platform offers optional connectors to services. Enabling an integration authorizes bidirectional data sync; you may revoke authorization at any time within the Integrations console.

AI Features – Email AI utilizes OpenAI’s API. Input and generated text may be retained by OpenAI for up to 30 days for abuse monitoring (per their policy). Clients may disable AI features at any time.

MARKETING COMMUNICATIONS

Opt-in: A clearly labeled checkbox is provided during sign-up for promotional emails/SMS. Pre-existing Clients receive marketing under legitimate interest with an easy opt-out link in every message.

Opt-out: Users may withdraw consent via the unsubscribe link, account preferences, or by emailing privacy@go-sheet.com.

GoSheet does not engage in cold B2C marketing; communications are B2B and relevant to the role of the recipient.

DATA SECURITY, INTEGRITY & RETENTION

Data Category | Standard Retention Period | Deletion Trigger
Registration & profile | Lifetime of account + 90 days grace period | Account deletion request
Payment & invoices | 6 years (statutory retention period) | Legal expiry
Prospect & CRM data | Until Client deletion or 90 days post-account closure | Controller instruction
Logs & telemetry | 30 days | Rolling overwrite
AI prompts & outputs | 60 days | Automatic purge

Security controls include ISO 27001-aligned policies, encryption (TLS1.2+/AES-256), multi-factor authentication for staff, quarterly penetration tests, and a 24/7 incident-response plan. Breach notifications are issued within 72 hours in accordance with GDPR Article 33.

THIRD-PARTY DATA RECIPIENTS

A non-exhaustive roster of sub-processors is published at https://go-sheet.com/sub-processors and incorporated herein by reference. GoSheet executes Data Processing Agreements and, where required, Standard Contractual Clauses with each supplier. Transfers to the United States rely on Standard Contractual Clauses or certification under the EU–US Data Privacy Framework.

INTERNATIONAL DATA TRANSFERS

Transfers of personal data to third countries or international organizations that do not ensure an adequate level of data protection are safeguarded by:

  • 2021 EU Standard Contractual Clauses (modules 2 & 3);
  • Transfer Impact Assessments (TIA) evaluating local surveillance laws and practices;
  • Technical measures such as at-rest encryption and key management in the European Economic Area.

CHILDREN’S PRIVACY

The Platform is not directed to persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such information from our systems.

DATA SUBJECT RIGHTS

Pursuant to applicable data protection laws, data subjects may exercise the following rights (subject to identity verification):

  • Access: The right to obtain confirmation as to whether personal data are being processed and, where that is the case, access to the personal data (GDPR Article 15)
  • Rectification: The right to obtain rectification of inaccurate personal data (GDPR Article 16)
  • Erasure: The right to obtain the erasure of personal data in certain circumstances (GDPR Article 17)
  • Restriction: The right to obtain restriction of processing in certain circumstances (GDPR Article 18)
  • Portability: The right to receive personal data in a structured, commonly used and machine-readable format (GDPR Article 20)
  • Objection: The right to object to processing based on legitimate interests (GDPR Article 21)
  • Withdrawal of Consent: The right to withdraw consent at any time (GDPR Article 7)
  • Non-discrimination, access, deletion, correction, opt-out of sale/share (California Consumer Privacy Act/California Privacy Rights Act)
  • Additional rights under Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Brazilian General Data Protection Law (LGPD) as applicable.

Requests should be submitted to privacy@go-sheet.com or via the in-app Privacy Portal. We will respond within 30 days (45 days for CCPA requests).

DATA DELETION PROCEDURES

Users may:

  • Self-delete contacts, campaigns, or the entire account via Settings; or
  • Email privacy@go-sheet.com requesting erasure. We will execute the request within 30 days and provide confirmation.

AMENDMENTS TO THIS POLICY

We reserve the right to amend this Policy from time to time to reflect changes in data protection laws, regulatory requirements, or our data processing activities. Material modifications will be notified via email and an in-app banner at least 15 days prior to taking effect. The revision date appears at the top of this document.

GOVERNING LAW

This Policy shall be governed by and construed in accordance with the laws of Poland, without regard to its conflict of law principles.

CONTACT INFORMATION

Data Protection Officer (DPO): Not applicable at this time
Email: privacy@go-sheet.com
Postal Address: GoSheet, Poland


© 2025 GoSheet, All rights reserved.

IN WITNESS WHEREOF, this Privacy Policy has been duly implemented by GoSheet.