Privacy Policy
This policy explains how we collect, use, and protect your personal information when you use thodigital.com.
Last updated: May 22, 2026
Last updated: May 22, 2026
1. Who We Are
ThoDigitals ("we", "us", or "our") operates shop.thodigitals.com (the storefront) and thodigitals.com (the brand site) and the following Google Workspace add-ons. This Privacy Policy covers all our products — both website and add-ons.
Contact: support@thodigitals.com
2. Products Covered by This Policy
| Product | Type | Where it runs |
|---|---|---|
| thodigitals.com / shop.thodigitals.com | Website / shop | Cloudflare + Supabase |
| THO Alerts — Google Sheets alerts add-on | Google Workspace Add-on | Inside your Google account (Apps Script) |
| WebhookFlow — Google Sheets webhook automation | Google Workspace Add-on | Inside your Google account (Apps Script) |
| THO Git Sync — GitHub ↔ Apps Script sync | Google Workspace Add-on | Inside your Google account (Apps Script) |
| Google Sheets templates & planners | Digital files | Static download |
3. OAuth Scopes Requested by Our Add-ons
When you install one of our Google Workspace Add-ons, Google asks you to consent to specific OAuth scopes. Each add-on requests only what it needs to function:
3.1 THO Alerts
| Scope | Why we need it |
|---|---|
userinfo.email | To bind your Pro license to your Google email |
userinfo.profile | To display your name in the add-on UI |
spreadsheets.currentonly | To watch only the active spreadsheet — no access to other sheets in your Drive |
script.send_mail | To send email alerts through your own Gmail/Workspace account |
script.scriptapp | To create/manage the trigger that watches cell changes |
script.container.ui | To show the sidebar UI inside Google Sheets |
script.external_request | To POST webhook alerts to Slack, Discord, Telegram, etc. |
3.2 WebhookFlow
| Scope | Why we need it |
|---|---|
userinfo.email | License binding |
spreadsheets.currentonly | Read the active sheet only |
script.scriptapp | Manage triggers |
script.container.ui | Sidebar UI |
script.external_request | Send webhook payloads to your endpoints |
3.3 THO Git Sync
| Scope | Why we need it |
|---|---|
userinfo.email | License binding |
script.scriptapp | Read/write your Apps Script projects to sync with GitHub |
script.external_request | Communicate with the GitHub API |
script.container.ui | Sidebar UI |
⚠️ Important — what our add-ons DO NOT do:
- ❌ We do not read or store the content of your spreadsheets on our servers.
- ❌ We do not have access to other files in your Google Drive.
- ❌ We do not share, sell, or transfer your data to advertisers or any third party for marketing.
- ❌ We do not use any human or AI to read your data; we have no automated processing of your spreadsheet contents on our infrastructure.
4. How Data Flows in Our Add-ons
Our add-ons run entirely inside your Google account using Google Apps Script. When you create a rule (e.g. "alert me when A3 contains DONE"), the following happens:
- Your rule definition is stored in
PropertiesService— Google's own private storage scoped to your spreadsheet, never reaching our servers. - Google's native
onEdittrigger watches cell changes; this runs inside your Google account. - When a match is found, the add-on calls the webhook URL (Slack/Discord/etc.) you configured — the request goes directly from Google's servers to your webhook URL, never via ours.
- For email alerts, the add-on uses Google's
MailAppto send from your own Gmail/Workspace address.
The only data that reaches our servers is your license key during activation (see Section 5).
5. Information We Actually Collect
5.1 On the website (thodigitals.com)
- Account info: Email + display name when you register or place an order.
- Order info: Products purchased, amounts, payment method, status.
- Technical: IP, browser, device — by our hosting provider (Cloudflare).
- Payment: We never see or store card details. All card payments are processed by Lemon Squeezy, our Merchant of Record.
5.2 From our add-ons
- License activation: Your license key + Google account email are sent to
shop.thodigitals.com/api/licenses/validateonce during activation, then stored locally inside your add-on properties. - That's it. No telemetry, no usage data, no spreadsheet content.
6. How We Use Information
- Order fulfillment (delivering download links + license keys via email)
- Account management (purchase history, license keys)
- Customer support (responding to inquiries, refund requests)
- Legal compliance (retaining transaction records)
We do not use your data for advertising and do not sell it to third parties.
7. Third-Party Services
- Supabase — Database + authentication; data encrypted at rest, RLS on every table.
- Cloudflare — Website hosting, CDN, DNS, serverless workers (license validation API).
- Lemon Squeezy — Payment processor & Merchant of Record (international card payments, VAT, tax compliance).
- Resend — Transactional email (order confirmations, license keys, refund notifications).
- Google (Apps Script, Workspace) — Hosts our add-ons inside your Google account. Subject to Google's Privacy Policy.
8. Cookies and Local Storage
- Session cookies: Set by Supabase to keep you logged in.
- Cart storage: Browser local storage; no personal data.
We do not use tracking or advertising cookies.
9. Data Retention
- Account data: While your account is active. Contact us to delete.
- Order records: Minimum 5 years for legal compliance (tax records).
- License keys: Retained for the lifetime of the lifetime license.
- Download tokens: Expire within 5 minutes.
- Add-on local data (in your Google account): Persists until you uninstall the add-on; you can clear it any time from THO Alerts → Settings → Reset.
10. Your Rights (GDPR / CCPA)
You may request: access, correction, deletion, portability, or restriction of processing of your data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. Contact support@thodigitals.com — we respond within 30 days.
11. Limited Use Disclosure (Google API Services)
Our add-ons' use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use the OAuth scopes listed above solely to provide and improve user-facing features of the add-on visible to users.
- We do not transfer Google user data to third parties except as necessary to provide the add-on's user-facing features, comply with applicable law, or as part of a merger/acquisition with appropriate notice.
- We do not use Google user data for serving ads, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security or to comply with law, or the data is aggregated and used for internal operations per Google's policy.
12. Data Security
- All data transmitted over HTTPS/TLS.
- Database protected by Row Level Security (RLS).
- Files stored in private buckets, served only via short-lived signed URLs.
- Service-role credentials never exposed to the browser.
- License keys hashed at rest in our license database.
13. Children's Privacy
Our services are not directed to children under 13. Contact us if you believe we have collected data from a child.
14. Changes to This Policy
We may update this policy. Material changes will update the "Last updated" date at the top and, for substantive changes affecting your rights, we will notify active customers by email.
15. Contact
Email: support@thodigitals.com