Privacy Policy
Last updated: 25 November 2025
Mail2Sheets (“we”, “us”, “our”) is owned and operated by Manta Ray Creative Ltd. We act as the data controller for the purposes of the UK GDPR and EU GDPR. This policy is publicly available and linked from our homepage, footer and OAuth consent screen. For acceptable use and billing rules, please see our Terms of Service.
What Google data we access and why
Google account profile data (email, name, basic profile)
Used only to sign you in and link your account, credits and settings. Stored as simple account records.
Gmail data (gmail.readonly)
We access limited email information to extract contact details. This includes email headers, sender details and small portions of message bodies. We do not send, modify, delete or alter any emails. Gmail message content is processed in memory and discarded after the extraction completes. We do not retain Gmail message bodies or metadata on our servers.
Google Drive/Sheets data (drive.file)
We use the non-sensitive drive.file scope to create or access only the specific Google Sheet you choose. We do not access or modify any other Google Drive files. All data written to your Google Sheet remains owned and controlled by you.
Usage and billing data
We store credit balances, audit logs and Stripe metadata as needed to provide the service and support billing. This does not include Gmail content.
How we use and store data
Gmail data
Gmail message content is processed temporarily in memory to extract contact fields. This may include email address, full name, organisation, website, job title, phone number and date last contacted. Once processed, the Gmail data is discarded and not stored on our servers.
Extraction and storage of contact fields
Extracted contact details are stored only in the Google Sheet you authorised. They are not stored in our database.
Use of OpenAI
To generate structured contact data, we send only the minimum required email text (short excerpts) to the OpenAI API. We do not transmit entire email bodies. We do not allow OpenAI to use this data for training. OpenAI states that API data is not used for training their models. No other third parties receive Gmail data. We operate under zero-retention for AI processing and explicitly send a zero-retention opt-out header on API requests.
OpenAI security and privacy
We rely on OpenAI's published security and privacy controls for API usage. Key points:
- No training on your data
- Zero data retention available on request (we request zero-retention for API calls)
- SOC 2 Type 2 compliance; BAAs available for HIPAA-covered workloads
- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data residency controls
- IP allowlist and mTLS options for network control
- SSO and MFA options
See OpenAI's security and privacy overview: https://openai.com/security-and-privacy/.
Human access
No human staff can access Gmail message content unless you request direct support that requires temporary access. Any such access is logged and limited.
Account data
Profile information, authentication tokens and billing records are stored for as long as you have an account or as required by law.
No selling or sharing
We do not sell personal data. We do not share data with third parties except as required by law.
No secondary use of Gmail data
We do not build user profiles, perform behavioural analysis or use Gmail data for any purpose other than extracting contact information requested by you.
Data flow
Gmail (read-only, date window you choose) → temporary parsing on our server → short excerpts sent to OpenAI → structured rows written to your selected Google Sheet → parsed emails deleted. No other outbound data flows.
Processors and infrastructure
- Hostinger VPS (application hosting and database)
- Google APIs (OAuth, Gmail read-only, Drive/Sheets via drive.file)
- OpenAI API (zero-retention, short excerpts only)
- Stripe (payments and credit purchases)
Data retention
- Gmail message bodies and metadata are not retained after processing (ephemeral in memory only).
- Parsed excerpts in the app database are removed after export to your Google Sheet.
- Extracted contact fields remain only in your chosen Google Sheet (under your control).
- Account and authentication data: retained for the life of the account.
- Billing and transaction records: retained for up to 7 years to satisfy accounting and tax obligations.
- Support requests: retained for up to 12 months.
- Operational logs: size-capped and typically retained for up to 90 days for troubleshooting and security review.
How to delete your data
You can delete your account and revoke tokens from your account page (Account → Delete account). This deletes your account, tokens, jobs, parsed emails, and credit records stored by us. Data already written to your Google Sheet remains under your control. You may also request deletion via the support form.
How to revoke Google access
You may revoke the app’s access to your Google Account at any time by visiting https://myaccount.google.com/permissions.
Legal basis for processing
- Article 6(1)(b) UK GDPR and EU GDPR (contract): to deliver the Mail2Sheets service at your request.
- Article 6(1)(f) UK GDPR and EU GDPR (legitimate interests): to secure our service, prevent abuse and maintain reliable operation.
Security
We use HTTPS for all data in transit. Access to operational systems is strictly limited, logged and granted only to staff who require it to support or maintain the service.
Children
The service is not intended for anyone under 18. We do not knowingly collect personal data from minors.
Contact
Manta Ray Creative Ltd
30 Engate St, London SE13 7HA
Please use our support form for any privacy or account requests.