Privacy Policy — WebiSheet

1. Introduction

WebiSheet (“we”, “us”, or “our”) provides mobile applications on the Apple App Store and Google Play, the website webisheet.com, and related APIs (collectively, the “Service”). This Privacy Policy describes our practices in plain language and is designed to meet the transparency requirements of:

Google Play — Developer Program Policies, User Data policy, and Data safety form disclosures
Apple App Store — App Store Review Guidelines (Section 5: Privacy), App Privacy details, and Sign in with Apple requirements
Applicable privacy laws — including India’s Digital Personal Data Protection Act, 2023 (DPDPA), GDPR/UK GDPR where applicable, and U.S. state laws such as CCPA/CPRA

By registering, signing in, or using the Service, you acknowledge this Privacy Policy. If you disagree, do not use the Service.

2. Who we are (data controller)

For purposes of data protection law, WebiSheet is the data controller for personal information processed through the Service.

Product: WebiSheet — biodata, business sheet, and CV/resume builder
Privacy contact: support@webisheet.com
Support: support@webisheet.com
Website: https://webisheet.com

3. Scope

This policy applies to:

WebiSheet iOS and Android apps distributed via official app stores
Web dashboards, admin tools, and authenticated user areas
Public render pages (e.g. /bio-data/<slug>, /business-sheet/<slug>, /cv/<slug>)
API endpoints at api.webisheet.com used by our apps

Third-party websites, social networks, or payment processors linked from your sheets or the Service are governed by their own policies—not this one.

4. App Store & Google Play compliance

Our disclosures in Google Play Console (Data safety) and App Store Connect (App Privacy) are intended to match this policy. If you notice any inconsistency, contact us and we will correct it promptly.

4.1 Google Play (Data safety & User Data policy)

We publish this Privacy Policy URL in our Play Store listing and keep it publicly accessible without login.
We declare data types collected, shared, and security practices in the Play Console Data safety section consistent with this policy.
We do not sell your personal information to third parties for advertising or data broker purposes.
Apps that allow account creation must offer account deletion—we provide in-app Delete Account (see Section 15).
Sensitive permissions (camera, photos, storage) are requested only when needed for features you use, with in-app/system disclosures.
We handle personal and sensitive user data securely and limit collection to what is necessary for app functionality.

4.2 Apple App Store (Privacy & Sign in with Apple)

Our App Privacy “nutrition label” in App Store Connect describes data linked to you and used for app functionality, analytics (if any), and account management.
Where we offer Google Sign-In, we also offer Sign in with Apple on iOS as required by Apple’s guidelines.
Permission purpose strings (camera, photo library, etc.) in Info.plist explain why access is requested.
Users can delete their account within the app, satisfying Apple’s account-deletion requirement for apps with account creation.
Subscription and in-app purchase data is processed by Apple; we receive entitlement status, not full payment card numbers.
We do not use Apple’s frameworks to track you across other companies’ apps or websites for advertising without consent where required.

4.3 Your store-managed choices

You can manage app permissions in iOS Settings → WebiSheet or Android Settings → Apps → WebiSheet → Permissions. Subscription management and refunds are handled through Apple or Google account settings per their policies.

5. Data we collect (summary table)

This table summarizes categories aligned with store privacy questionnaires. “Optional” means you provide it only when using related features.

Category	Examples	Linked to you?	Purpose	Shared with
Account / contact	Name, email, profile photo, user ID	Yes	Registration, login, support	Auth & cloud providers (Firebase, Google, Apple)
User content	Biodata fields, CV text, business details, uploaded images	Yes	Core app functionality, hosting, PDF export	Cloud storage (e.g. AWS S3); public if you publish
Photos / files	Camera captures, gallery picks, PDF downloads	Yes	Profile & sheet images, save/export	Storage provider; device local storage when you save
Purchase / subscription	Product ID, renewal status, transaction ID (from store)	Yes	Unlock premium features	Apple, Google, RevenueCat (if enabled)
Device / diagnostics	OS version, app version, IP address, crash logs	May be	Security, debugging, performance	Hosting / infrastructure providers
Usage	Feature interactions, API logs (aggregated where possible)	May be	Improve Service, abuse prevention	Internal; service providers under contract

Data we do not intentionally collect: precise GPS location, contacts address book, SMS content, health data, or government ID numbers unless you voluntarily type them into your sheets.

6. Detailed data categories

6.1 Account and authentication

Full name and email address
Email verification status, OTP/verification codes (temporary)
OAuth tokens and provider IDs from Google Sign-In and Sign in with Apple
Session tokens / access tokens issued by our backend after authentication
Account timestamps (created, updated, last login where logged)

6.2 Content you create (biodata, business sheet, CV)

Depending on templates and fields you complete, this may include:

Identity: name, gender, date/time/place of birth, photos, height, weight, religion, caste (if entered)
Contact: mobile numbers, email, postal address, map links
Family: parents’ names, siblings, family occupation, maternal/paternal details
Education and career: schools, degrees, employers, skills
Business sheet: company name, services, location links, social URLs
Preferences: themes, fonts, colors, margins, publish/draft state, unique URL slug

Sensitive information: Marriage biodatas may include religious, community, or family information. You choose what to enter and whether to publish. We do not require sensitive categories beyond what you provide for your document.

6.3 Files and media

Images from camera or photo library (profile, gallery, backgrounds)
PDF files generated or downloaded to your device
File metadata (name, size, MIME type) for uploads

6.4 Payments and subscriptions

Subscription tier, expiry, and entitlement flags
Store transaction identifiers from Apple/Google (not full card numbers)
RevenueCat customer ID and receipt validation metadata (where subscriptions are enabled)

6.5 Technical and usage data

IP address, user agent, request timestamps (server logs)
Device model, OS version, app build number
Network connectivity state (for offline/online sync features)
Error stack traces and diagnostic logs when the app crashes or API errors occur

6.6 Support communications

Email content and attachments you send to support
Information you provide when reporting bugs or requesting data access/deletion

6.7 Cookies and web storage (website only)

Our web properties may use cookies, JWT/session storage, or local storage for login sessions, admin dashboards, and security. You can clear cookies via browser settings; signing out invalidates session tokens on the server where applicable.

7. Device permissions

We request OS permissions only for features you use. You may deny permissions; related features may not work.

Permission	Platform	Why we ask
Camera	iOS, Android	Capture profile photos and images for your sheets
Photo library / storage	iOS, Android	Select existing images; save PDFs or exports to device (where supported)
Internet / network	iOS, Android	Sync data, sign in, load templates, publish and preview sheets
Network state	Android	Detect connectivity for offline-aware features

Apple: Purpose strings appear in the permission dialog (e.g. camera and photo library usage in Info.plist). Google Play: Dangerous permissions are declared in the manifest and requested at runtime where required by Android version.

8. How we use your information

Provide the Service: account creation, authentication, document editing, preview, PDF generation, trash/restore
Hosting & delivery: store uploads, render public pages, serve assets via CDN/cloud
Personalization: remember themes, fonts, and layout choices for your documents
Subscriptions: verify purchases and unlock premium templates or features
Security: fraud detection, abuse prevention, rate limiting, audit logs
Support: respond to inquiries and resolve technical issues
Legal compliance: respond to lawful requests and enforce our Terms
Improvement: aggregated analytics and performance monitoring (not sold to advertisers)

We do not use your biodata content to train third-party AI models for unrelated products.

9. Legal bases (EEA/UK/India)

GDPR / UK GDPR: Contract (service delivery); Legitimate interests (security, improvement); Consent (where required); Legal obligation.

India (DPDPA): We process personal data for permitted uses including provision of service, security, and compliance. You may have rights to access, correction, erasure, and grievance redressal through our contact below.

11. Public sheets and sharing

Publishing generates a unique URL (e.g. https://webisheet.com/bio-data/your-slug). Slugs are long and unguessable but not confidential once you share the link. Search engines may index public pages.

Draft/unpublished sheets are not listed publicly; access is tied to your account and API authentication for previews
You may move items to Trash and delete permanently from the app
Copies shared externally (screenshots, forwarded PDFs) remain outside our control

12. Data security (detailed)

Protecting your data is a core requirement for App Store and Play distribution. We implement administrative, technical, and organizational safeguards aligned with industry practice for consumer SaaS applications.

12.1 Encryption

In transit: All API and web traffic uses HTTPS/TLS (TLS 1.2+) between your device and our servers
At rest: User uploads stored on AWS S3 use server-side encryption (SSE-S3 or SSE-KMS per bucket configuration)
Credentials: Passwords are not stored in plain text; social login relies on OAuth tokens from Apple/Google
Session tokens: API access tokens are transmitted only over TLS and can be revoked on logout or account deletion

12.2 Infrastructure and network security

Production servers run behind firewalls with restricted inbound ports
Database and admin interfaces are not publicly exposed without authentication
Secrets (API keys, database credentials) are stored in environment variables, not in source code
Regular security updates to server OS, Node.js runtime, and dependencies
DDoS and abuse mitigation via hosting provider and application rate limits where applicable

12.3 Access control

Role-based access for administrative tools; production data access limited to authorized personnel
Multi-factor authentication encouraged for admin accounts
Audit logging of administrative actions where implemented
User data is scoped by account ID; API endpoints require valid authentication tokens

12.4 Application security

Input validation and size limits on uploads (e.g. request body limits, file type checks)
Helmet and security headers on API responses; CORS configured for known clients
Parameterized database queries to reduce injection risk
Android: android:allowBackup="false" to reduce backup-based data leakage on devices

12.5 Data minimization and retention

We collect only data needed for features you use
Logs are retained for a limited period for security and debugging, then rotated or deleted
Backups are retained for disaster recovery, then purged on schedule (see Section 13)

12.6 Incident response

If we become aware of a personal data breach that poses a risk to your rights, we will investigate promptly, mitigate harm, notify affected users and regulators where required by law, and document remedial actions.

12.7 Your role in security

Use a device passcode/biometric lock
Do not share your account or publish links you want to keep private
Log out on shared devices
Report suspicious activity to support@webisheet.com

No system is 100% secure. We cannot guarantee absolute security but continuously work to maintain protections appropriate to the sensitivity of data we process.

13. Data retention

Data type	Typical retention
Active account & sheets	Until you delete content or your account
Trash	Until you empty trash or automatic purge (per app settings)
Deleted account	Primary data removed within 30 days; backups up to 90 days
Server logs	Typically 30–90 days unless needed for security investigations
Support emails	Up to 24 months for quality and legal purposes
Billing records (from stores)	Per Apple/Google statutory requirements

14. Your rights and choices

Depending on your location, you may have the right to:

Access — request a copy of personal data we hold about you
Rectification — correct inaccurate data (also editable in-app for profile and sheets)
Erasure — delete your account and associated data
Restriction / objection — limit certain processing where legally applicable
Portability — receive data in a structured, commonly used format where feasible
Withdraw consent — where processing is consent-based, without affecting prior lawful processing
Complaint — lodge a complaint with your supervisory authority (EEA/UK) or Data Protection Board (India)

Submit requests to support@webisheet.com with subject “Privacy Request”. We respond within 30 days (or as required by law). We may verify identity before processing requests.

California (CCPA/CPRA): Right to know, delete, correct, and opt out of “sale”/“sharing” (we do not sell personal information).

15. Account deletion (required by Apple & Google)

Apps with account creation must let users delete their account. WebiSheet provides:

Open the app → Profile or side menu
Select Delete Account
Confirm deletion in the dialog

Deletion removes your account, authentication credentials, and associated biodatas, business sheets, and CVs from active systems, subject to backup retention described in Section 13. You must create a new account to use the Service again.

If you cannot access the app, email support@webisheet.com from your registered email with subject “Account Deletion Request”.

16. Children's privacy

The Service is not directed to children under 13 (or under 16 in the EEA/UK without parental consent). We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it. Google Play “Designed for families” and Apple Kids Category policies apply only if we explicitly target those programs.

17. Tracking and advertising

We do not sell your personal information to data brokers
We do not display third-party interest-based advertising inside the app based on cross-app tracking
We do not request Apple’s App Tracking Transparency (ATT) for cross-app tracking because we do not engage in that practice
Firebase/Google SDKs may collect device identifiers for authentication and crash reporting—see third-party section

18. Third-party SDKs and services

These providers process data under their own privacy policies and our data processing agreements where applicable:

Provider	Purpose	Privacy policy
Google / Firebase	Authentication, infrastructure	policies.google.com/privacy
Apple	Sign in with Apple, App Store billing	apple.com/legal/privacy
Amazon Web Services	Cloud storage (S3), hosting	aws.amazon.com/privacy
RevenueCat	Subscription management (if enabled)	revenuecat.com/privacy
Google Play / App Store	In-app purchases	Respective store policies

19. International transfers

Data may be processed in India, the United States, the European Union, or other countries where our providers operate. Where required, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms.

20. Changes to this policy

We may update this policy for legal, technical, or business reasons. We will post the new version here with an updated date. Material changes may be notified in-app or by email. Continued use after the effective date constitutes acceptance. For Google Play and Apple, we will update store disclosures when data practices change materially.

21. Contact us

WebiSheet — Privacy & Data Protection
Email: support@webisheet.com
Subject line: “Privacy Request” or “Account Deletion Request”
Website: https://webisheet.com
Related: Terms and Conditions