Privacy Policy
Effective April 3, 2026
This Privacy Policy explains how Threaded Pixel Studios, LLC ("Threaded Pixel Studios," "we," "us," or "our") collects, uses, and protects your information when you use Sheetuation and any other web applications we operate (collectively, the "Services"). Threaded Pixel Studios is run by Isaac, a solo indie developer.
I believe in being straightforward about data practices. I collect what's needed to make the apps work, and nothing more.
1. What Data I Collect
1.1 Information You Provide
- Account information: When you sign in via Google OAuth, I receive your name, email address, and profile picture from Google. I don't receive or store your Google password.
- User content: Tasks, projects, calendar entries, and any other data you create within the Services.
- Communications: If you contact me at support@threadedpixelstudios.com, I retain the contents of that communication solely to respond and improve the Services.
*Note: The Services do not currently offer paid features. If a paid tier is introduced in the future, this section will be updated to describe what payment data is collected and how it is handled.*
1.2 Information Collected Automatically
- Basic request data: IP address, browser type, operating system, and referring URL. This is standard server-level information logged by the hosting provider (Vercel).
- Session data: Essential session cookies to keep you logged in. That's it — no tracking cookies, no advertising cookies.
1.3 Information I Do NOT Collect
- I do not run third-party analytics trackers (yet — see Section 5).
- I do not serve ads or share data with ad networks.
- I do not use fingerprinting or hidden tracking techniques.
- I do not sell your data. Ever.
2. How I Use Your Data
Your data is used to:
- Provide the Services: Store your tasks, projects, and calendar data so the app functions as expected.
- Authenticate you: Verify your identity via Google OAuth and maintain your session.
- Communicate with you: Respond to support requests and notify you of important changes to these policies via in-app notices.
- Improve the Services: Understand usage patterns in aggregate to fix bugs and prioritize features. I'm not profiling you — I'm trying to figure out if a feature is broken.
I do not use your data for advertising, profiling, or sale to third parties.
3. Third-Party Services
The Services rely on the following third-party providers, each with their own privacy practices:
| Provider | Purpose | Their Privacy Policy |
|---|---|---|
| Vercel | Hosting and deployment | vercel.com/legal/privacy-policy |
| Neon | PostgreSQL database hosting | neon.tech/privacy-policy |
| OAuth authentication | policies.google.com/privacy |
Additional providers (such as a payment processor) may be added as the Services evolve. Your data may pass through these providers in the course of using the Services. I choose providers with strong privacy practices, but I recommend reviewing their policies for full details.
4. Cookies
I keep cookies minimal:
- Session cookies: Required to keep you logged in. These are essential and cannot be disabled without breaking authentication.
- No advertising cookies.
- No third-party tracking cookies.
That's the full list. No cookie banner needed because there's nothing optional to consent to.
5. Analytics
As of the effective date, no third-party analytics are in use. If I add analytics in the future (likely a privacy-respecting tool such as Plausible or PostHog), I will:
- Update this Privacy Policy before activating any analytics.
- Choose tools that respect user privacy and do not sell data.
- Notify users of the change where practical.
6. Data Storage and Security
6.1 Where Your Data Lives
Your data is stored on servers in the United States, operated by Vercel (hosting) and Neon (database). If you are accessing the Services from outside the US, your data will be transferred to and processed in the US.
6.2 Security Measures
I take reasonable measures to protect your data, including:
- HTTPS encryption for all data in transit, enforced via HSTS (HTTP Strict Transport Security).
- Content-Security-Policy headers to prevent cross-site scripting and code injection.
- Secure database connections with encryption.
- Per-user data isolation enforced at the database layer — your data cannot be accessed by other users.
- Request validation on all API inputs to prevent injection and malformed data.
- Rate limiting to protect against abuse and automated attacks.
- Audit logging on destructive actions for traceability.
- Hashed/tokenized authentication (no plaintext passwords are stored — Google handles authentication).
- Limited access — I'm the only person with access to production infrastructure.
No system is perfectly secure. I'm honest about that. If a breach occurs, I will notify affected users promptly and take immediate steps to mitigate harm.
7. Data Retention
- Account data: Retained as long as your account is active. If you delete your account, your data is removed from active systems within 30 days. Backup copies may persist for up to 90 days before being purged.
- Server logs: Basic request logs are retained by Vercel per their standard retention periods (typically 30 days or less).
*Note: If paid features are introduced in the future, billing and payment records may be retained as required by tax and financial regulations.*
8. Your Rights
Regardless of where you live, I believe you should have control over your data. Here's what you can do:
8.1 Access Your Data
You can view your data within the Services at any time. The Services also provide a snapshot/export API that lets you download a copy of your data in a portable format.
8.2 Correct Your Data
You can edit your content directly within the Services. For account information sourced from Google (name, email, profile picture), updates are reflected when your Google profile changes.
8.3 Delete Your Data
You can delete individual items (tasks, events, etc.) within the Services. To delete your entire account and all associated data, email support@threadedpixelstudios.com and I'll process it within 30 days.
8.4 Export Your Data
Use the built-in export/snapshot feature to download your data at any time. Your data is yours — I want you to be able to take it with you.
8.5 Withdraw Consent
If you withdraw consent for data processing, I will stop processing your data. Note that this may mean you can no longer use the Services, since the Services need your data to function.
9. GDPR (European Users)
If you are located in the European Economic Area (EEA), the UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing: I process your data based on (a) your consent when you create an account, (b) contractual necessity to provide the Services, and (c) legitimate interests in improving and securing the Services.
- Right to object: You can object to processing based on legitimate interests.
- Right to restriction: You can request that I restrict processing of your data in certain circumstances.
- Right to portability: You can request your data in a structured, machine-readable format (see the export/snapshot feature).
- Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.
- Data transfers: Your data is transferred to and stored in the US. By using the Services, you consent to this transfer. I rely on standard contractual clauses and the privacy practices of my infrastructure providers to safeguard international transfers.
To exercise any of these rights, email support@threadedpixelstudios.com.
10. California Residents (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to know: You can request details about what personal information I collect and how it's used.
- Right to delete: You can request deletion of your personal information.
- Right to opt out of sale: I do not sell your personal information. There is nothing to opt out of.
- Non-discrimination: I will not discriminate against you for exercising your CCPA rights.
To exercise these rights, email support@threadedpixelstudios.com.
11. Children's Privacy (COPPA)
The current Services are not directed at children under 13. I do not knowingly collect personal information from children under 13 without verifiable parental consent.
Future apps by Threaded Pixel Studios may be designed for younger audiences. If and when that happens, those apps will:
- Comply with the Children's Online Privacy Protection Act (COPPA).
- Include parental consent mechanisms.
- Minimize data collection to only what is necessary.
- Have their own dedicated privacy disclosures.
If you believe a child under 13 has provided personal information through the Services, contact me immediately at support@threadedpixelstudios.com and I will delete it.
12. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. Since I don't track you with advertising or analytics cookies in the first place, your DNT preference is respected by default.
13. Changes to This Policy
I may update this Privacy Policy from time to time. When I do:
- The "Last Updated" date at the top will change.
- For significant changes, I'll notify you through the Services.
- Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
I won't sneak in material changes without telling you.
14. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or just want to know more about how your data is handled:
Email: support@threadedpixelstudios.comI'm one person, not a faceless corporation. I read every email and I care about getting this right.
Thanks for trusting Threaded Pixel Studios with your data. I take that seriously.
— Isaac