HeyDB Privacy Policy
Last updated: 1 March 2026
This policy explains the planned data handling model for HeyDB. HeyDB is not yet publicly launched, so this page documents the intended privacy posture for roadmap, review, and future implementation planning.
What data we access
HeyDB is expected to access the following data when the product is launched:
- Google Sheet structure — sheet names, column headers, and data types. Used to understand your data schema for query generation.
- Sheet cell data — the content of cells in the active spreadsheet. Read to execute queries and return results.
- Your Google account email address — used for authentication.
- Natural language queries — the questions you type into the HeyDB sidebar. Sent to an AI API for SQL translation.
Why we access it
| Data type | Purpose |
|---|---|
| Sheet structure | Understand column names and data layout to generate accurate SQL queries |
| Cell data | Execute the generated query against your actual data and write results back |
| Your email address | Authenticate you and manage your licence |
| Natural language queries | Translate your plain-English question into a SQL query via an AI API |
What OAuth scopes we request and why
| Scope | Type | Purpose | What happens if revoked |
|---|---|---|---|
spreadsheets.currentonly | Non-sensitive | Read sheet structure and data, write query results to the active Google Sheet | HeyDB cannot read your data or write results |
script.external_request | Non-sensitive | Connect to the AI API for query translation and Stripe for licence validation | HeyDB cannot translate natural language to SQL |
How data is processed
HeyDB is intended to run as a Google Apps Script add-on with an external AI provider for query translation:
- You type a question in the HeyDB sidebar.
- The script reads your sheet’s column headers and data types (not the full dataset).
- This schema information and your question are sent to an AI API to generate a SQL query.
- The generated SQL is shown to you for review before execution.
- On confirmation, the script executes the query against your sheet data locally on Google’s servers.
- Results are written to your Google Sheet.
Planned approach: only your sheet’s schema and question text should be sent to the external AI provider. If implementation constraints require broader processing, this page will be updated before launch.
What data is stored and where
- Query history and configuration are expected to be stored in Google’s environment.
- No Gallium Technologies-hosted user database is planned for the core product flow.
- The AI API provider is still to be finalised. We intend to choose a provider with an acceptable retention and training posture before launch.
What data is shared
Your data is never sold, rented, or shared with third parties for advertising or marketing.
- AI API provider is expected to receive your sheet schema and natural language question for SQL translation. The final provider and privacy notice will be linked here before launch.
- Stripe is expected to process billing details if paid plans are introduced. See Stripe’s privacy policy.
- No other third parties receive your data.
Data retention and deletion
- Uninstall the add-on from the Google Workspace Marketplace to remove all HeyDB functionality and configuration from your Google account.
- Revoke permissions at myaccount.google.com/permissions to remove all OAuth access.
- Gallium Technologies does not retain any user data after uninstallation.
Your rights
You have rights over your personal data regardless of where you are located. Depending on your jurisdiction, these may include the right to:
- Access your personal data and obtain a copy of it.
- Correct inaccurate or incomplete personal data.
- Delete your personal data (also known as the ‘right to be forgotten’).
- Restrict or object to certain processing of your data.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Opt out of sale — we do not sell your personal data to any third party.
These rights are provided under frameworks including the Australian Privacy Principles, the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), among others.
To exercise any of these rights, contact us at privacy@galliumtech.dev. We will respond within 30 days, or sooner if required by your local law.
Legal basis for processing
If you are in the EU, EEA, or UK, we process your personal data on the following legal bases under GDPR:
| Processing activity | Lawful basis |
|---|---|
| Accessing your Google Sheet structure to understand your data schema | Contract performance — necessary to deliver the service you installed |
| Reading sheet cell data to execute queries and write results | Contract performance — core functionality you configured |
| Sending your query and sheet schema to the AI API for SQL translation | Contract performance — translating your query is the core service |
| Billing or licence validation, if introduced | Legitimate interest — verifying authorised access to paid functionality |
International data transfers
HeyDB runs on Google’s infrastructure. Google’s Data Processing Terms include Standard Contractual Clauses for transfers of personal data outside the EU/EEA.
When you submit a natural language query, the planned design is to send only your sheet’s column headers, data types, and your question text to the AI provider. The provider-specific privacy notice will be linked here before public launch.
Stripe processes payment data in accordance with its own privacy policy and maintains compliance with international data transfer requirements. See Stripe’s privacy policy.
Data breaches
In the event of a personal data breach:
- We will notify affected users without undue delay.
- We will notify the Office of the Australian Information Commissioner (OAIC) within 30 days, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988.
- For users in the EU/EEA or UK, we will notify the relevant supervisory authority within 72 hours where required under GDPR.
- We will provide details of the breach, likely consequences, and measures taken.
Contact the OAIC: oaic.gov.au Contact the UK ICO: ico.org.uk
Contact
For privacy enquiries or to exercise your rights under any applicable privacy law:
Email: privacy@galliumtech.dev
Gallium Technologies Pty Ltd Australia