Effective Date: June 29, 2026
Last Updated: June 29, 2026
1. Introduction
Grid Tools for Smartsheet ("Grid Tools," "We," "Us," or "Our") provides a browser extension (the "Browser Extension") and related website, services, and support (collectively, the "Service") that adds bulk grid operations, column management, dark theme, and workflow tools to the Smartsheet interface.
This Privacy Policy describes how We collect, use, disclose, and protect Your information when You use the Service. It applies to:
- The Grid Tools website at gridtools.app (the "Website")
- The Grid Tools Browser Extension for Chrome, Edge, Firefox, and other supported browsers
- Any related services, tools, or support communications
Please read this Privacy Policy carefully. By accessing or using the Service, You acknowledge that You have read and understood this Privacy Policy. If You do not agree with the practices described in this Privacy Policy, please do not access or use the Service.
2. Definitions
- "Account" means Your registered Grid Tools account.
- "Browser Extension" means the Grid Tools for Smartsheet browser extension distributed through browser extension stores.
- "Device" means the computer, tablet, or other device You use to access the Service.
- "Personal Data" means any information that identifies or could reasonably be used to identify You.
- "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation, or other categories defined as sensitive under applicable law.
- "Service" means the Website, Browser Extension, and any related services, tools, or support.
- "Smartsheet" means the Smartsheet project management platform operated by Smartsheet Inc.
- "You" or "Your" refers to the individual accessing or using the Service.
3. Information We Collect
3.1 Account Information
When You create an Account, We collect:
- Name (first and last)
- Email address
- Organization name (if provided)
- Billing address (for paid subscriptions)
3.2 Browser Extension Data
What We Collect:
The Browser Extension collects and processes minimal data necessary to provide, secure, license, and improve the Service:
- Authentication and Account Data: Account identifiers such as email address, name, user ID, authentication/session tokens, and token expiration timestamps used to authenticate You, keep You signed in, refresh Your session, and verify Your subscription status.
- License and Entitlement Data: License tier, usage totals, usage limits, entitlement status, feature availability, cache timestamps, and grace-period timestamps used to verify license status and enforce usage limits.
- Feature and Operational Usage Data: Limited operational data such as feature/action names, timestamps, request IDs, response status information, and browser/runtime information used for license enforcement, usage limits, support, abuse prevention, administrative reporting, diagnostics, and product improvement.
What We Do NOT Collect:
Grid Tools does not collect, transmit, or store Your Smartsheet customer content. This includes:
- Sheet data, cell contents, or formulas
- Report data or dashboard content
- Form submissions or responses
- Comments, attachments, or proofs
- DataMesh, Data Shuttle, or Bridge data
- Dynamic View or WorkApps content
- Any other Smartsheet customer content or object-level business data
Your Smartsheet content remains within Your browser and is never sent to Grid Tools servers.
3.3 Local Extension Storage
The Browser Extension stores certain data locally in Your browser using browser extension storage or similar browser storage mechanisms. This may include:
- Settings and preferences, such as feature preferences, UI customizations, and local feature configurations
- Authentication/session data, such as access tokens, refresh tokens, token expiration timestamps, email address, and user ID
- License cache data, such as license tier, usage totals, usage limits, feature entitlements, cache timestamps, and grace-period timestamps
This data:
- Is stored only on Your Device
- Is used by the Browser Extension to keep You signed in, verify license status, enforce usage limits, and preserve Your preferences
- Is normally deleted by the browser when You uninstall the Browser Extension, subject to Your browser's storage behavior, sync settings, managed-browser policies, and backup configuration
Your local settings and feature configurations are not transmitted to Our servers unless a specific feature clearly requires server-side processing and this Privacy Policy describes that processing. Authentication/session data and license-related data may be transmitted to Our servers as necessary to authenticate You, refresh Your session, verify license status, enforce usage limits, process billing, and provide support.
3.4 Usage Data
We automatically collect certain information when You access the Service:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Pages visited on Our Website
- Time and date of access
- Time spent on pages
- Referring website addresses
- Clickstream data
- Feature/action names and timestamps generated by the Browser Extension
- Request IDs and server response status information used for diagnostics, security, and support
- License status, license tier, usage totals, usage limits, and entitlement information
3.5 Information from Third Parties
We may receive information about You from:
- Smartsheet or Your Smartsheet Session: Basic account/profile information, such as email address, first name, and last name, when You use the Browser Extension with Smartsheet or sign in to Grid Tools using a Smartsheet-associated account
- Payment Processors: Transaction status and billing information from Stripe
4. How We Use Your Information
We use Your information for the following purposes:
- Providing the Service: Operating, maintaining, and delivering Grid Tools features
- Authentication and Session Management: Signing You in, maintaining Your session, refreshing tokens, and verifying Your identity
- License Verification and Enforcement: Verifying subscription status, enforcing usage limits, managing feature entitlements, and processing billing
- Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance
- Security and Abuse Prevention: Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity
- Service Improvement: Analyzing usage patterns to improve features, performance, and user experience
- Communications: Sending transactional notifications, service updates, and marketing communications (with Your consent where required)
- Legal Compliance: Meeting applicable legal, regulatory, and tax obligations
5. Legal Basis for Processing (GDPR)
If You are located in the European Economic Area (EEA), United Kingdom, or Switzerland, We process Your Personal Data based on the following legal grounds:
5.1 Processing Activities Table
The table below summarizes the primary legal bases for common processing activities:
| Processing Activity | Data Used | Legal Basis |
|---|---|---|
| Account creation and sign-in | Name, email address, authentication/session data | Contract performance |
| License verification and entitlement enforcement | Account identifiers, license tier, usage totals, usage limits, feature/action names, timestamps | Contract performance; legitimate interests |
| Billing and subscription management | Name, email address, billing address, transaction IDs, payment status, subscription status | Contract performance; legal obligations |
| Customer support | Contact information, message content, support history, attachments You provide | Contract performance; legitimate interests |
| Security, fraud prevention, and abuse detection | IP address, request IDs, server logs, authentication events, browser/runtime information | Legitimate interests; legal obligations |
| Product improvement and operational analytics | Limited feature/action data, timestamps, browser/runtime information | Legitimate interests or consent where required by law |
| Marketing communications | Name, email address, marketing preferences | Consent where required by law; legitimate interests where permitted |
The applicable legal basis may vary by jurisdiction and the specific Service activity. Where consent is required by law, We will request consent before processing for that purpose.
5.2 Contract Performance
We process Personal Data as necessary to perform Our contract with You, including providing the Service, managing Your Account, verifying Your license, and processing payments.
5.3 Legitimate Interests
We process Personal Data based on Our legitimate interests in operating, securing, and improving the Service, provided those interests are not overridden by Your rights. Our legitimate interests include:
- Maintaining Service security and preventing abuse
- Analyzing Service usage to improve features and performance
- Providing customer support
- Enforcing Our Terms of Use
5.4 Legal Obligations
We process Personal Data to comply with applicable laws, including tax and financial record-keeping requirements.
5.5 Consent
Where required by law, We obtain Your consent before:
- Sending marketing communications
- Using certain cookies and tracking technologies
- Processing Sensitive Personal Data, if We ever intentionally collect or process such data
You may withdraw consent at any time by contacting Us at [email protected].
Grid Tools does not intentionally collect Sensitive Personal Data as part of the Service.
6. Cookies and Tracking Technologies
6.1 Essential Cookies
- Purpose: Enable core Service functionality, such as authentication and session management
- Duration: Session or up to 12 months
- Required: Yes (cannot be disabled without affecting Service functionality)
6.2 Functional Cookies
- Purpose: Remember Your preferences and settings
- Duration: Up to 12 months
- Required: No
Grid Tools does not currently use a separate website analytics cookie provider. If We add a website analytics cookie provider, We will update this Privacy Policy to describe the provider, data collected, retention period, and available opt-out mechanism.
Note: Browser Extension usage events may be sent directly to Grid Tools servers for license verification, usage-limit enforcement, security, support, and product improvement. These extension usage events are separate from Website cookies.
6.3 Managing Cookies
You can manage cookie preferences through Your browser settings. Disabling essential cookies may affect Service functionality. Most browsers allow You to block or delete cookies, though this may affect Your experience.
7. Data Sharing and Disclosure
We do not sell Your Personal Data. We may share Your information with:
7.1 Service Providers
Third-party companies that help Us operate the Service, subject to contractual data protection obligations:
- Stripe - Payment processing and subscription management
- Cloudflare - Hosting, content delivery, DDoS protection, DNS, and serverless compute
- Zoho Mail - Business email mailboxes and support communications
- Resend - Transactional email delivery (authentication, account, billing, and support notifications)
7.2 Legal Requirements
We may disclose Your information if required by law, regulation, legal process, or governmental request.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, Your information may be transferred to the acquiring entity. We will notify You of any such change.
7.4 With Your Consent
We may share Your information with other parties when You have given Us explicit consent to do so.
8. Data Retention
We retain Your information only as long as necessary for the purposes described in this Privacy Policy or as required by law.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of Account + 2 years after deletion |
| Grid Tools Payment/Billing Records | 7 years (legal/tax requirements), or as required by applicable law |
| Third-Party Payment Processor (Stripe) Records | Retained by Stripe according to Stripe's legal, regulatory, operational, and fraud-prevention obligations. Stripe may retain some transaction, payment, and related records after customer deletion or redaction where legally required or permitted. |
| Website/Product Analytics | No separate website analytics provider is currently active. If deployed later, the provider and retention period will be described in this Privacy Policy. |
| Backend Action Audit Logs | 90 days |
| Stripe Webhook Event Deduplication Records | 30 days |
| Support Communications | 3 years |
| Marketing Preferences | Until You unsubscribe or Account deletion |
| Browser Extension Settings | Stored locally; normally deleted by the browser when You uninstall the Browser Extension, subject to browser behavior, sync settings, managed-browser policies, and backups |
| Local Authentication/Session Data | Stored locally until logout, token expiration, Account deletion, manual browser data deletion, or Browser Extension uninstall, subject to browser behavior, sync settings, managed-browser policies, and backups |
| Local License Cache Data | Stored locally and refreshed periodically; normally deleted by the browser when You uninstall the Browser Extension, subject to browser behavior, sync settings, managed-browser policies, and backups |
Some retention periods depend on third-party service configuration, legal requirements, and operational needs. Where a third-party service retains information under its own legal or regulatory obligations, that provider's retention practices also apply.
When You delete Your Account, We will delete or anonymize Your Personal Data within a reasonable timeframe, except where retention is required by law or where third-party processors retain data under their own regulatory obligations (see Stripe retention above).
9. Third-Party Services
The Service integrates with or relies on the following third-party services. Each provider operates under its own privacy policy.
9.1 Payment Processing
Stripe
- Purpose: Process payments, manage subscriptions, and handle billing
- Data Shared: Name, email address, billing address, payment method details (processed directly by Stripe), transaction identifiers, and subscription status
- Privacy Policy: https://stripe.com/privacy
- Note: Grid Tools does not store full credit card numbers. Payment information is processed directly by Stripe. Stripe retains transaction and payment records as required by financial regulations, even after a customer record is deleted.
9.2 Infrastructure and Security
Cloudflare
- Purpose: Website and API hosting, content delivery, DDoS protection, DNS, and serverless compute (Cloudflare Workers)
- Data Shared: Web traffic data, IP addresses, and request metadata as part of normal web traffic routing
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
9.3 Business Email and Support
Zoho Mail
- Purpose: Business email mailboxes and support correspondence
- Data Shared: Email address and communication content when You contact support
- Privacy Policy: https://www.zoho.com/privacy.html
9.4 Transactional Email
Resend
- Purpose: Delivery of transactional emails, such as authentication codes, account notices, billing notifications, and support messages
- Data Shared: Email address and the content of transactional messages
- Privacy Policy: https://resend.com/legal/privacy-policy
10. Browser Extension
10.1 Extension Overview
The Grid Tools Browser Extension operates within Your browser to enhance the Smartsheet interface. It is distributed through browser extension stores (Chrome Web Store, Firefox Add-ons, and others as available) and executes packaged extension code.
10.2 Extension Permissions
The Browser Extension requires certain permissions to function. The exact permission names and structure may vary by browser and manifest version.
| Permission | Purpose |
|---|---|
storage | Save local extension settings, authentication/session data, license cache data, and feature preferences in Your browser |
tabs | Identify the active Smartsheet tab, communicate with extension content scripts, and confirm that Grid Tools actions run only on supported Smartsheet pages |
scripting | Execute packaged extension code in supported Smartsheet pages when needed to provide Grid Tools functionality |
alarms | Run periodic extension tasks, such as license refresh or session maintenance, where supported by the browser |
Host permissions for app.smartsheet.com | Interact with Smartsheet web pages to provide Grid Tools features |
Host permissions for workapps.smartsheet.com | Support Grid Tools features and display behavior inside Smartsheet WorkApps |
Host permissions for integration-smartsheet.brandfolder-svc.com | Support Grid Tools display behavior on Smartsheet-integrated Brandfolder surfaces where applicable |
10.3 Data Flow
What stays in Your browser:
- Your Smartsheet content, including sheet data, cell contents, formulas, reports, dashboards, workflow contents, comments, attachments, and proofs
- Your Grid Tools settings and preferences, except where a specific feature clearly requires server-side processing
- Local feature configurations
- Authentication/session data used by the Browser Extension to keep You signed in
- Cached license and entitlement information used to support offline/grace-period behavior
What is sent to Grid Tools servers:
- Account identifiers, such as email address and user ID, for authentication and license verification
- Authentication/session data, such as access tokens or refresh tokens, when needed to authenticate requests, refresh sessions, or log out
- License and entitlement data, such as license tier, usage total, usage limit, and feature availability
- Feature/action usage events, such as action name and timestamp, for license enforcement, usage limits, support, abuse prevention, administrative reporting, and product improvement
- Request IDs, response status information, and diagnostic data needed for security, debugging, and support
What is NOT sent:
- Smartsheet customer content, including sheet data, cell contents, formulas, reports, dashboards, workflow contents, comments, attachments, proofs, and object-level business data
- Your local feature settings or configurations, except where a specific feature clearly requires server-side processing and this Privacy Policy describes that processing
- Information about Your sheets, reports, dashboards, or workflows beyond the limited operational data described above
10.4 Source Code Transparency
The Browser Extension is distributed through browser extension stores and executes packaged extension code. Browser extension stores generally restrict remotely hosted executable code and may review extension code as part of their submission process. Users and administrators can inspect installed extension files through browser developer tools or browser extension management tools, subject to each browser's capabilities.
10.5 No Remote Code Execution
Grid Tools does not remotely inject executable code into Your browser. The Browser Extension is distributed through browser extension stores and executes packaged extension code rather than remotely hosted executable code. Browser extension stores generally restrict remotely hosted executable code and may reject extensions that violate those requirements.
10.6 Browser Store Privacy Disclosures
For browser extension store publication, Grid Tools maintains privacy and permission disclosures intended to align with this Privacy Policy and the Browser Extension's manifest. These disclosures include the extension's single-purpose description, permission justifications, data-use disclosures, privacy policy URL, and remote-code declaration.
11. Your Rights
Depending on Your location, You may have some or all of the following rights regarding Your Personal Data:
- Right to Access: Request a copy of the Personal Data We hold about You
- Right to Rectification: Request correction of inaccurate or incomplete Personal Data
- Right to Erasure: Request deletion of Your Personal Data, subject to legal retention requirements and third-party processor obligations (for example, Stripe retains transaction records for regulatory compliance even after a customer record is deleted)
- Right to Restrict Processing: Request that We limit how We use Your Personal Data
- Right to Data Portability: Request Your Personal Data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with Your local data protection authority
To exercise any of these rights, contact Us at [email protected]. We will respond within the timeframe required by applicable law (generally 30 days, with extensions where permitted).
We may need to verify Your identity before fulfilling a privacy request. Some requests may be fulfilled through manual support processes or through third-party provider tools, and some information may be retained where required by law, security obligations, dispute handling, or third-party processor obligations.
12. Security
12.1 Technical Safeguards
We implement appropriate technical and organizational measures to protect Your Personal Data:
- Encryption in Transit: All data transmitted between Your browser and Our servers is encrypted using TLS 1.2 or greater
- Encryption at Rest: Data stored in Our databases is encrypted using AES-256 encryption
- Access Controls: Logical access controls for all servers, systems, and databases
- DDoS Protection: All traffic is proxied through Cloudflare's DDoS protection
- Secure Development: Regular security reviews and code audits
- Extension Storage Minimization: The Browser Extension stores authentication/session and license data locally only as needed to operate the Service, maintain sessions, verify licenses, and support usage-limit behavior
- Request Tracing: Requests to Grid Tools servers include request IDs to support diagnostics, support, abuse detection, and incident investigation
12.2 Incident Response
In the event of a data breach that affects Your Personal Data, We will notify You and any applicable regulatory authorities in accordance with applicable law.
13. International Data Transfers
13.1 Processing Locations
Grid Tools is operated from the United States. Your Personal Data may be processed in the United States and in other jurisdictions where Our service providers operate.
13.2 Transfer Mechanisms
Where required by applicable law, We use appropriate transfer mechanisms to ensure adequate protection for international data transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with service providers
- Other transfer mechanisms recognized under applicable law
13.3 International Processing Notice
If You are located outside the United States, Your Personal Data may be transferred to and processed in the United States. Where required, We rely on appropriate transfer mechanisms, such as Standard Contractual Clauses and data processing agreements. You acknowledge that data protection laws in the United States may differ from those in Your country.
14. California Privacy Rights (CCPA/CPRA)
If You are a California resident, You have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
14.1 Categories of Personal Information Collected
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Customer Records | Billing address, payment info | Yes |
| Commercial Information | Subscription history, purchases | Yes |
| Internet/Network Activity | Browsing history, feature usage | Yes |
| Approximate Location | General region inferred from IP address | Yes |
| Professional Information | Organization name | Yes |
| Sensitive Personal Information | Precise geolocation, government identifiers, financial account credentials, contents of private communications, or other sensitive categories defined by applicable law | No |
14.2 Your California Rights
- Right to Know: Request disclosure of the categories and specific pieces of Personal Information We have collected
- Right to Delete: Request deletion of Your Personal Information, subject to legal exceptions and third-party processor retention obligations
- Right to Correct: Request correction of inaccurate Personal Information
- Right to Opt Out of Sale/Sharing: We do not sell or share Your Personal Information for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against You for exercising Your privacy rights
To exercise Your rights, contact Us at [email protected].
15. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect Personal Data from children under 16. If We become aware that We have collected Personal Data from a child under 16, We will delete that information promptly. If You believe a child under 16 has provided Us with Personal Data, please contact Us at [email protected].
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When We make material changes, We will:
- Update the "Last Updated" date at the top of this page
- Notify active Account holders by email where required by applicable law
- Post the updated Privacy Policy on the Website
Your continued use of the Service after any changes indicates Your acceptance of the updated Privacy Policy. We encourage You to review this Privacy Policy periodically.
17. Contact Us
If You have questions about this Privacy Policy or wish to exercise Your privacy rights, contact Us:
- Email: [email protected]
- Support: [email protected]
- Website: https://gridtools.app
18. Governing Entity
The legal entity responsible for the Service is:
- Legal Entity Name: GT4SS, LLC
- Registered Address: 1405 Lavoy Ct, Lancaster, SC 29720
- Jurisdiction of Formation or Registration: South Carolina
- Primary Business Address, if different: Not applicable
- Privacy Contact: [email protected]
- Support Contact: [email protected]
- Data Protection Officer, if applicable: Not appointed. Privacy requests may be sent to [email protected].