Privacy Policy

Last Updated: November 18, 2025

1. Introduction

SwiftSoft ("we", "our", or "us") operates productivity add-ons for Google Workspace, including our application CertifyForms. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our applications and services.

This Privacy Policy applies to all SwiftSoft applications, including but not limited to:

CertifyForms: Google Workspace add-on for automated certificate generation
Other SwiftSoft productivity tools for Google Workspace

2. What Google User Data We Collect

When you use our applications, we collect the following types of data:

2.1 Information You Directly Provide

Google Account Information: Your email address, name, and basic Google profile information when you authenticate with Google
Google Forms Data: Form structure, questions, settings, and response data from Google Forms that you explicitly choose to process with CertifyForms
Google Sheets Data: Spreadsheet content that you explicitly choose to process or link with our applications
Google Drive Files: Only files that you explicitly create with our app or that you explicitly open with our app
Account and Billing Information: Payment information, subscription details, and organization information you provide

2.2 Automatically Collected Information

Usage Data: Information about how you interact with our applications, including features used and actions performed
Log Data: Application usage logs, error reports, and performance metrics
Device Information: Browser type, operating system, IP address, and timezone settings
Authentication Tokens: OAuth tokens to maintain your authenticated session with Google services

3. How We Use Your Google User Data

We use the collected information exclusively for the following purposes:

Service Delivery: To provide and improve the functionality of our add-ons, including generating certificates from Google Forms responses and managing your form workflows
AI Processing: To process your forms and spreadsheets using AI services (such as OpenAI) only when you explicitly request it through our application features. AI processing is used solely to enhance functionality like generating personalized certificates
Authentication and Account Management: To authenticate your identity, maintain your session, and manage your account and subscription
Communication: To send you service-related notifications, updates about your subscription, and responses to your support requests
Technical Support: To respond to your inquiries, troubleshoot issues, and provide customer assistance
Service Analytics: To understand usage patterns, improve our services, and develop new features that benefit our users
Security and Fraud Prevention: To detect, prevent, and respond to abuse, fraud, security issues, and violations of our terms of service
Legal Compliance: To comply with applicable laws and legal obligations

We do NOT use your Google user data for:

❌ Serving advertisements or targeted advertising
❌ Selling to data brokers or information resellers
❌ Determining credit-worthiness or lending purposes
❌ Creating user profiles for advertising
❌ Training AI models outside of providing our service functionality
❌ Any purpose unrelated to providing or improving user-facing features of our applications

4. Google API Services User Data Policy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.1 Specific Google API Scope Usage

Our application uses the following Google API scopes to provide certificate generation functionality. Each scope is used exclusively for the purposes described below:

Form Response Analysis Scope:

https://www.googleapis.com/auth/forms.responses.readonly: CertifyForms reads quiz responses from your Google Forms to determine certificate eligibility. We evaluate responses against passing thresholds you configure (e.g., "generate certificates for scores ≥ 80%"). This allows us to automatically identify respondents who qualify for certificates and extract their scores and names for personalization

User Interface Scope:

https://www.googleapis.com/auth/script.container.ui: This scope displays the CertifyForms sidebar interface within Google Forms, allowing you to configure certificate generation settings without leaving the form. The sidebar provides options to set passing thresholds, select templates, and manage certificate preferences directly in the Forms environment

Backend Communication Scope:

https://www.googleapis.com/auth/script.external_request: CertifyForms uses this scope to securely communicate with our backend API servers for subscription verification, quota tracking, and QR code validation. All communications are encrypted via HTTPS. This scope enables us to verify your subscription status, enforce fair usage limits, and provide premium features based on your subscription tier

Background Processing Scope:

https://www.googleapis.com/auth/script.scriptapp: This scope enables automatic certificate generation triggers and manages stored settings. When you configure rules like "automatically generate certificates when quiz is submitted," we use this scope to manage background processes that execute these workflows. We also use it to persistently store your configuration settings across sessions

Important: We request only the minimum scopes necessary to provide certificate generation functionality. Each scope is used exclusively for the purposes described above and never for advertising, data resale, or any unrelated activities.

5. How We Share, Transfer, and Disclose Google User Data

5.1 We DO NOT:

❌ Sell your personal information or Google user data to third parties
❌ Sell data to data brokers or information resellers
❌ Share your form or spreadsheet content with advertisers
❌ Transfer your data to third parties for targeted advertising, personalized advertising, retargeted advertising, or interest-based advertising
❌ Use or share your data for determining credit-worthiness or lending purposes
❌ Store your Google Drive files on our servers permanently beyond what is necessary to provide the service
❌ Share your data for any purpose unrelated to providing or improving our application's functionality

5.2 We DO Share With (Only to Provide Services):

We may share your data with the following third parties, but only to the extent necessary to provide and improve our services:

AI Service Providers (e.g., OpenAI): We share only the specific data you choose to process through our AI-powered features (such as form responses for certificate generation). This data is transmitted securely and used solely to deliver the requested functionality
Cloud Infrastructure Providers (e.g., AWS, Google Cloud): We use cloud hosting services to store and process data. These providers have strict security measures and data protection agreements in place
Payment Processors (e.g., Paddle): We share billing information with our payment processor to handle subscription payments and invoicing
Analytics Services: We share only anonymized and aggregated usage data for service improvement. No personally identifiable information or Google user data is shared
Legal Requirements: We may disclose information when required by law, court order, or governmental authority, or when necessary to protect our legal rights, prevent fraud, or ensure user safety

5.3 Data Transfer Safeguards:

When we transfer data to third-party service providers:

All transfers are protected by encryption and secure protocols
Service providers are contractually bound to protect your data and use it only for the specified purposes
We conduct regular reviews of our service providers' security and privacy practices
Data is transferred only to providers that comply with applicable data protection regulations

6. Data Security and Protection Mechanisms

We implement comprehensive security measures to protect your Google user data and personal information:

6.1 Technical Security Measures

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.3 protocols with strong cipher suites
Encryption at Rest: All sensitive data stored in our databases is encrypted using industry-standard AES-256 encryption
Secure Authentication: We use OAuth 2.0 for Google authentication and implement secure session management with encrypted tokens
Access Control: Strict role-based access controls (RBAC) ensure that only authorized personnel can access systems containing user data
Network Security: Firewalls, intrusion detection systems, and network segmentation protect our infrastructure
Regular Security Updates: We maintain up-to-date software and apply security patches promptly

6.2 Organizational Security Measures

Limited Access: Only essential personnel have access to user data, and access is logged and monitored
Background Checks: All employees with data access undergo background verification
Security Training: Regular security awareness training for all team members
Incident Response: Documented incident response procedures to quickly address any security events
Regular Audits: Periodic security audits and vulnerability assessments of our systems
Vendor Management: All third-party service providers are vetted for security compliance

6.3 Data Protection Best Practices

Minimal Data Collection: We collect only the data necessary to provide our services
Data Minimization: We process and retain only the minimum amount of data required
Anonymization: Where possible, we anonymize data used for analytics and service improvement
Secure Deletion: When data is deleted, it is securely removed from all systems including backups
Logging and Monitoring: Comprehensive logging of data access and system activities for security monitoring

7. Your Rights and Choices

You have the right to:

Access: Request a copy of your personal data
Correction: Update or correct your information
Deletion: Request deletion of your data
Revoke Access: Remove our app's access to your Google account at any time
Export: Download your data in a portable format
Opt-Out: Unsubscribe from promotional communications

8. Data Retention and Deletion

We retain your data only for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy.

8.1 Retention Periods

Account Data: Retained while your account is active and for up to 30 days after account closure to allow for account recovery
Google Forms and Sheets Data: Processed in real-time and not permanently stored on our servers unless explicitly saved by you within the application. Temporary processing data is automatically deleted within 24 hours
Generated Certificates: Stored in your Google Drive and retained according to your own Google Drive retention settings. We do not store copies on our servers
Usage and Log Data: Retained for 90 days for security monitoring, debugging, and service improvement purposes, then automatically deleted
Billing Records: Retained for 7 years to comply with tax and accounting regulations
Support Communications: Retained for 2 years to provide ongoing support and improve our services
Backups: Deleted within 30 days after the source data is deleted from production systems

8.2 Data Deletion

You have the right to request deletion of your data at any time. When you delete your data:

Account Deletion: You can delete your account at any time through your account settings or by contacting us at hello@swiftsoft.io
Immediate Deletion: Upon account deletion, your personal data is immediately removed from our production systems
Backup Deletion: Data in backup systems is permanently deleted within 30 days
Google Access Revocation: You can revoke our access to your Google account at any time through your Google Account settings at https://myaccount.google.com/permissions
Partial Deletion: You can request deletion of specific data categories by contacting our support team
Legal Retention: Some data may be retained longer if required by law (e.g., billing records for tax purposes) but will be securely stored and access-restricted

8.3 Automatic Data Expiration

Temporary processing data expires automatically after 24 hours
Authentication tokens expire and are deleted according to security best practices
Inactive accounts (no login for 2 years) receive deletion warnings and may be automatically deleted after 30 days notice

9. Children's Privacy

Our services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this privacy policy.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via:

Email notification to your registered address
In-app notification
Updated "Last Updated" date at the top of this policy

12. Third-Party Links

Our apps may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

13. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. You can control cookies through your browser settings.

14. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us:

Email Support: hello@swiftsoft.io
Website: https://apps.swiftsoft.io
Support Center: https://apps.swiftsoft.io/support
Application Name: CertifyForms and other SwiftSoft productivity add-ons
Developer: SwiftSoft.io

We will respond to your privacy-related inquiries within 30 days.

15. Compliance

We comply with:

Google API Services User Data Policy
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Other applicable data protection laws