Privacy Policy for Order Form
Last Updated: January 17, 2025
Effective Date: January 17, 2025
1. Introduction
This Privacy Policy describes how Order Form ("we", "our", or "the Service") collects, uses, stores, and protects your information when you connect your Google Account to our application. We are committed to protecting your privacy and being transparent about our data practices.
By using our Service, you agree to the collection and use of information in accordance with this policy.
2. Data We Access from Google
2.1 Google User Information We Collect
The specific types of Google user data our application accesses:
- Email Address: We access your Google account email address to identify and authenticate your account in our system.
- Google Drive Files (Limited Scope): We access only the specific Google Sheets files that our application creates on your behalf. We cannot access any other files in your Google Drive.
- Google Refresh Token: We store a secure token that allows our application to access your Google Sheet even when you're not actively logged in, so we can add order data automatically.
2.2 Google API Scopes We Request
Our application requests the following specific permissions from Google:
- https://www.googleapis.com/auth/userinfo.email - To read your email address for account identification
- https://www.googleapis.com/auth/drive.file - A restricted scope that grants access ONLY to files that our application creates
Important Security Information:
The drive.file scope is a restricted, secure permission. It means our application can ONLY see, read, and modify Google Sheet files that it creates. We have zero access to:
- Your existing files or folders
- Files created by other applications
- Any personal documents, photos, or other content in your Google Drive
3. How We Use Google User Data
3.1 Account Creation and Authentication
Purpose: To create and maintain your account in our system.
How we use the data:
- Your email address is used as your unique identifier in our database
- We use it to authenticate you when you log in
- We may use it to send you order notifications (if you enable this feature)
- We store your email in our Supabase database
3.2 Creating Your Order Management Sheet
Purpose: To create a centralized location for storing your order data.
How we use the data:
- When you first sign in, our application creates ONE Google Sheet in your Google Drive
- The sheet is automatically named "Orders for [Your Email]"
- This sheet remains in YOUR Google Drive and is owned by YOU
- We store the ID of this sheet (a unique identifier like "1abc...xyz") in our database
- This ID allows us to know which sheet to update when orders are submitted
3.3 Adding Order Data to Your Sheet
Purpose: To automatically record customer orders in your Google Sheet.
How we use the data:
- When a customer submits an order through your form, we add a new row to your Google Sheet
- The data added includes: customer name, email, phone, order details, product selections, quantities, prices, and any comments
- We use your stored Google Refresh Token to authenticate this action
- We format the data (bold headers, borders) for better readability
- All order data goes directly to YOUR Google Sheet - we do not store customer order details on our servers
3.4 Sheet Recovery (Error Handling)
Purpose: To ensure your orders are never lost if your Google Sheet is accidentally deleted.
How we use the data:
- If we detect that your Google Sheet no longer exists (HTTP 404 error), we automatically create a new one
- We update the stored Sheet ID in our database to point to the new sheet
- This ensures continuous order processing without interruption
4. Data Storage and Security
4.1 What We Store in Our Database
We store the following information in our Supabase database:
- Your Email Address: Stored in plain text for account identification
- Google Refresh Token: Stored securely and used to authenticate API requests to Google on your behalf
- Google Sheet ID: The unique identifier of your order sheet (e.g., "1abc...xyz")
- Form Settings: Your form configuration (colors, products, labels, etc.)
- API Keys: Internal access keys for using our service
4.2 Security Measures
- All data is stored in Supabase, a secure, SOC 2 Type II certified database provider
- All connections use HTTPS encryption
- Google Refresh Tokens are stored securely and never exposed to client-side code
- We follow Google's best practices for OAuth 2.0 implementation
- Access to our database is restricted and logged
4.3 What We Do NOT Store
- We do NOT store customer order details (they go directly to your Google Sheet)
- We do NOT store your Google password
- We do NOT store any files from your Google Drive
- We do NOT store payment information (payments are processed by PayPal if enabled)
Note on Usage Limits: While we aim to provide generous storage for your form settings and product images, our service operates under a Fair Use Policy as defined in our Terms of Service. This policy helps us ensure system stability for all users.
5. Data Sharing and Third Parties
Limited Use Disclosure:
Order Form's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 We Do NOT Sell Your Data
We do not sell, trade, or rent your personal information or Google user data to third parties.
5.2 Third-Party Services We Use
Our application integrates with the following third-party services. We only share the minimum information necessary for them to perform their function.
- Google Drive API: To create and update your Google Sheets.
- Supabase: To store your account information and form settings.
- Cloudflare R2: To store product images you upload.
- FormSubmit.co: To send order notification emails to you.
- Resend: To send "magic link" emails for password-free login.
- Netlify: Our website is hosted on Netlify, which may collect standard server logs, including IP addresses.
- PayPal (Optional): If you enable payments, customer payment data is processed directly by PayPal - we never see or store payment card details.
5.3 Legal Requirements
We may disclose your information if required by law, such as to comply with a subpoena or similar legal process.
6. Data Retention and Deletion
6.1 How Long We Keep Your Data
- Your account data (email, tokens, settings) is stored as long as your account is active
- Your Google Sheet remains in YOUR Google Drive indefinitely (it's your file)
- Product images you upload are stored in Cloudflare R2 until you delete them or close your account
6.2 Your Right to Delete Your Data
You can request deletion of your account and associated data at any time by contacting us at admin@lumaxdesign.com.
When you request deletion, we will:
- Remove your account information from our database
- Delete stored Google Refresh Tokens
- Delete your form settings
- Delete uploaded product images from our storage
Note: Your Google Sheet will remain in your Google Drive (since you own it). You can delete it manually at any time.
6.3 Revoking Google Access
You can revoke our application's access to your Google account at any time by visiting:
https://myaccount.google.com/permissions
After revocation, we will no longer be able to add orders to your Google Sheet.
7. Your Rights and Choices
- Access: You can view all your account data by logging into the Service
- Correction: You can update your form settings and data at any time
- Deletion: You can request account deletion as described in Section 6.2
- Export: Your order data is always accessible in your own Google Sheet, which you can download or export at any time
- Revoke Access: You can revoke Google permissions as described in Section 6.3
8. Children's Privacy
Our Service is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately.
9. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by:
- Updating the "Last Updated" date at the top of this page
- Sending you an email notification (if the changes are significant)
We encourage you to review this Privacy Policy periodically for any changes.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: admin@lumaxdesign.com
Service URL: https://forms.lumaxdesign.com
11. Compliance
This Privacy Policy complies with: