Privacy policy

Effective date: June 7th, 2026

Last updated: June 7th, 2026

This Privacy Policy explains how we collect and use personal data when you use Spreadsheet Center. We've tried to write it in plain language. If anything is unclear, email us at privacy@spreadsheetcenter.com and we'll explain.

1. Who we are

Spreadsheet Center is operated by Mancato, registered with the Dutch Chamber of Commerce (KvK) under number 76898415.

For all privacy matters, contact us at privacy@spreadsheetcenter.com.

2. Scope

This policy covers personal data we process through:

  • Our website at spreadsheetcenter.com and any subdomains
  • User accounts you create with us
  • Communications you send us (e.g., contact form, email)

If we add a feature that materially changes what we collect or how we use it, we'll update this policy and note it under "Changes to this policy" below.

3. What we collect, why, and on what legal basis

The table below summarises the categories of personal data we collect, what we use them for, the legal basis under the GDPR, and how long we keep them.

Data category What it includes Why we collect it Legal basis (GDPR) Retention
Account data Email address, hashed password, account creation date, timezone (used for streak calculation), and any technical metadata required to maintain the account To create and operate your account, authenticate you, and run features such as streak tracking Performance of a contract (Art. 6(1)(b)) Until you delete your account, plus a short period in backups
Profile data (optional) Username, display name, public profile setting To let you optionally make a public profile that shows your username and stats Consent (Art. 6(1)(a)) — you choose to make this public Until you remove it or delete your account
Progress data Completed exercises, current and longest streak, last-completed timestamp, and similar usage data tied to your account To track and display your progress and operate progress-related features Performance of a contract (Art. 6(1)(b)) Until you delete your account, plus a short period in backups
Anonymous progress (no account) Exercise progress stored in your browser's local storage To let you use exercises without an account Not personal data we control — stored only on your device Until you clear your browser storage
Optional survey responses Answers to optional questions we may ask at signup or elsewhere in the product Internal product research, to understand who uses the service and how they engage Legitimate interest (Art. 6(1)(f)). You can skip these questions Until you delete your account
Inbound communications Messages you send us (e.g., via the contact form), including any optional fields you fill in, plus technical metadata such as the page the message was sent from and your browser's user-agent string To respond to your message and, where you've reported a bug, reproduce the issue Legitimate interest (Art. 6(1)(f)) Up to 24 months, then deleted
Profile moderation records Reports filed about public profiles, including the reporter's account ID, the reported profile, and the reason given To review and act on reports about inappropriate public profiles Legitimate interest (Art. 6(1)(f)) — keeping public profiles free of abuse Reports are deleted within ~30 days of resolution, unless we need to keep a record of action taken
Communication preferences Whether you've opted in to product update emails, and similar preferences To respect your choices about what we send you Consent (Art. 6(1)(a)) — withdrawable at any time Until you withdraw consent or delete your account
Server and access logs IP address, request timestamp, requested URL, response status, user-agent — collected by our hosting and infrastructure providers Security, abuse prevention, and operational diagnostics Legitimate interest (Art. 6(1)(f)) Per the providers' default retention; typically a few days to several weeks
Analytics Page views, referrer, approximate country, device type — collected without cookies and without an identifier that follows you across sites To understand which pages are visited and how the site performs in aggregate Legitimate interest (Art. 6(1)(f)) Aggregate data retained for as long as it's useful for trend analysis; the underlying request data is not retained

If we collect a category of personal data that isn't listed above, that's an oversight on our part — please let us know at privacy@spreadsheetcenter.com and we'll correct the policy.

4. Cookies

We use a small number of strictly necessary cookies that are essential for the service to function — primarily authentication cookies that keep you signed in. We don't rely on cookies for analytics or marketing.

Because the only cookies we use are strictly necessary for a service you've actively asked for, the law does not require us to obtain consent for them. We show an information notice the first time you visit so you know they're there.

5. Affiliate links

Some links on our site may be affiliate links, meaning that if you click through and make a purchase on the destination site, we may receive a small commission at no extra cost to you. When you click such a link, you leave our site and the destination site can tell that you arrived from us — but we don't share any personal data with the affiliate partner. We mark affiliate links and disclosures where they appear, separately from this policy.

6. Service providers (sub-processors)

We rely on the following service providers to operate Spreadsheet Center. Each is bound by a data processing agreement and processes personal data only on our instructions or as set out in their own service contracts.

Provider Role Where data is processed Transfer safeguard
Supabase Authentication and database United States, on AWS infrastructure EU Standard Contractual Clauses; AWS is certified under the EU-US Data Privacy Framework
Cloudflare Hosting, content delivery, network security Global edge network, including locations outside the EEA EU Standard Contractual Clauses; Cloudflare is certified under the EU-US Data Privacy Framework
Brevo Email delivery for transactional and operational messages European Union None required — within the EU/EEA
Hetzner Hosting for our self-hosted analytics Germany None required — within the EU/EEA

If we add or replace a sub-processor, we'll update this list.

7. International transfers

Some of our service providers are based outside the European Economic Area, primarily in the United States. When personal data is transferred outside the EEA, we rely on one of the following safeguards under Chapter V of the GDPR:

  • Adequacy decisions issued by the European Commission;
  • Standard Contractual Clauses approved by the European Commission, where adequacy is unavailable;
  • The EU-US Data Privacy Framework, where the US recipient is certified under it.

On request, we'll point you to the relevant safeguards — typically the European Commission's published Standard Contractual Clauses, and the relevant provider's Data Processing Agreement. Email privacy@spreadsheetcenter.com.

8. How we keep your data secure

We rely on the security measures of our infrastructure providers (encrypted connections, encryption at rest, isolated authentication infrastructure) and on basic operational practices (least-privilege access, no unnecessary data collection, no plaintext password storage). We don't claim that any service is fully immune to security incidents. If a breach occurs that puts your rights at risk, we'll notify the Dutch supervisory authority within 72 hours and inform affected users where the GDPR requires us to.

9. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — ask us for a copy of the personal data we hold about you.
  • Rectification — ask us to correct data that's inaccurate or incomplete. You can update most of your account information directly from your account settings.
  • Erasure ("right to be forgotten") — you can delete your account directly from your account settings, which removes the personal data tied to your account. You can also email us if you'd prefer.
  • Restriction — ask us to stop processing your data in certain circumstances.
  • Portability — ask us for your data in a machine-readable format, where technically feasible.
  • Objection — object to processing based on legitimate interest, including direct marketing (for direct marketing, your objection is absolute).
  • Withdraw consent — where we rely on consent (e.g., marketing emails, public profile), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. You can manage most consent settings directly from your account.

To exercise any right that isn't available as a self-serve setting, email us at privacy@spreadsheetcenter.com. We'll respond within one month, as required by Article 12(3) GDPR. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands, that is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You can also complain to the supervisory authority in the EU/EEA country where you live or work.

10. Children

Spreadsheet Center is intended for users aged 16 or older. We don't knowingly create accounts for children under 16 without parental authorization, and our Terms of Service set 16 as the minimum age. If you're a parent or guardian and believe your child under 16 has created an account, contact us at privacy@spreadsheetcenter.com and we'll delete the account and associated personal data.

11. Marketing communications

If you've opted in to product update emails, we may email you about new features, paid plans, changes to the service, or other matters we think may be relevant to you. You can withdraw consent at any time by clicking the unsubscribe link in any such email or by emailing us. Withdrawing consent for marketing emails does not affect transactional emails.

12. Information for users in California

If you're a resident of California, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

  • The right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share it with — all of which are set out in this policy.
  • The right to delete personal information we hold about you (subject to exceptions).
  • The right to correct inaccurate personal information.
  • The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising. We do not sell or share personal information in this sense.
  • The right not to be discriminated against for exercising any of these rights.

To exercise these rights, email us at privacy@spreadsheetcenter.com.

We have not "sold" personal information in the preceding 12 months, and we don't intend to.

13. Changes to this policy

If we make material changes to this policy — for example, adding a new category of data, a new processing purpose, or a new type of recipient — we'll update the "Last updated" date at the top and, where the change is significant, give existing account holders advance notice by email. Routine updates (clarifications, typo fixes, replacing a sub-processor with another doing the same thing) won't trigger a notice but will still be reflected in the version on this page.

14. Contact

For any privacy-related question, request, or complaint:

Email: privacy@spreadsheetcenter.com
Controller: Mancato, KvK 76898415