RG App Store logoRG App Store
Legal

Privacy Policy

Last updated: June 2026

Short version

RG App Store does not collect, store, or transmit any of your personal data or form submission data. We have no database, no analytics, and no server that receives your information. Your Google OAuth token exists only in your browser's memory for the duration of your session.

1. Who we are

RG App Store is a web application that provisions apps — each its own Google Sheet + Apps Script — entirely within your own Google Drive. The service is provided as-is with no warranty.

2. Data we do not collect

RG App Store does not operate any server-side infrastructure that processes your data. Specifically, we do not collect:

  • Your name, email address, or Google account information
  • Your OAuth access token or refresh token
  • Your form configuration (fields, names, settings)
  • Any submissions sent through forms you create
  • IP addresses, device identifiers, or browser fingerprints
  • Usage analytics or behavioral data

3. Google OAuth and access tokens

To create Google Sheets and Apps Script projects on your behalf, RG App Store requests a short-lived OAuth 2.0 access token from Google. This token:

  • Is stored only in your browser's memory (JavaScript variable) — never in localStorage, cookies, or any server.
  • Is used exclusively to make Google API calls to create and manage your Sheet and Apps Script resources.
  • Is discarded automatically when you close or refresh the page.
  • Is never transmitted to any RG App Store server or third-party service.

4. OAuth scopes requested

When you sign in, Google will show you the permissions RG App Store is requesting. Here is exactly what each scope is used for:

Drive (app-created files only)

Create and manage the spreadsheet RG App Store creates on your behalf. This scope cannot access any other files in your Drive.

Apps Script (projects)

Create the Apps Script project that runs each app you provision. The script is created as a container-bound project attached to its spreadsheet — when you delete a form, the sheet and its bound script are deleted together. When Google asks you to authorize the script, it only requests access to that one file — not all your spreadsheets.

Apps Script (deployments)

Deploy the script as a public web app to produce the form endpoint URL.

Your Google profile and email (including openid)

Display your name and avatar in the app, and pre-fill the notification email field with your address. The openid scope is required by Google's OpenID Connect protocol to verify your identity during sign-in — it does not grant access to any additional data.

RG App Store never requests full Drive access. When you delete a form, the Google Sheet and its bound Apps Script are permanently deleted together — the script is embedded in the spreadsheet, so removing the sheet removes everything.

The Apps Script deployed to your Google Drive declares its own scopes separately from the RG App Store web app. When you authorize the script, Google will show it requesting access to that one spreadsheet only (using the spreadsheets.currentonly scope — not all your spreadsheets). If you enable email notifications, it also requests the ability to send email on your behalf (script.send_mail). If you enable spam protection, it also requests the ability to make outbound requests (script.external_request), used only to verify captcha tokens with Cloudflare. Both are optional — chosen when you create the project — and these permissions are granted to the script running under your own Google account, not to RG App Store.

5. Spam protection (Cloudflare Turnstile)

Spam protection is optional and off by default. If you enable it, your form uses Cloudflare Turnstile, a privacy-focused CAPTCHA alternative. The Turnstile widget on your own page obtains a token from Cloudflare in the visitor's browser; when the form is submitted, your Apps Script verifies that token directly with Cloudflare before saving the row.

  • When the Turnstile widget runs in the visitor's browser, it contacts Cloudflare directly, so Cloudflare receives the visitor's IP address to assess whether they are human — as described in Cloudflare's privacy policy.
  • The resulting token is then verified by the script in your own Google account — not by any RG App Store server — and that verification sends only the token and your secret key, never the visitor's IP address or your form-field values.
  • Your Turnstile secret key is stored in your own private Google Sheet (the hidden manifest tab) and is never exposed to the browser or to RG App Store.
  • If you turn protection off, no tokens are sent and Cloudflare is not contacted.

Cloudflare is an independent third party. Its handling of the data it receives is governed by Cloudflare's privacy policy.

6. Your site submissions and data

After provisioning, visitors who submit forms or query your site's API do so directly from their browser to your Google Apps Script deployment URL. That data goes directly into your Google Sheet and (for forms) is emailed to you. We never see, intercept, or store any submissions or site data.

You are responsible for the data collected through forms you create. If you collect personal information from your visitors, ensure your own site's privacy policy accurately reflects that.

7. Google's Privacy Policy

By signing in with Google, you are also subject to Google's own privacy policy and terms of service. The resources created in your Google Drive (Sheets, Apps Script) are governed by Google's terms, not ours.

You can revoke RG App Store' access to your Google account at any time by visiting myaccount.google.com/permissions and removing RG App Store from the list of connected apps.

8. Cookies and Tracking

RG App Store does not use cookies, local storage, session storage, or any tracking pixels. There are no analytics scripts or external sign-in SDKs loaded on this site. Sign-in is handled by opening a standard OAuth 2.0 popup directly to Google's authorization endpoint — no third-party scripts are injected.

9. Changes to this policy

If this privacy policy changes materially, the “Last updated” date at the top will be revised. Since we collect no personal data, changes are unlikely to affect you.

10. Contact

Questions about this privacy policy? Contact us.