Privacy Policy
1. Introduction
This Privacy Policy ("Policy") describes how INNIT LLC ("we", "us", "our") collects, uses, stores, shares, and protects personal information when you use the GAS Agent Chrome Extension and the associated backend services (collectively, the "Service").
By installing or using the Service, you agree to the practices described in this Policy. If you do not agree, please do not install or use the Service.
2. Who We Are
- Company name: INNIT LLC (合同会社INNIT)
- Registered address: 12-12, Osaka Ekimae Dai-2 Bldg., 1-2-2 Umeda, Kita-ku, Osaka, Japan
- Contact: gasagent26@gmail.com
3. Information We Collect
We collect only the minimum information necessary to operate the Service.
3.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Google account identifiers | Email address, display name, profile photo URL, Google User ID (sub) | Account creation, authentication, and plan management |
| Payment information | Stripe customer ID, subscription status, billing period | Subscription management (card numbers are handled exclusively by Stripe and never reach our servers) |
| User prompts and code context | Text you type into the extension, Google Apps Script (GAS) source files open in your editor, filenames of your GAS project | Generating AI responses |
| Spreadsheet context (on request) | When you ask the AI to inspect a bound Google Sheet, the extension temporarily reads header rows, row count, and a small sample of cell values | Enabling the AI to generate accurate code against your actual data |
| Saved conversation sessions (paid plans only) | On Pro and Pro Max, the sequence of messages and tool results from your conversation — including any prompts and code context described above — together with the Apps Script project ID and title | Allowing you to resume a previous conversation from the same or a different device |
3.2 Information Automatically Collected
| Category | Examples | Purpose |
|---|---|---|
| Usage metrics | Request timestamp, model tier used, input/output token counts, request duration | Rate limiting, billing enforcement, service reliability |
| Diagnostic logs | HTTP status codes, error messages, anonymized request IDs | Debugging and abuse prevention |
| Device information | Browser user agent, extension version | Compatibility and support |
3.3 Information We Do Not Collect
- We do not collect browsing history outside of https://script.google.com/*.
- We do not collect or read content from websites other than the Google Apps Script editor.
- We do not collect payment card numbers, CVV, or expiration dates (all handled by Stripe).
- We do not use tracking cookies for advertising purposes.
4. How We Use Information
We use the information collected to:
- Provide the core functionality — send your prompts and code context to our AI provider (OpenAI) and return the response.
- Authenticate users and manage user accounts via Google OAuth and Firebase Authentication.
- Enforce plan limits — count daily and monthly usage against the applicable plan (Free, Pro, Pro Max).
- Process subscriptions — create and manage Stripe customers, subscriptions, and billing events.
- Save and restore conversations (paid plans only) — on Pro and Pro Max, store your conversation sessions in our Firestore database so that you can resume them later. Sessions are stored per Google Apps Script project. Free accounts do not have their conversations saved to our backend.
- Maintain the Service — detect bugs, prevent abuse, and monitor reliability, using only non-content operational data (usage metrics, HTTP status codes, error messages, anonymized request IDs).
- Comply with legal obligations — respond to lawful requests from competent authorities.
INNIT LLC does not use your User Content (prompts, GAS source code, spreadsheet data) to train AI models, to improve the Service, to perform analytics, or for any purpose other than returning the AI response to the specific request you initiated. User Content is never reviewed by humans at INNIT LLC except (a) with your affirmative consent, (b) to investigate a specific security incident or suspected abuse, or (c) where required by law.
Third-party AI provider. Your prompts and code context are transmitted to our AI provider (currently OpenAI) so that responses can be generated. Once received by OpenAI, handling is governed by OpenAI's own policies, which are outside INNIT LLC's direct control. As of the effective date, OpenAI's API terms state that API inputs and outputs are not used to train OpenAI's models by default and are retained only briefly for abuse monitoring. For current details, see OpenAI's API data policy. We cannot guarantee the practices of third-party providers, but we will disclose material changes that affect your data.
5. Legal Basis (for users in the EEA/UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to deliver the Service you subscribed to.
- Legitimate interests — to maintain security, prevent fraud, and operate the Service reliably (using non-content operational data only; not applied to User Content).
- Consent — for optional features that require explicit opt-in.
- Legal obligation — to comply with applicable law.
6. How We Share Information
We share your information only with the following categories of third parties, and only to the extent necessary:
| Recipient | Purpose | Location | Link |
|---|---|---|---|
| OpenAI, L.L.C. | AI model inference. Prompts, code context, and spreadsheet samples are transmitted to OpenAI's API. | United States | https://openai.com/policies/privacy-policy |
| Google LLC | OAuth authentication (chrome.identity), Firebase Authentication, Firestore, Cloud Run, Cloud Functions | United States / global | https://policies.google.com/privacy |
| Stripe, Inc. | Payment processing and subscription management | United States / global | https://stripe.com/privacy |
We do not sell, rent, or trade your personal information to data brokers, advertisers, or any other third party.
7. Chrome Web Store Limited Use Disclosure
GAS Agent's use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
Specifically:
- We use data obtained via chrome.identity (email, profile, OpenID) only to create and authenticate your GAS Agent account.
- We use data read from Google Apps Script projects only to generate AI responses that you explicitly request.
- We do not transfer this data to third parties except as strictly necessary to provide or improve the user-facing features (i.e., to the AI provider OpenAI solely for the request you initiated).
- We do not use this data for serving advertisements, including personalized or retargeted ads.
- We do not allow humans to read this data, except (a) with your affirmative consent, (b) for security investigations, (c) to comply with applicable law, or (d) in aggregated/anonymized form for internal operations.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data (email, display name, plan) | Until account deletion, then removed within 30 days |
| Individual request logs (prompt, response, tokens) | 30 days, then automatically deleted via Firestore TTL |
| Saved conversation sessions (Pro / Pro Max only) | Up to 90 days after creation (automatically deleted via Firestore TTL), and never more than the most recent 20 sessions per Apps Script project — older sessions are automatically pruned. Users may delete individual sessions at any time via the in-extension /sessions delete command. If you downgrade to Free, saved sessions become inaccessible from the extension but remain stored until the 90-day TTL expires (so that re-upgrading within that window restores access); you may also request immediate deletion by emailing us. Deleting your account removes all saved sessions. |
| Monthly aggregate usage statistics (no prompt content) | 24 months, for billing and analytics |
| Payment/subscription metadata | Retained as required by tax and accounting law (up to 7 years under Japanese law) |
| Diagnostic logs | 90 days |
9. Data Security
We use industry-standard safeguards, including:
- TLS 1.2+ encryption in transit.
- Encryption at rest for Firestore and Google Cloud Storage.
- Firebase Authentication with short-lived ID tokens (1-hour TTL).
- Least-privilege access control on service accounts.
- API keys stored as Cloud Run secrets, never exposed to the extension.
No system is perfectly secure. We cannot guarantee absolute security and will notify affected users and authorities of any data breach as required by law.
10. International Transfers
Your information is processed in the United States and other countries where our service providers operate. By using the Service, you acknowledge that your information will be transferred outside of your country of residence and processed under the safeguards described below.
10.1 Transfers from Japan — APPI §28 disclosure
Under the Act on the Protection of Personal Information of Japan (as amended 2022), the following information is disclosed before obtaining your consent to cross-border transfers:
(a) Destination countries
- United States (OpenAI, Stripe, and certain Google data centers)
- Global data centers operated by Google LLC (may include Ireland, Netherlands, Taiwan, Singapore, etc.)
(b) Information on the personal-data protection regime in each destination country
The United States does not have a single, comprehensive federal personal-data protection law comparable to APPI or GDPR. Sector-specific federal laws (HIPAA, GLBA, COPPA) and state laws (CCPA/CPRA in California, VCDPA in Virginia, etc.) apply. The Personal Information Protection Commission of Japan publishes a country report for the United States; please refer to the PPC website for the latest information.
Countries in the EEA where Google may process data are subject to the GDPR, which is generally recognized as providing an equivalent level of protection to APPI.
(c) Measures taken by the receiving entity to protect personal information
Each of our processors has published its own privacy and security practices. Summary:
| Recipient | Key safeguards |
|---|---|
| OpenAI | SOC 2 Type 2, enterprise-grade encryption in transit and at rest, data not used to train models for API/Enterprise tier. Details: https://openai.com/security |
| Stripe | PCI DSS Level 1, SOC 1/2, ISO 27001, GDPR/CCPA compliant. Details: https://stripe.com/docs/security |
| Google (GCP/Firebase) | ISO 27001/27017/27018, SOC 1/2/3, GDPR data-processing terms, encryption in transit and at rest. Details: https://cloud.google.com/security |
You may request further details of these measures by contacting us at the address in §15. By using the Service, you consent to the cross-border transfer described above.
10.2 Transfers from the EEA / UK
Where personal data is transferred from the EEA or the UK to countries without an adequacy decision, we rely on the Standard Contractual Clauses (SCCs) and UK IDTA / UK Addendum of our processors (Google, OpenAI, Stripe), each of which publicly offers these terms.
11. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate information.
- Deletion — ask us to delete your account and associated data.
- Portability — receive your data in a machine-readable format.
- Objection / Restriction — object to or restrict certain processing.
- Withdraw consent — where processing is based on consent.
To exercise any of these rights, email gasagent26@gmail.com. We respond without undue delay and, in any event, within the period required by applicable law (typically within two weeks under the Japanese APPI, and within one month under the GDPR).
You may also uninstall the extension at any time via chrome://extensions. Uninstalling stops all further data collection, but does not automatically delete server-side data; contact us to request deletion.
12. Children's Privacy
The Service is not directed to children under 13 (or the minimum digital consent age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
13. Cookies and Local Storage
The extension uses Chrome's chrome.storage API to store:
- Firebase ID token and refresh token (for authentication).
- User preferences (panel position, UI settings).
No tracking cookies are set by the extension itself. Our backend does not set third-party tracking cookies.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date above.
- Post the new version at the URL where this Policy is published.
- If the change materially reduces your rights, notify you via email or an in-extension notice at least 14 days before the change takes effect.
Your continued use of the Service after the effective date of changes constitutes acceptance.
15. Contact Us
For privacy questions, data access requests, or complaints:
- Email: gasagent26@gmail.com
- Postal: INNIT LLC, 12-12, Osaka Ekimae Dai-2 Bldg., 1-2-2 Umeda, Kita-ku, Osaka, Japan
If we cannot resolve your complaint, you may lodge a complaint with your local data protection authority (e.g., the Personal Information Protection Commission of Japan, or an EEA supervisory authority).