Privacy Policy

Your privacy is important to us. This Privacy Policy explains how Paperclip manages your information when you use our tools.

Last updated: September 25, 2025

Identity

  • Paperclip Group [Pty Ltd], ABN [____], is based in Sydney, Australia.

Scope & Roles

  • This policy covers (a) marketing sites (getpaperclip.ai, shop.getpaperclip.ai, setup pages) and (b) the Paperclip product (Google Apps Script connector).
  • We act as controller for marketing-site data. For the product, you deploy and run the Apps Script in your Google account; Paperclip does not receive or store your document/sheet content and generally does not act as a processor.

Lawful Bases

  • Essential site data is processed under legitimate interests (security, fraud prevention, load balancing).
  • Analytics or marketing cookies are processed under your consent where required.
  • Order and support communications are processed under contract or legitimate interests.

International Transfers

  • Providers such as Google, OpenAI, Netlify, and Gumroad/Shopify may process data in other countries.
  • Where required, they use safeguards like Standard Contractual Clauses or equivalent mechanisms.

How to Exercise Your Rights

  • To access, correct, or delete marketing-site data, email support@getpaperclip.ai.
  • For product content, use your Google or OpenAI account tools because Paperclip does not host that data.

Complaints

  • Please contact us first with any concerns.
  • If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

Data Breaches

  • If we become aware of a security incident affecting marketing-site personal data, we will notify affected individuals and regulators when legally required.

Orders & Payments

  • If you purchase via Gumroad/Shopify, we receive limited order details (name, email, order ID) for fulfilment and support.
  • Payment card data is processed by the provider; we do not receive or store full card details.

Email Marketing

  • If you opt into newsletters, you can unsubscribe via the link in our emails or by emailing support@getpaperclip.ai.

Governing Law

  • This policy is governed by the laws of New South Wales, Australia.

Data Ownership & Storage

  • All data created, logged, or stored with Paperclip remains in your personal Google account (Google Docs, Google Sheets, and Google Drive).
  • The creators of Paperclip do not have access to your documents, sheets, or activity.
  • Paperclip does not operate a centralized database or store user content on Paperclip servers.

Data Processing

  • When Paperclip is linked to a Custom GPT, information you provide for a request may be transmitted to and processed by OpenAI’s systems to generate responses.
  • Any such data is handled subject to OpenAI’s own terms of use and privacy policy.

Data Collection

  • Paperclip does not collect, transmit, or store personal data on Paperclip-controlled servers.
  • All content you work with remains in your Google account unless you choose to export or share it elsewhere.

Security

  • Security of your Google Docs, Sheets, and Drive is managed through your Google account and its access controls.
  • The connection between your content and OpenAI runs through a Google Apps Script Web App that you deploy under your Google account.
  • The Paperclip API is designed with reference to the OWASP API Security Top 10 best practices.

Responsibility & Risk

  • While Paperclip provides guidance and guardrails, responsibility for secure configuration and use rests with you.
  • Paperclip cannot guarantee absolute security of your environment.

Compliance

  • Paperclip is designed to align with core data protection principles (including GDPR).
  • Your compliance with applicable privacy and regulatory laws depends on how you configure and use the tools.

Cookies & Tracking

Product (Connector & Apps Script)

  • Paperclip’s product does not use cookies, analytics trackers, or advertising pixels.

Marketing Site (getpaperclip.ai, shop.getpaperclip.ai, setup pages)

  • We may use cookies or similar technologies in the future for essential site functions (security, load balancing, fraud prevention).
  • Analytics cookies may help us understand site usage and improve content.
  • Marketing cookies (e.g., ad measurement, retargeting) may be introduced to support campaigns.

Third-Party Resources

  • Services we rely on (e.g., Google Fonts, Netlify, Gumroad/Shopify) may automatically receive limited technical data, such as IP address and browser information, when their resources load.

Your Choices

  • You can manage cookies through your browser settings at any time.
  • Where required (EU/UK/EEA), we will display a cookie banner and obtain consent before setting non-essential cookies.
  • California residents may have additional options under CCPA/CPRA; we will provide links or controls such as “Cookie Settings” or “Do Not Sell/Share My Personal Information” when applicable.

Do Not Track

  • We do not currently respond to browser “Do Not Track” signals.

Updates

  • If we introduce or change cookie usage, we will update this section and our cookie controls accordingly.

Third-Party Services

  • Paperclip integrates with and depends on services provided by third parties, including Google (Docs, Sheets, Drive, Fonts, and Apps Script hosting), OpenAI (processing prompts and generating responses), Netlify or similar (hosting setup/documentation pages), and Gumroad/Shopify (payment processing and fulfillment when you purchase products).
  • Each provider has its own privacy policy and terms which apply in addition to this policy.

Children’s Privacy

  • Paperclip is not directed to children under 13 (or 16 where applicable).
  • We do not knowingly collect or store personal information from children. If you believe a child has provided information, contact support@getpaperclip.ai.

Data Retention

  • Paperclip does not retain personal data on Paperclip servers.
  • Your documents, logs, and records remain under your control in your Google account.
  • Any third-party services you connect (e.g., OpenAI, Gumroad/Shopify) handle retention under their own policies.

Your Rights

  • Depending on your location, you may have rights under laws such as GDPR or CCPA, including the right to access, correct, or delete your information; restrict or object to processing; and request portability of your data.
  • Because Paperclip does not host your data, you can exercise these rights directly through your Google or OpenAI accounts and/or by contacting those providers.

Apps Script–Specific Disclosures

Script Identifiers & Preferences We Store

  • The connector stores limited configuration in Script Properties (inside your Google Apps Script project): linked Google Doc ID, linked Google Sheet ID, your chosen time zone, deployment timestamps, and a SHA-256 hash of your API key.
  • These identifiers enable the connector to function and do not contain document contents.

API Key Handling

  • Paperclip never stores your API key in plaintext; only a one-way cryptographic hash is saved for authentication.
  • At runtime, the key is sent in the POST body only; keys in URLs or headers are rejected. Constant-time comparison and brief lockouts help mitigate brute force attacks.

In-Sheet Audit Log (“WriteLog”)

  • To support Undo, write actions can be recorded in a “WriteLog” tab that lives inside your Sheet. Entries may include timestamps, actions, affected ranges, new values, and prior values needed for restoration.
  • The WriteLog never leaves your Google account. Older entries may be pruned, and a full reset deletes the tab.

Data Returned to Your Client (Exports)

  • When you or your GPT client request searches/exports, the connector returns the requested Doc/Sheet content directly to the client. Paperclip does not store these exports.

Execution Logs

  • Apps Script execution logs (visible to you) may contain diagnostic metadata. The connector avoids logging document content beyond what Google may capture for errors.

Minimization & Sanitization

  • Inputs are validated/sanitized, and payload limits help block risky or oversized requests.

User Controls: Undo & Reset

  • Undo relies on WriteLog snapshots; actions prior to a reset cannot be undone.
  • Reset options let you clear stored config (Doc/Sheet IDs, time zone, API key hash) or everything, which also removes the WriteLog.

Rate Limiting & Idempotency

  • Write operations may be rate-limited and use short-lived request IDs to prevent duplicates; the connector does not store content in this mechanism.

Time Zone Preference

  • If you provide a time zone, it is stored in Script Properties so timestamps in logs and UI remain consistent.

Where Processing Occurs

  • All connector operations run in your Google Apps Script deployment. Only prompts/context you send for a particular request are transmitted to OpenAI.

Keys in Chat (UX Safeguard)

  • Paperclip’s UX forbids requesting API keys in chat. Enter keys only via the secure Auth field; they are included in POST bodies automatically.

Changes to This Policy

  • We may update this Privacy Policy to reflect new features, legal requirements, or security practices.
  • Updates will appear here with a revised “Last updated” date.
  • Please review this page periodically to stay informed.

Contact Us

We use cookies and analytics to make this site work better.

Learn more