← Back to SheetChat

Cookie & Privacy Policy

Last updated: 25 June 2026

SheetChat is built so that only you can read your data. We use exactly one cookie, we run no trackers or analytics, and the contents of your spreadsheets and chats are encrypted with a key that lives only in your browser — so we cannot read them, even if we wanted to.

The one cookie we set

When you first open SheetChat we set a single signed session cookie. It is strictly necessary for the service to function, so it does not require consent under the ePrivacy Directive / GDPR. It contains:

  • An anonymous id — a random token. It is not your name, email or IP; it just lets us associate your credit balance with your browser. There is no account and no login.
  • Your encryption key — a random key generated for your session that is used to encrypt and decrypt your files and messages. This key is only ever stored in this cookie, in your browser. It is never written to our database, disk, logs or backups.
CookiePurposeTypeLifetime
sessionHolds your anonymous id and your in-browser encryption keyStrictly necessaryUntil you clear it / log out

We set no advertising, analytics, marketing or third-party tracking cookies.

Why no one but you can read your data

Your spreadsheet contents, file names and chat messages are encrypted using the key held in your cookie. Because that key never leaves your browser, the people who operate SheetChat cannot decrypt or read your data — not from the database, not from backups, not with the server's own secret key. If you clear the cookie, the key is gone and any remaining encrypted data becomes permanently unreadable to everyone, including us.

What is kept, and for how long

While you are working on a spreadsheet, its encrypted contents and your encrypted messages are stored temporarily so the conversation can continue. They are removed when you finish a chat (the “finish” action) and when you delete your data. The unencrypted spreadsheet only ever exists briefly in server memory while we answer a question — it is never written to disk in readable form.

The only thing we keep that is not encrypted is your credit balance and a ledger of credit changes, tied to your anonymous id. We need this to run the paid service (legal basis: performance of our contract with you). It contains no spreadsheet content.

Who else processes your data

  • Anthropic — to answer your questions, the relevant spreadsheet data is sent to Anthropic's Claude API. Anthropic acts as our processor and does not train its models on this data.
  • Stripe — if you buy credits, Stripe handles the payment. We never see or store your card details.

Your rights

Because we hold no identifying account, the simplest way to erase everything tied to your browser is to use the “delete my data” action or clear this site's cookies. Under the GDPR you also have the rights of access, rectification, erasure, restriction, portability and objection. To exercise them, or for any privacy question, contact us at octavian.rosca7@gmail.com.