Legal
Privacy policy
Last updated: June 12, 2026
The short version: the BidSheet app runs on your computer and we collect nothing from it. No analytics, no telemetry, no account. If you use the optional cloud sync service, we store what you sync (that's the product) and the minimum account information needed to run it. We don't sell data, we don't run ads, and we don't use tracking cookies anywhere.
This policy is provided by BidSheet LLC ("BidSheet", "we"), the operator of the BidSheet application and the BidSheet Cloud service. Contact: support@bidsheet.co.
If you use the app without cloud sync
We collect nothing. The app has no analytics or telemetry, requires no account, and your estimating data lives in a database file on your computer. The only network request the app makes is a check against GitHub for new versions (GitHub receives your IP address as part of serving that request, per GitHub's privacy statement). Local-only mode disables even the cloud machinery from initializing.
If you create a cloud sync account
Account information
- Email address and credentials. Authentication is handled by Supabase; passwords are stored only as cryptographic hashes. Two-factor authentication (TOTP) enrollment data is stored to verify your sign-ins.
- Subscription status. Whether your account is on trial, active, or lapsed, and identifiers linking it to your Paddle subscription. We never see or store your card number; payment details go directly to Paddle.
Content you sync
- Jobs, bids, and catalog data you choose to sync, stored so your other computers can download them. Encrypted in transit (TLS) and at rest.
- Encrypted backups. Whole-database backups are encrypted on your computer with a key derived from your passphrase before upload. We store the sealed file and cannot read its contents. We also cannot recover it if you lose the passphrase.
Operational records
- Standard service logs (request timestamps, IP addresses, error details) kept briefly for security, abuse prevention, and debugging, not for profiling.
Who processes data for us
| Provider | What they handle |
|---|---|
| Supabase | Account authentication (email, password hash, TOTP) |
| Cloudflare | API, synced data, and backup file storage (Workers, D1, R2) |
| Paddle | Payments, as merchant of record (card details, billing address, tax) |
| GitHub | Website hosting, app downloads, update checks |
This website
bidsheet.co is a static site with no cookies and no analytics. The home page asks GitHub's API for the latest release version so the download button is current. The checkout page loads Paddle's payment software, which handles the payment session under Paddle's privacy policy.
How long we keep things
- Account and synced data: for as long as your account is active.
- After your subscription or trial lapses: synced data remains downloadable during a wind-down period of at least 30 days, after which it may be deleted from our servers.
- Encrypted backups: deleted when you turn the backup feature off, when you delete your account, or after the post-lapse wind-down.
- Your local data is yours and is never touched by any of this.
Deleting your account
Email support@bidsheet.co from your account address and we will delete your account and all synced content. In-app account deletion is planned. Deletion is permanent on our side; your local data stays on your computer.
Your rights
Depending on where you live (GDPR, UK GDPR, CCPA, and similar), you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Email us and we'll honor them. Exporting your data is also built into the product itself. We do not sell personal information.
Changes
If this policy changes materially, we'll note it here with a new date and mention it in release notes. The current version always lives at this address.
Contact
support@bidsheet.co ยท BidSheet LLC, Texas, USA