Privacy Policy

Your privacy is important to us. This policy explains what we collect and how we use it.

Last updated: March 24, 2026

This Privacy Policy explains how Redcoded Limited, trading as BAM Apps ("we", "us", "our") collects, uses, and protects your information when you use the Google Easy Embed Pro application ("App") on the monday.com marketplace.

1. Information We Collect

1.1 Google Account Data

When you connect your Google account, we receive:

OAuth tokens (access token and refresh token) — used to authenticate API requests on your behalf
Basic profile information (name, email, profile photo URL) — displayed within the App's UI to show which Google account is connected

We access these via Google OAuth 2.0 with the following scopes:

drive.file — access only to files you explicitly select through the App's file picker
email and profile — to display your account identity within the App

We do not access your entire Google Drive, Gmail, Calendar, or any other Google service.

1.2 monday.com Session Data

The App receives your monday.com session token to verify your identity. This token contains your monday.com user ID and account ID.

1.3 View Configuration Data

When you configure an embedded file, we store:

The Google file URL and metadata (file name, MIME type)
Your selected display mode (content, toolbar, or full)
Your selected access mode (view, comment, edit, or private)
The monday.com user ID and name of the person who configured the view

1.4 Analytics and Support Data

PostHog collects product usage analytics, including:

Feature usage events (e.g., file embedded, display mode changed, access mode changed)
App version and environment (production/development)
monday.com account ID and user name
Google email address (used to identify the connected account in analytics)

PostHog autocapture is disabled. We do not track page views, clicks, or form inputs automatically.

HelpScout Beacon is used for in-app support. When you have a connected Google account, your name and email address are shared with HelpScout to provide contextual support. See HelpScout's Privacy Policy.

2. How We Use Your Information

Data	Purpose
Google OAuth tokens	Authenticate Google API requests (file picker, file sharing, metadata retrieval)
Google profile info	Display your connected Google account name and avatar in the App toolbar
monday.com session token	Verify your identity and authorize API requests
View configuration	Persist your embedded file selection and display preferences across sessions
Analytics events	Understand feature usage to improve the App

We do not use your data to:

Serve advertisements
Build user profiles for marketing
Sell or rent data to third parties
Train machine learning models
Contact you for marketing purposes (unless you opt in)

3. How We Store Your Information

3.1 Google OAuth Tokens

Stored in monday.com Secure Storage (an encrypted, server-side key-value store provided by the monday.com platform)
Scoped per user and per account
Not stored in our own databases, file systems, or code repositories

3.2 View Configuration

Stored in monday.com instance-level Storage (per view)
Accessible only within the specific monday.com board view where it was configured

3.3 Analytics Data

Processed by PostHog (see PostHog's Privacy Policy)
We use PostHog's EU data residency option where available

3.4 What We Do NOT Store

Google file contents or document data
Google Drive file listings or directory structures
Passwords or Google account credentials
monday.com board data, item data, or workspace information

We do not sell, rent, or share your personal data with third parties except:

Third Party	Data Shared	Purpose
Google APIs	OAuth tokens (sent with API requests)	File picker, sharing permissions, metadata retrieval
monday.com platform	Session tokens, storage data	Authentication, data persistence
PostHog	Usage events, account ID, user name, Google email	Product analytics
HelpScout	User name, Google email	In-app support

All communication with third-party services is encrypted via TLS 1.2 or higher.

4.1 Third-Party Domains

The App communicates with the following third-party domains:

Domain	Frontend/Backend	Purpose
`accounts.google.com`	Backend	Google OAuth authentication
`www.googleapis.com`	Backend	Google Drive API (file metadata, permissions, sharing) and Google user profile
`apis.google.com`	Frontend	Google Picker SDK (file selection UI)
`docs.google.com`	Frontend	Embedding Google Docs, Sheets, Slides, Forms in iframes
`drive.google.com`	Frontend	Embedding Google Drive file previews
`drive-thirdparty.googleusercontent.com`	Frontend	Google file type icons
`fonts.googleapis.com`, `fonts.gstatic.com`	Frontend	Google Fonts (app typography)
`us.i.posthog.com`	Both	Product analytics (PostHog) — cookieless mode, no cookies set
`beacon-v2.helpscout.net`, `beaconapi.helpscout.net`	Frontend	In-app customer support widget (HelpScout Beacon) — only shown when user opens it
`d3hb14vkzrxvla.cloudfront.net`	Frontend	HelpScout CDN (serves widget assets via CloudFront)

Embedded Google documents may load additional Google subdomains (e.g., ssl.gstatic.com, play.google.com) within their own iframe. These requests are made by Google's embedded viewer and are governed by Google's Privacy Policy.

No ad platforms, marketing trackers, or data brokers are used.

5. Data Retention and Deletion

On disconnect: When you disconnect your Google account through the App, your OAuth tokens are immediately deleted from monday.com Secure Storage.
On uninstall: When you uninstall the App, all stored data (OAuth tokens and view configurations) will be deleted within 10 days.
Token refresh: Access tokens are short-lived and automatically refreshed. Expired access tokens are replaced, not accumulated.
Analytics data: Retained by PostHog per their data retention policy.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you
Delete your data (disconnect your Google account or uninstall the App)
Restrict processing (disable analytics via account settings)
Port your data (request an export of stored configuration)
Object to data processing

To exercise these rights, contact us at support@bam-apps.com.

GDPR (European Economic Area)

If you are in the EEA, our legal basis for processing is:

Legitimate interest — to provide and improve the App
Consent — for optional analytics tracking
Contract performance — to deliver the service you installed

CCPA (California)

We do not sell personal information. California residents may request disclosure of data collected and request deletion.

7. Security

All data in transit is encrypted via TLS 1.2+
Google OAuth uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception
OAuth state is passed via HMAC-signed, time-limited parameters — not stored in cookies or local storage
OAuth tokens are stored in monday.com's Secure Storage (encrypted at rest by the platform)
No credentials or tokens are stored in source code or environment variables accessible to the client

8. Cookies

Google Easy Embed Pro does not set any cookies.

OAuth authentication state (CSRF token, PKCE verifier, user identity, and return URL) is passed through signed URL parameters during the authorization flow. These parameters are short-lived, tamper-resistant, and discarded after the OAuth flow completes.

8.1 Third-Party Cookies (Google Embedded Content)

When a Google document, spreadsheet, or presentation is displayed within the App, it is rendered via an embedded Google iframe. Google sets its own cookies in this context (from domains such as docs.google.com, accounts.google.com, and clients6.google.com) to manage authentication and session state within the embedded content.

These cookies are set and controlled entirely by Google. We do not read, modify, or have access to them. For details, refer to Google's Privacy Policy and Google's Cookie Policy.

Email: support@bam-apps.com
Entity name: Redcoded Limited