Privacy Policy
Your privacy is important to us. This policy explains what we collect and how we use it.
Last updated: February 23, 2026
This Privacy Policy explains how Redcoded Limited, trading as BAM Apps ("we", "us", "our") collects, uses, and protects your information when you use the Google Easy Embed Pro application ("App") on the monday.com marketplace.
1. Information We Collect
1.1 Google Account Data
When you connect your Google account, we receive:
- OAuth tokens (access token and refresh token) — used to authenticate API requests on your behalf
- Basic profile information (name, email, profile photo URL) — displayed within the App's UI to show which Google account is connected
We access these via Google OAuth 2.0 with the following scopes:
- drive.file — access only to files you explicitly select through the App's file picker
- email and profile — to display your account identity within the App
We do not access your entire Google Drive, Gmail, Calendar, or any other Google service.
1.2 monday.com Session Data
The App receives your monday.com session token to verify your identity. This token contains your monday.com user ID and account ID.
1.3 View Configuration Data
When you configure an embedded file, we store:
- The Google file URL and metadata (file name, MIME type)
- Your selected display mode (content, toolbar, or full)
- Your selected access mode (view, comment, edit, or private)
- The monday.com user ID and name of the person who configured the view
1.4 Analytics Data
We use PostHog to collect anonymous product usage analytics, including:
- Feature usage events (e.g., file embedded, display mode changed, access mode changed)
- App version and environment (production/development)
- monday.com account ID (for aggregate usage metrics)
PostHog autocapture is disabled. We do not track page views, clicks, or form inputs automatically. Analytics can be disabled by the account administrator.
2. How We Use Your Information
| Data | Purpose |
|---|---|
| Google OAuth tokens | Authenticate Google API requests (file picker, file sharing, metadata retrieval) |
| Google profile info | Display your connected Google account name and avatar in the App toolbar |
| monday.com session token | Verify your identity and authorize API requests |
| View configuration | Persist your embedded file selection and display preferences across sessions |
| Analytics events | Understand feature usage to improve the App |
We do not use your data to:
- Serve advertisements
- Build user profiles for marketing
- Sell or rent data to third parties
- Train machine learning models
- Contact you for marketing purposes (unless you opt in)
3. How We Store Your Information
3.1 Google OAuth Tokens
- Stored in monday.com Secure Storage (an encrypted, server-side key-value store provided by the monday.com platform)
- Scoped per user and per account
- Not stored in our own databases, file systems, or code repositories
3.2 View Configuration
- Stored in monday.com instance-level Storage (per view)
- Accessible only within the specific monday.com board view where it was configured
3.3 Analytics Data
- Processed by PostHog (see PostHog's Privacy Policy)
- We use PostHog's EU data residency option where available
3.4 What We Do NOT Store
- Google file contents or document data
- Google Drive file listings or directory structures
- Passwords or Google account credentials
- monday.com board data, item data, or workspace information
4. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Google APIs | OAuth tokens (sent with API requests) | File picker, sharing permissions, metadata retrieval |
| monday.com platform | Session tokens, storage data | Authentication, data persistence |
| PostHog | Anonymous usage events | Product analytics |
All communication with third-party services is encrypted via TLS 1.2 or higher.
5. Data Retention and Deletion
- On disconnect: When you disconnect your Google account through the App, your OAuth tokens are immediately deleted from monday.com Secure Storage.
- On uninstall: When you uninstall the App, all stored data (OAuth tokens and view configurations) will be deleted within 10 days.
- Token refresh: Access tokens are short-lived and automatically refreshed. Expired access tokens are replaced, not accumulated.
- Analytics data: Retained by PostHog per their data retention policy.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Delete your data (disconnect your Google account or uninstall the App)
- Restrict processing (disable analytics via account settings)
- Port your data (request an export of stored configuration)
- Object to data processing
To exercise these rights, contact us at support@bam-apps.com.
GDPR (European Economic Area)
If you are in the EEA, our legal basis for processing is:
- Legitimate interest — to provide and improve the App
- Consent — for optional analytics tracking
- Contract performance — to deliver the service you installed
CCPA (California)
We do not sell personal information. California residents may request disclosure of data collected and request deletion.
7. Security
- All data in transit is encrypted via TLS 1.2+
- Google OAuth uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception
- OAuth tokens are stored in monday.com's Secure Storage (encrypted at rest by the platform)
- Session cookies are HttpOnly, Signed, and use SameSite attributes
- No credentials or tokens are stored in source code or environment variables accessible to the client
8. Cookies
The App uses the following cookies:
| Cookie | Purpose | Duration | HttpOnly |
|---|---|---|---|
| oauth_state | CSRF protection during Google OAuth | 10 minutes | Yes |
| oauth_code_verifier | PKCE verification during OAuth | 10 minutes | Yes |
| oauth_origin | Return URL after OAuth callback | 10 minutes | Yes |
| oauth_user_id | Identify user during OAuth callback | 10 minutes | Yes |
| oauth_account_id | Identify account during OAuth callback | 10 minutes | Yes |
All cookies are:
- Short-lived (10-minute expiry)
- HttpOnly (not accessible to JavaScript)
- Signed (tamper-resistant)
- Secure in production (HTTPS only)
- Cleared immediately after the OAuth flow completes
We do not use cookies for tracking, advertising, or cross-site purposes.
9. Children's Privacy
The App is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App listing on the monday.com marketplace. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For questions or concerns about this Privacy Policy, contact us at:
- Email: support@bam-apps.com
- Entity name: Redcoded Limited