Privacy Policy

1. Data Controller

nullsheet is operated by RelevantUse LLC, a company organized under the laws of the State of Illinois, United States. RelevantUse LLC is the data controller for all personal data processed through the nullsheet service. For privacy-related inquiries, contact [email protected].

2. Account Data

We store your authentication identity (Discord user ID and/or email address) and display name for authentication and identification purposes. Your email address is stored by our authentication provider (Supabase) in an access-controlled system and is encrypted at rest. If you connect your Discord account, we store your Discord user ID, username, and avatar URL to enable authentication and display your identity within your group.

3. Uploaded Images

Images you upload are transmitted to Google Cloud (Gemini API) for optical character recognition (OCR) to extract structured data, then permanently deleted from our systems within 30 minutes of processing. We do not retain uploaded images. Once processing is complete, images cannot be retrieved by you, by other users, or by nullsheet. Google processes these images in accordance with the Gemini API Terms of Service and does not use them for model training under the paid API tier.

4. User-Created Content

We store content you create on the platform, including but not limited to: group names, manually entered statistics, configurations, messages (direct messages, group messages, group chat messages, announcements), poll votes, calendar events, and custom views. This data is stored to provide the service and is retained as long as your account exists. Messages that are not marked as saved may be automatically deleted after 7 days as part of our data hygiene practices.

5. Organizational Data

We store information about group memberships, roles, and relationships between users. This data is used to determine access permissions and display relevant information to group members. Your group membership and role (such as R5/Leader, R4/Officer, R3/Senior, R2/Member, or R1/Recruit) are visible to other members of your group.

6. Translation Data

If auto-translation is enabled for your group, message content may be sent to Google Cloud (Gemini API) for translation into your preferred language. Translated text is cached to avoid repeated processing. Google processes this data in accordance with their API terms and does not use it for model training under the paid API tier.

7. Data Security

All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256). Access to data is scoped by group membership and role-based permissions enforced at the database level via Row Level Security (RLS). All sensitive operations require authentication. IP-based screening is applied at the middleware layer for sanctions compliance. Audit logs record significant system actions for security monitoring.

8. Data Location & International Transfers

Your data is stored and processed in the United States. Our primary database is hosted by Supabase in the AWS us-east-2 (Ohio) region. Our application is hosted on Vercel's edge network, which may serve content from global points of presence. Our DNS and CDN are provided by Cloudflare, which operates a global network.

By using nullsheet, you consent to the transfer of your personal data to and its processing in the United States, which may not provide the same level of data protection as your home country. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data will be transferred to the US on the basis of your explicit consent and contractual necessity (i.e., the transfer is necessary to provide you with the service you have requested).

9. Legal Basis for Processing (GDPR)

If you are located in the EEA, UK, or Switzerland, we process your personal data on the following legal bases:

• Contractual necessity (Art. 6(1)(b) GDPR): Processing your account data, uploaded images, and user-created content is necessary to provide the nullsheet service as described in our Terms of Service.
• Legitimate interest (Art. 6(1)(f) GDPR): We process organizational data, usage analytics, and audit logs to maintain the security and integrity of the service, prevent abuse, and improve the platform.
• Consent (Art. 6(1)(a) GDPR): Where required, such as for optional integrations (e.g., Discord OAuth) and international data transfers.

10. Your Rights (EEA/UK/Swiss Users)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Data Portability: Request a copy of your data in a structured, machine-readable format.
• Restriction: Request that we restrict the processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Third-Party Services (Sub-Processors)

We use the following third-party services to operate nullsheet. Your data may be processed by these services in accordance with their respective privacy policies:

• Supabase (authentication, database, storage — US) — supabase.com/privacy
• Google Cloud / Gemini API (image processing, translation — US) — Gemini API Terms
• Vercel (application hosting — US/Global) — vercel.com/legal/privacy-policy
• Cloudflare (DNS, CDN, DDoS protection — Global) — cloudflare.com/privacypolicy
• Resend (transactional email — US) — resend.com/legal/privacy-policy
• Discord (OAuth authentication — optional) — discord.com/privacy

We do not sell your personal data to any third party. Data shared with sub-processors is limited to what is necessary to provide the service.

12. Data Retention & Deletion

We retain your personal data for as long as your account is active or as needed to provide the service.

You may delete your account at any time from within your account settings. Upon initiating deletion, your account enters a 7-day grace period during which you may cancel the deletion by signing back in. After the grace period, your account data, user-created content, and personal identifiers are permanently deleted by an automated process. Player statistics that you contributed to group-level datasets may be retained in anonymized form (with your identity removed) to preserve group historical records. Uploaded images are deleted immediately after processing and are not subject to retention.

You may also request deletion by contacting [email protected].

13. Cookies

During beta, nullsheet uses only essential cookies required for the service to function:

• Authentication session cookies (Supabase) — required to maintain your login session.
• Account reactivation cookie — a temporary cookie (5-minute maximum) set when you cancel a pending account deletion.

We do not use analytics, advertising, or tracking cookies. If non-essential cookies are introduced in the future, we will update this policy and implement a consent mechanism before activating them.

14. Email Communications

We may send you transactional email related to your account and group activity using Resend, our email service provider. Email categories include digest summaries, event notifications, poll reminders, message notifications, and join requests. You can manage your email preferences per category from your account settings, or disable all email notifications with a master toggle. Every email includes an unsubscribe link.

15. Children's Privacy

nullsheet is not directed at children under 16 years of age (or the applicable minimum age in your jurisdiction pursuant to GDPR Article 8). We do not knowingly collect personal data from children under this age. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will take steps to delete such data.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page with a new “Last updated” date. Your continued use of nullsheet after any changes constitutes acceptance of the updated policy.

17. Contact

For privacy-related inquiries, data subject requests, or complaints, contact [email protected].