Effective Date: March 10, 2026
ClickUpSync by Aveosea s.r.o.
1. Data Controller
The data controller responsible for your personal data is Aveosea s.r.o., Příčná 1892/4, Nové Město, 110 00 Praha 1, Czech Republic. Company ID (IČO): 22056521. Email: hello@clickupsync.com.
2. Data We Collect and Why
| Data Category | Purpose & Legal Basis |
| Google account email address | License management and account identification. Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). |
| Google Sheets data (current spreadsheet only) | Performing the synchronisation service. Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). We do not store spreadsheet content on our servers. |
| ClickUp task data (accessed in real-time) | Populating your Google Sheet. Processed in real-time as a bridge. Not stored on our servers. Legal basis: Performance of a contract. |
| ClickUp OAuth token | Stored locally in Google Apps Script UserProperties on your own Google account — not on our servers. This token is used only to authenticate requests on your behalf. |
| Server / access logs (IP address, browser type) | Security, abuse prevention, and site stability. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Retained for a maximum of 30 days. |
| Billing email (via Paddle) | Passed to Paddle.com (Merchant of Record) for payment processing and tax compliance. Legal basis: Legal obligation (Art. 6(1)(c) GDPR) and performance of contract. |
| Team member emails (Team plan) | Used to provision access for members added by a Team Owner. Members receive an invitation email containing a link to this Privacy Policy before their data is processed. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) and performance of contract. |
3. Google API Scopes & Limited Use Disclosure
Limited Use Disclosure: ClickUpSync’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use data received from Google APIs only to provide and improve the ClickUpSync service described in this Privacy Policy.
- We do not use Google user data for serving advertisements or for any other purpose unrelated to providing the Service.
- We do not allow humans to read Google user data unless we have your explicit consent, it is necessary for security purposes, or it is required by law.
- We do not share Google user data with third parties except as necessary to provide the Service or as required by law.
We request the following OAuth scopes. Each scope is used only for the stated purpose:
| Scope | Why We Need It |
| userinfo.email | Identify you for license management. We read your email address only. |
| spreadsheets.currentonly | Read and write data exclusively to the specific spreadsheet you have open. We cannot access any other files in your Google Drive. |
| script.external_request | Allow the Add-on to make HTTP requests to the ClickUp API and our Firebase license endpoint. |
| script.container.ui | Render the Add-on’s sidebar and dialog panels inside Google Sheets. |
| script.scriptapp | Create time-based triggers for automated (scheduled) synchronisation on paid plans. |
4. ClickUp Data Access
You connect your ClickUp account via the standard OAuth 2.0 authorisation flow. The resulting access token is stored exclusively in Google Apps Script’s UserProperties — a per-user, client-side storage managed by Google on your own account. Aveosea s.r.o. does not store your ClickUp token on any of its own servers.
We access task-related data solely to perform the requested synchronisation in real-time. We do not persist the content of your ClickUp tasks.
5. Website Data (Cookies & Logs)
- Server Logs: For security purposes, our hosting provider may collect your IP address and browser type to prevent abuse and ensure site stability (Art. 6(1)(f) GDPR).
- Technical Cookies: We use only strictly necessary cookies to ensure the website functions correctly. We do not use third-party marketing or tracking pixels.
6. International Data Transfers
Our license management infrastructure runs on Google Cloud / Firebase with data residency set to the European Union. Our web hosting provider (WEDOS Internet, a.s.) is a Czech company with servers located in the Czech Republic.
When you use the synchronisation feature, data is transmitted to ClickUp, Inc., a company based in the United States. This transfer is safeguarded by Standard Contractual Clauses (SCCs) as approved by the European Commission under Art. 46(2)(c) GDPR, as incorporated in ClickUp’s Data Processing Agreement.
7. Sub-processors
We do not sell your data. We share only what is strictly necessary with the following sub-processors:
| Sub-processor | Role & Data Shared | Location |
| Google Cloud / Firebase | License database and authentication. Stores your email and subscription status. | EU (Belgium) |
| Paddle.com | Merchant of Record. Handles all payment processing, VAT/tax compliance, and receipts. Receives your billing email. Does not share full card details with us. | United Kingdom / Global |
| WEDOS Internet, a.s. | WordPress hosting for our marketing website. May process IP addresses via server logs. | Czech Republic |
8. Cookies
We use only strictly necessary cookies (e.g. session cookies) on our website. These are required for the site to function and do not require your consent under applicable law (ePrivacy Directive, Recital 25). We do not use analytics, advertising, tracking, or third-party marketing cookies. No cookie banner is displayed because none is legally required.
9. Children’s Privacy
Our Service is not directed at children. Under Czech law (§ 7 of Act No. 110/2019 Coll.), the minimum age for online consent to data processing is 15 years. If you are under 15, please do not use the Service without the consent of a parent or legal guardian. If we become aware that we have collected data from a person under 15 without such consent, we will delete it promptly.
10. Retention Periods
| Data | Retention Period |
| License and account data | Retained for the duration of your active account. Deleted within 30 days of an account deletion request. |
| Server / access logs | Maximum 30 days, then automatically purged. |
| Billing records (via Paddle) | Retained for 10 years to satisfy Czech and EU tax/accounting obligations (Act No. 563/1991 Coll.). |
| ClickUp OAuth token | Stored in your own Google UserProperties. Cleared when you disconnect the Add-on or revoke access from your Google Account security settings. |
11. Your Rights Under GDPR
As a data subject you have the right to:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data (‘right to be forgotten’) — see Section 12.
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw Consent: You may revoke the Add-on’s Google permissions at any time via your Google Account security settings (myaccount.google.com/permissions). You may disconnect ClickUp at any time from within the Add-on.
To exercise any right, contact us at hello@clickupsync.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů, www.uoou.cz).
There is no automated decision-making or profiling (Art. 22 GDPR) carried out by ClickUpSync.
12. Right to Erasure — Scope & Limitations
When you submit a verified erasure request to hello@clickupsync.com, we will delete or anonymise the following data within 30 days:
| Data | Action |
|---|---|
| Firebase license record (email, plan, subscription metadata) | Deleted |
| Team membership records | Deleted |
| Server / access logs | Deleted (or already expired within the 30-day retention cycle) |
| Transactional email queue records | Deleted |
The following data cannot be fully deleted due to overriding legal obligations or technical limitations outside our control:
| Data | Reason Retained |
|---|---|
| Billing records (Aveosea s.r.o.) | Retained for 10 years under Czech statutory tax and accounting law (Act No. 563/1991 Coll.). |
| Billing records (Paddle) | Held by Paddle as Merchant of Record under their own legal obligations. Submit a separate request at https://paddle.net. |
| ClickUp OAuth token | Stored exclusively in Google Apps Script UserProperties on your own Google account — outside our control. To delete, disconnect ClickUp within the Add-on or revoke access at https://myaccount.google.com/permissions. |
| Google Sheets data | Stored in your own Google account. Uninstalling the Add-on and deleting the relevant sheets removes this data. |
Important: Uninstalling the Add-on or deleting your Google Sheet does not automatically delete your Firebase license record. You must submit an explicit erasure request to hello@clickupsync.com.
13. Security
We implement industry-standard security measures including HTTPS for all data transmissions, Google Cloud security controls for our Firebase infrastructure, and we do not store sensitive API tokens on our own servers. No transmission over the internet is 100% secure; you use the Service at your own risk.
14. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by displaying a notice within the Add-on or by email. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
15. Contact
Aveosea s.r.o., Příčná 1892/4, 110 00 Praha 1, Czech Republic | hello@clickupsync.com