Last updated: July 16, 2026
CopydoWell is provided by Metalix ("we", "us", "our") as two related products: a Google Sheets add-on and a companion Chrome extension. This policy covers both — sections are marked where they apply to only one.
Google Sheets add-on
What it accesses
The add-on requests these Google OAuth scopes:
https://www.googleapis.com/auth/spreadsheets— read and write access to Google Sheets you open the add-on in, or that you explicitly point it to (via a spreadsheet URL/ID you enter into the sidebar).https://www.googleapis.com/auth/script.container.ui— to display its sidebar and menu inside Google Sheets.https://www.googleapis.com/auth/script.scriptapp— to create, list, and remove the installable triggers that power the optional Automation feature (run on edit, on form submission, or on a schedule), only when you explicitly enable it.https://www.googleapis.com/auth/script.send_mail— used by Mail Merge to send email as you, only when you click "Send now" or "Send test to myself."
How it's used
- All spreadsheet data is processed entirely within Google's Apps Script infrastructure, running under your own Google account's authorization.
- Data is copied, sorted, and filtered, or mail merge emails are sent, only at your explicit request or via automation you personally configured and can disable at any time.
- Automation settings (source sheet, destination spreadsheet, sort/filter rules) are stored using Apps Script's Document Properties service, scoped to the specific spreadsheet you configured — this stays inside your own Google Workspace environment.
Chrome extension
What it accesses
The extension requests:
https://www.googleapis.com/auth/spreadsheets— same purpose as above, via the Sheets API directly.https://www.googleapis.com/auth/gmail.send— used by Mail Merge to send email via the Gmail API on your behalf, only when you click "Send now" or "Send test to myself." This is a send-only scope; the extension cannot read your Gmail messages.
It also uses these browser permissions:
- identity — to sign you into Google and to look up your signed-in email for "Send test to myself" (via Chrome's own profile info, not a Google API call).
- storage — to save your configured triggers (source, destination, filters, schedule) locally in your browser.
- alarms — to run your scheduled triggers at the times you set.
- notifications — to alert you if a scheduled trigger fails.
- Read-only access to the active tab's URL on
docs.google.com— only to detect which spreadsheet is open, so the destination is set automatically. - Access to
drive.google.com— only to download attachment/image files you link from Google Drive for Mail Merge, and only files shared as "Anyone with the link can view." No Drive API or broader Drive access is used.
Payments
The Chrome extension's one-time $1 purchase is processed by ExtensionPay, using Stripe as the payment processor. When you purchase, your payment details (card number, billing address, etc.) are handled directly by Stripe and ExtensionPay — CopydoWell and Metalix never receive, see, or store your payment card information. We only receive confirmation of whether you've paid, via ExtensionPay's API. See ExtensionPay's privacy policy and Stripe's privacy policy for how they handle payment data.
What we do not do (both products)
- We do not operate any backend server that receives, stores, or logs your spreadsheet or email data.
- We do not sell, rent, or share your data with third parties, beyond the payment processing described above.
- We do not use your data for advertising or profiling.
- We do not access spreadsheets you have not explicitly opened the product in or provided a link/ID for.
Data retention
Neither product transmits your spreadsheet or email data to any server we operate, so there is no off-Google, off-browser copy for us to retain. Add-on automation settings live in Apps Script's Document Properties inside your Google account; extension triggers live in your browser's local storage. Both persist until you remove the product or clear them yourself.
Your choices
You can revoke either product's Google access at any time via your Google Account permissions page. Uninstalling removes its menus/sidebar/side panel and any triggers it created.
Changes to this policy
We may update this policy as either product evolves. Material changes will be reflected by updating the "Last updated" date above.
Contact
Questions about this policy or either product's data practices can be sent to support@metalix.in.