Privacy Policy

Simple Timer for Forms ("Simple Timer," "we," "us," or "our") is a Google Forms™ add-on that lets form owners add countdown timers, scheduling, and proctoring features to their forms. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

By installing or using Simple Timer, you agree to this Privacy Policy. If you do not agree, please uninstall the add-on and stop using our services.

2.1 Information from Form Owners (Add-on Users)

• Google Account information — your email address, display name, and Google user ID, collected when you install the add-on or sign in at simpletimer.co.
• Form configuration data — the timer settings you create (duration, scheduling dates, instructions, auto-submit preferences).
• Usage data — the number of active timed forms and monthly responses, used to enforce plan limits.
• Billing information — if you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription status but never your credit card number.

2.2 Information from Form Respondents

• Email address — only if the form owner has enabled "Collect email addresses" in Google Forms™. We use it solely to match timer sessions to form responses and to enforce per-respondent session limits.
• Timer session data — session start time, time remaining, submission status (submitted vs. auto-submitted), and tab-switch count.
• Browser metadata — we do not collect IP addresses, device fingerprints, or cookies from respondents beyond a temporary session token stored in the browser for the duration of a single timed session.

Simple Timer requests only the minimum permissions needed to function. Here is an explanation of each OAuth scope we use:

Simple Timer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• Provide and operate the service — creating timer links, enforcing time limits, tracking sessions, and writing timer data to your spreadsheet.
• Enforce plan limits — counting active forms and monthly responses to apply Free or Pro tier limits.
• Process payments — managing subscriptions through Stripe.
• Improve the service — aggregated, anonymized usage statistics (e.g., average timer duration) may be used to improve features. We never sell or share individual user data.
• Communicate with you — transactional emails related to your subscription (sent via Stripe) and critical service announcements.

• Data is stored in a Supabase-hosted PostgreSQL database with Row Level Security (RLS) enabled.
• All data is transmitted over HTTPS/TLS.
• API endpoints are protected by shared secret authentication (for add-on communication) and session tokens (for respondents).
• Payment information is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We never see or store your credit card details.
• We apply rate limiting to all API endpoints to prevent abuse.

We do not sell, rent, or trade your personal information. We share data only with:

• Stripe — to process subscription payments. Subject to Stripe's Privacy Policy.
• Supabase — for database hosting. Subject to Supabase's Privacy Policy.
• Vercel — for web application hosting. Subject to Vercel's Privacy Policy.
• Law enforcement — if required by law, subpoena, or court order.

• Form configurations are retained while your timer is active. When you disable a timer, the configuration is deleted from our database.
• Timer sessions are retained for 90 days after completion to support analytics and troubleshooting, then automatically deleted.
• User accounts are retained while your account is active. You may request deletion at any time (see "Your Rights" below).
• Monthly usage counters (response counts) are reset at the beginning of each calendar month.

If you are a person taking a timed form (a "respondent"), the form owner — not Simple Timer — is the data controller for your form responses. Simple Timer acts as a data processor on the form owner's behalf.

• We collect only the data necessary to run the timer (session timing, tab-switch count, and email if the form owner has enabled email collection).
• We do not use respondent data for advertising, profiling, or any purpose unrelated to the timer service.
• Session tokens are stored only in the browser's localStorage for the duration of the session and are not used for tracking across sites.

You have the right to:

• Access your data — view your account and usage information at simpletimer.co/account.
• Delete your account and all associated data by emailing us at support@simpletimer.co.
• Export your timer data from the "Timer Data" sheet in your linked Google Spreadsheet at any time.
• Revoke access by uninstalling the add-on from Google Forms™ and revoking permissions at myaccount.google.com/permissions.

Simple Timer is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. Your continued use of Simple Timer after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or your data, please contact us at:

support@simpletimer.co