Legal
Privacy Policy
Last updated: March 15, 2025
🔒 We never store your AWS credentials on any external server. Your Access Key and Secret are stored exclusively within your own Google account using Google's encrypted storage.
AWS Cost Health ("the Add-on") is a Google Sheets Editor Add-on that connects to the AWS Cost Explorer API to display billing and cost data in your Google Sheet. This policy explains how we handle your data.
1. Data We Collect
- AWS Access Key ID — used to authenticate API calls to AWS Cost Explorer
- AWS Secret Access Key — used to sign SigV4 requests to the AWS API
- AWS Region — used to determine the API endpoint
We do not collect, read, or store any other AWS data beyond cost and billing information explicitly fetched to display in your sheet.
2. How We Store Data
- Your AWS credentials are stored using Google Apps Script's ScriptProperties — encrypted, per-project storage managed by Google
- Data is stored within your Google account and is only accessible to you
- We do not operate any external servers or databases
- No data is stored outside of your Google account
3. How We Use Data
Your credentials are used solely to:
- Call the AWS Cost Explorer API (
ce:GetCostAndUsage) to fetch daily and monthly cost data grouped by service
- Display this cost data in your Google Sheet as a structured dashboard
4. Data Sharing
We do not share your data with any third parties. All API calls go directly from Google's servers to the AWS Cost Explorer API. There are no intermediary servers, analytics services, or tracking tools.
5. Third-Party Services
The Add-on communicates only with:
- AWS Cost Explorer API (ce.{region}.amazonaws.com) — to fetch cost data using your credentials
- Google Sheets API — to write dashboard data to your spreadsheet
6. Data Retention
- Your AWS credentials are stored until you click "Disconnect" in the Add-on panel
- Cost data written to the spreadsheet persists until you delete it
- Disconnecting removes all stored credentials immediately
7. Security
- All API calls use HTTPS encryption
- Requests to AWS are signed using AWS SigV4 — your Secret Key is never transmitted in plaintext
- Your credentials are stored in Google's encrypted ScriptProperties storage
- We recommend creating a dedicated IAM user with only
ce:GetCostAndUsage permission
8. Your Rights
- Disconnect — removes all stored credentials from your Google account instantly
- Revoke AWS credentials — deactivate the Access Key in AWS IAM to immediately disable all access
- Uninstall the Add-on — removes the Add-on and all associated stored data
9. Google API Services User Data Policy
This Add-on's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
10. Contact
For questions about this privacy policy, contact us at: ajaypadwal73@gmail.com
11. Changes
We may update this policy occasionally. Changes will be posted on this page with an updated date.