The short version. DaisySync runs entirely inside your own Google Workspace account. Your DaisyBill data, your API token, and every sync artifact stay in your Google Workspace — they never touch a server operated by DaisySync. This policy explains the (very small) exceptions, and the rights you have around them.
01 Who we are
"DaisySync" (we, us, our) refers to the business that operates the DaisySync Google Workspace add-on and this website at daisysync.com. DaisySync is not affiliated with, endorsed by, or sponsored by DaisyBill, Inc., Google LLC, or any other third party referenced on this site.
If your organization uses DaisySync to handle Protected Health Information (PHI) as defined under HIPAA, we act as a Business Associate to your organization and are bound by a separate Business Associate Agreement (BAA).
02 Where your data lives
The DaisySync add-on is a Google Apps Script project that executes entirely inside your own Google Workspace account. There are no DaisySync-operated servers, containers, or databases in the data path. Concretely:
- Your DaisyBill API token is stored in your Google Workspace UserProperties — per-user scoped, never shared with other editors of the same spreadsheet.
- Every bill, patient, injury, submission, and payment record fetched from DaisyBill is cached in a hidden sheet named _DaisyBillCache inside your Google Sheet.
- Audit logs are written to a hidden sheet named _DaisySyncAuditLog inside your Google Sheet.
- Scheduled-sync triggers run under your Google Workspace identity and against your Google Workspace quotas.
Because the add-on's code runs on Google's Apps Script runtime inside your own tenancy, Google's BAA (where applicable to your edition) covers the execution environment. DaisySync never sees, stores, or transmits your PHI.
03 What DaisySync does not collect
We explicitly do not collect, ingest, log, or process:
- Patient demographics, date of birth, injury details, or claim numbers.
- Billing amounts, payment history, or remittance details.
- Your DaisyBill API token, or any data retrievable with it.
- The contents of your spreadsheets or any hidden cache sheets.
- Google OAuth tokens for your Workspace account (Apps Script manages these inside your tenancy).
The add-on's manifest enforces this technically: the OAuth scope spreadsheets.currentonly limits access to the currently-open spreadsheet, and the urlFetchWhitelist in appsscript.json restricts outbound API calls to go.daisybill.com only. There is no outbound path to a DaisySync server.
04 The only data we do store
To support optional webhook-driven sync (where DaisyBill pushes events to a DaisySync endpoint), we maintain one global key-value record on a Google-managed Apps Script ScriptProperties store. That record contains:
- A SHA-256 hash of the webhook-only username and password you generated in DaisySync (never your DaisyBill login password or API token), mapped to your Google Sheet's ID.
- A non-identifying counter of recent webhook events per tenant (total count, last event timestamp, event-type breakdown).
This record contains no PHI. The hash is one-way — it cannot be reversed to reveal your webhook credentials. Its sole purpose is to verify an incoming webhook and route it to the correct customer spreadsheet. If you never enable webhooks, no record is created.
You can delete this record at any time by clicking Disable webhooks in the DaisySync sidebar, or by running Disconnect & Wipe Data from the DaisySync menu.
05 The marketing website (this page)
This website — daisysync.com — is a static marketing site hosted by Netlify. It contains no tracking pixels, no advertising networks, no session recording, and no third-party analytics.
The site loads typography from Google Fonts over HTTPS (preconnected to fonts.gstatic.com) to display Inter and Instrument Serif. Google Fonts may record your IP address and browser string in its server logs per its own privacy policy. No cookies are set by the font request.
Netlify, the CDN hosting this site, processes standard web-server request logs (IP address, user-agent, request path, response code, timestamp) for normal operational purposes and for up to 30 days. See Netlify's privacy policy.
We do not set cookies on this site.
06 Service providers (processors)
The following third parties are involved in delivering DaisySync to you. You already have (or will have) a direct relationship with each:
- Google LLC — hosts the Apps Script runtime, your Google Sheet, and your Google Workspace identity. Your data processing relationship with Google is governed by your own Google Workspace agreement (and, where applicable, Google's BAA with your organization).
- DaisyBill, Inc. — the source of the billing data the add-on syncs. Your relationship with DaisyBill is governed by the DaisyBill agreement you hold with them.
- Netlify — hosts this marketing website only. Does not touch customer data.
07 Data protection mechanisms
DaisySync relies on a layered set of technical and organizational safeguards to protect your data — both the small amount described in §4 and the customer data that lives entirely inside your own Google Workspace tenancy.
Encryption in transit
- All calls to the DaisyBill API are HTTPS-only. The add-on manifest's urlFetchWhitelist in appsscript.json is restricted to https://go.daisybill.com/; plain-HTTP outbound calls are rejected at the runtime level.
- All reads and writes against Google Workspace storage (Sheets, UserProperties, DocumentProperties, ScriptProperties) transit Google's internal network over TLS.
- The optional webhook receiver is a Google Apps Script Web App, reachable only over HTTPS at script.google.com. There is no plain-HTTP listener.
Encryption at rest
- Every persistent artifact DaisySync writes — your DaisyBill API token in UserProperties, per-sheet configuration in DocumentProperties, the tenant hash record in ScriptProperties, and every hidden cache/audit/webhook-queue sheet — is stored on Google Cloud infrastructure, which encrypts customer data at rest by default (AES-256). See Google Cloud: Encryption at Rest.
- DaisySync itself does not operate any additional storage tier. There is no DaisySync-owned database, object store, or backup system to protect.
Credential protection
- Your DaisyBill API token is stored in Google Apps Script UserProperties, which is scoped to your Google identity. Other editors of the same spreadsheet cannot read it.
- Webhook credentials (the username and password you generate in the DaisySync sidebar to authenticate incoming webhook calls) are never stored in plaintext. Only a SHA-256 digest of password:username is persisted. The username functions as a per-record salt so identical passwords across tenants produce different digests.
- Verification of an incoming webhook is a hash-lookup against the registered digest — no plaintext password comparison ever occurs in DaisySync code.
- DaisySync does not store, log, or transmit Google OAuth tokens. Those are managed by the Apps Script runtime inside your tenancy.
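The digest-and-lookup scheme described in the list above, as an added Node.js illustration; it is not DaisySync's code and not part of the policy. The class and function names, the sample credentials and the rule that credentials contain no ":" are assumptions of the example.

```javascript
// Added illustration; WebhookDirectory and all sample values are hypothetical.
const { createHash } = require('node:crypto');

// SHA-256 over "password:username", hex-encoded, as the policy describes.
function tenantDigest(username, password) {
  for (const field of [username, password]) {
    // ':' is the separator, so a field containing it would let two different
    // pairs serialise to the same string. Assumption: generated credentials
    // never contain ':'.
    if (typeof field !== 'string' || field === '' || field.includes(':')) {
      throw new Error('credential fields must be non-empty and contain no ":"');
    }
  }
  return createHash('sha256').update(`${password}:${username}`, 'utf8').digest('hex');
}

// Stand-in for the global key-value record: digest -> spreadsheet ID.
class WebhookDirectory {
  constructor() { this.records = new Map(); }

  register(username, password, sheetId) {
    const digest = tenantDigest(username, password);
    this.records.set(digest, sheetId);
    return digest;
  }

  // Recompute the digest from the presented credentials and look it up.
  // Nothing stored here can be compared against a plaintext password.
  route(username, password) {
    let digest;
    try { digest = tenantDigest(username, password); } catch (err) { return null; }
    return this.records.get(digest) ?? null;
  }

  // "Disable webhooks": drop the record so the credentials stop routing.
  disable(digest) { return this.records.delete(digest); }
}

// Constructed sample: two tenants that happen to share a password.
const directory = new WebhookDirectory();
const digestA = directory.register('hook-tenant-a', 'Zq7constructedSecret', 'SHEET_ID_A');
const digestB = directory.register('hook-tenant-b', 'Zq7constructedSecret', 'SHEET_ID_B');
console.log(digestA !== digestB, directory.route('hook-tenant-a', 'Zq7constructedSecret'));
```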
Access controls & least privilege
- Minimum-viable OAuth scopes. The add-on requests spreadsheets.currentonly rather than broad spreadsheets access, so the code physically cannot read or modify any spreadsheet other than the one you have open. Similarly, script.external_request is paired with the urlFetchWhitelist above to confine network egress to a single hostname.
- Per-user and per-spreadsheet state isolation. Configuration, cache, and audit data live in the spreadsheet's own DocumentProperties and hidden sheets. One customer's spreadsheet cannot read another customer's state.
- No DaisySync-operated servers. Because the add-on runs entirely inside the Apps Script runtime in your tenancy, DaisySync has no employees, contractors, or support staff with administrative access to your data. There is no admin console on our side.
- Customer-controlled factory reset. The Disconnect & Wipe Data command removes the API token, every per-sheet configuration, all scheduled triggers, and all hidden cache sheets in a single operation.
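A reviewer can check the scope and egress claims made here and in §3 against an add-on's appsscript.json. The following is an added example, not DaisySync's code: auditManifest and both sample manifests are constructed, and the list of expected scopes is taken only from the two scopes this policy names, so any other scope is reported for review rather than treated as wrong.

```javascript
// Added illustration; auditManifest and both sample manifests are constructed.
const POLICY_SCOPES = new Set([
  'https://www.googleapis.com/auth/spreadsheets.currentonly',
  'https://www.googleapis.com/auth/script.external_request',
]);
const BROAD_SHEETS_SCOPE = 'https://www.googleapis.com/auth/spreadsheets';
const ALLOWED_HOST = 'go.daisybill.com';

function auditManifest(manifest) {
  const findings = [];
  const scopes = manifest.oauthScopes;
  if (!Array.isArray(scopes) || scopes.length === 0) {
    findings.push('oauthScopes absent: scopes are inferred from the code');
  } else {
    for (const scope of scopes) {
      if (scope === BROAD_SHEETS_SCOPE) findings.push(`broad scope: ${scope}`);
      else if (!POLICY_SCOPES.has(scope)) findings.push(`review scope: ${scope}`);
    }
  }
  const prefixes = manifest.urlFetchWhitelist;
  if (!Array.isArray(prefixes) || prefixes.length === 0) {
    findings.push('urlFetchWhitelist absent: outbound fetches are unrestricted');
  } else {
    for (const prefix of prefixes) {
      let url;
      try { url = new URL(prefix); } catch (err) {
        findings.push(`unparseable prefix: ${prefix}`);
        continue;
      }
      if (url.protocol !== 'https:') findings.push(`non-HTTPS prefix: ${prefix}`);
      // Exact hostname match, so look-alike hosts are reported.
      if (url.hostname !== ALLOWED_HOST) findings.push(`unexpected host: ${url.hostname}`);
    }
  }
  return findings;
}

const asDescribed = {
  oauthScopes: [...POLICY_SCOPES],
  urlFetchWhitelist: ['https://go.daisybill.com/'],
};
const weakened = {
  oauthScopes: [BROAD_SHEETS_SCOPE],
  urlFetchWhitelist: ['http://go.daisybill.com/', 'https://go.daisybill.com.example.org/'],
};
console.log(auditManifest(asDescribed), auditManifest(weakened));
```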
Secure development practices
- No third-party JavaScript in the add-on runtime. The sidebar and dialogs contain no CDN scripts, no analytics SDKs, no advertising pixels, and no external fonts. The only externally loaded resource anywhere in the product surface is Google Fonts on the marketing website (§5).
- No package dependencies. DaisySync has no npm dependency tree, no transitive packages, and therefore no typical supply-chain exposure.
- Input validation. Every privileged entry point that accepts a sheet identifier calls a validator that enforces a strict regex and an existence check before any I/O is performed. User-supplied strings are escaped before being interpolated into HTML or email bodies.
- PHI-aware logging. A redaction helper strips first names, last names, dates of birth, and claim numbers from any error body or user-facing message before it reaches Logger.log, email notifications, or the audit log.
- Concurrency safety. Resume execution and webhook-directory mutations are protected by LockService critical sections to prevent race conditions between scheduled and manual runs.
Audit logging
- Every sync run is appended to a per-spreadsheet _DaisySyncAuditLog hidden sheet, capturing the actor, sheet, sync type, row count, duration, and outcome. This supports HIPAA §164.312(b) audit controls and the §164.528 right to an accounting of disclosures.
- Audit logs reside in the customer's own spreadsheet. They are never copied to a DaisySync-controlled log aggregator.
Vulnerability disclosure & incident response
- Report suspected vulnerabilities to security@daisysync.com. We acknowledge reports within 3 business days and commit to acting in good faith with researchers who follow responsible-disclosure norms.
- In the event of a confirmed security incident affecting DaisySync-controlled data (i.e. the tenant hash directory described in §4), affected customers will be notified without undue delay and in any case within 72 hours of confirmation, in line with GDPR Article 33. Where a Business Associate Agreement (§8) is in effect, HIPAA breach-notification timelines apply in addition.
- Because customer data resides in the customer's own Google Workspace, an incident affecting that data is a Google Workspace incident, not a DaisySync incident, and is governed by Google's own incident-response posture.
08 HIPAA & protected health information
Workers' compensation billing data is PHI under HIPAA when processed for covered entities. DaisySync's architecture is designed so that no PHI ever reaches DaisySync-controlled infrastructure.
If you are a HIPAA-regulated organization:
- You must use a Google Workspace edition that supports a Business Associate Agreement with Google — Business Plus or higher — and have an executed BAA with Google in force.
- You must execute a DaisySync BAA before transmitting any PHI through the add-on.
- Free @gmail.com accounts are not eligible to sign Google's BAA and must not be used with PHI.
In the absence of an executed DaisySync BAA, DaisySync is not authorized to be involved in the processing of PHI on your behalf, and you agree not to use the add-on for that purpose.
09 Your rights
Depending on where you live, you may have rights over the personal data we process. Because we process virtually none, most of these rights are trivially satisfied — but we list them explicitly:
GDPR (if you are in the EEA, UK, or Switzerland)
- Right of access, rectification, erasure, restriction, and portability — the only data we have tied to you is the hash-to-spreadsheet record described in §4. You can have it deleted immediately by emailing privacy@daisysync.com with your webhook tenant hash (visible in the DaisySync sidebar).
- Right to object — you can disable webhooks in DaisySync at any time; this stops any further record keeping.
- Right to lodge a complaint — you may complain to your local supervisory authority.
California (CCPA/CPRA)
- We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- You have the right to know, delete, correct, and to non-discrimination. Submit a request to privacy@daisysync.com.
Other jurisdictions
We honor equivalent rights from other jurisdictions where applicable.
10 Data retention & deletion
Because all customer data lives in your own Google Workspace, retention is controlled by you, not us. The webhook hash record described in §4 is retained for as long as your webhook is enabled and deleted within 24 hours of being disabled.
The DaisySync add-on includes a Disconnect & Wipe Data command that removes the API token, all per-sheet configurations, all scheduled triggers, and all hidden cache sheets from your spreadsheet, atomically.
11 Children
DaisySync is a business-to-business product intended for use by licensed medical billing professionals. It is not directed to individuals under 18, and we do not knowingly collect data from them.
12 Changes to this policy
We may update this policy from time to time. Material changes will be announced at least 30 days in advance on this page and, where practical, by email to active customers. The "Last updated" date at the top of this page reflects the latest revision.
13 Contact
Questions, complaints, or rights requests: privacy@daisysync.com.
General inquiries: hello@daisysync.com.
Notice. This policy is provided in good faith and describes DaisySync's actual technical architecture. It is not legal advice. If you need a privacy representation to satisfy your own compliance program, please request a signed copy via legal@daisysync.com.