What We Actually Access (Plain English)
When you connect a platform to Spreadsheet Broccoli, you're giving us permission to read specific data from your account. Think of it like giving someone read-only access to certain folders on your computer - they can see the contents, but they can't change, delete, or add anything.
What "Read-Only" Really Means:
We CAN:
- Read your orders, products, customers (to build reports)
- Pull transaction history, payment data, inventory levels
- Access analytics and performance metrics
- Fetch fee structures and payout information
We CANNOT:
- Change prices, create products, edit descriptions
- Process refunds, cancel orders, or modify transactions
- Change store settings or configurations
- Delete anything from your account
- Send emails to your customers
- Access your payment methods or bank accounts
- Modify inventory levels
We NEVER:
- See your platform password (OAuth doesn't share passwords)
- Store your data permanently (we generate reports then delete)
- Sell your data to third parties
- Share your data with advertisers
OAuth: The Secure Way to Connect
What is OAuth?
OAuth is like a valet key for your car. It can start the engine and drive the car, but it can't open the trunk or glove box. Similarly, OAuth gives us limited, specific access without your password.
The OAuth Flow (What Happens When You Click "Connect"):
1. You click "Connect Shopify" in Spreadsheet Broccoli
2. You're redirected to Shopify's official site (you can verify the URL)
3. Shopify shows you exactly what we're requesting (read orders, read products, etc.)
4. You log in with YOUR credentials on Shopify's site (we never see this)
5. Shopify gives us a "token" (a random string, not your password)
6. We use this token to fetch data (read-only, specific scopes)
7. You can revoke the token anytime (cuts off our access immediately)
Why This is Secure:
- Your password stays with Shopify/platform only
- We get a token that only works for specific actions
- Token expires or can be revoked
- You control exactly what we can access
- Industry-standard security (used by thousands of apps)
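As an added illustration (not Spreadsheet Broccoli's own code), here is what steps 1, 5 and 6 of the flow look like from the app side: the authorize redirect built with the five Shopify read scopes listed in the "Shopify Scopes" section plus a random state value, the state check on the callback, and a least-privilege check on the scopes the platform actually granted. The URL shape follows Shopify's documented authorize endpoint; the client id, redirect URI and callback values are placeholders, and Shopify's HMAC signature check on the callback is left out.

```python
"""Added example, not Spreadsheet Broccoli's code: app-side view of the OAuth
"Connect" flow with the Shopify read scopes this page lists. Client id,
redirect URI and callback values are placeholders."""
import secrets
from urllib.parse import urlencode

# The five read-only Shopify scopes from the "Shopify Scopes" section.
REQUESTED_SCOPES = ["read_orders", "read_products", "read_customers",
                    "read_analytics", "read_payments"]


def build_authorize_url(shop: str, client_id: str, redirect_uri: str):
    """Steps 1-2: send the merchant to the platform's own site, carrying a
    random single-use state value that the callback must echo back."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "scope": ",".join(REQUESTED_SCOPES),
              "redirect_uri": redirect_uri, "state": state}
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}", state


def validate_callback(callback_params: dict, expected_state: str) -> list:
    """Step 5: checks before the code is exchanged for a token. Returns the
    list of problems found; an empty list means the callback is acceptable."""
    problems = []
    got_state = callback_params.get("state", "").encode()
    if not secrets.compare_digest(got_state, expected_state.encode()):
        problems.append("state mismatch (possible forged callback)")
    if "code" not in callback_params:
        problems.append("no authorization code")
    return problems


def check_granted_scopes(granted: str) -> list:
    """Step 6: least-privilege check on the scope string the platform returns
    with the token. Any write_* scope, or any scope we never asked for, is a
    red flag; a missing requested scope means reports will fail later."""
    got = {s.strip() for s in granted.split(",") if s.strip()}
    problems = []
    for scope in sorted(got):
        if scope.startswith("write_"):
            problems.append(f"write scope granted: {scope}")
        elif scope not in REQUESTED_SCOPES:
            problems.append(f"unrequested scope granted: {scope}")
    for scope in REQUESTED_SCOPES:
        if scope not in got:
            problems.append(f"requested scope missing: {scope}")
    return problems
```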
Scopes by Platform: What We Request and Why
Shopify Scopes
read_orders
- Why we need it: To build sales reports, payout reconciliation, refund analysis
- What we access: Order numbers, dates, amounts, SKUs, customer names
- What we DON'T access: Ability to cancel, refund, or modify orders
read_products
- Why we need it: To analyze product performance, inventory, SKU profitability
- What we access: Product titles, SKUs, prices, COGS, inventory levels
- What we DON'T access: Ability to change prices, edit products, or modify inventory
read_customers
- Why we need it: For customer LTV analysis, cohort tracking, repeat purchase rates
- What we access: Customer names, emails, order history, total spent
- What we DON'T access: Ability to email customers, edit profiles, or delete accounts
read_analytics
- Why we need it: To include traffic data, conversion metrics in reports
- What we access: Aggregated store metrics, sales trends
- What we DON'T access: Individual customer browsing behavior
read_payments
- Why we need it: For payout reconciliation, fee analysis
- What we access: Transaction fees, payout schedules, payment processor details
- What we DON'T access: Bank account numbers, payment methods, credit card info
We Do NOT Request:
- write_orders (we can't create, edit, or cancel orders)
- write_products (we can't change prices or inventory)
- write_customers (we can't modify customer data)
- read_price_rules (we don't need discount code internals)
- write_fulfillments (we can't mark orders as shipped)
Stripe Scopes
read_charges
- Why: Transaction history for revenue reports
- Access: Charge amounts, dates, statuses
- NOT: Ability to create charges or refunds
read_payouts
- Why: Payout reconciliation
- Access: Payout amounts, schedules, bank deposit info
- NOT: Bank account details
read_customers
- Why: Customer billing analysis, subscription tracking
- Access: Customer metadata, subscription status
- NOT: Credit card numbers or payment methods
WooCommerce Access
Consumer Key/Secret with Read Permissions
- Orders: Read order history for sales reports
- Products: Read catalog for inventory analysis
- Customers: Read customer data for LTV tracking
- Reports: Read sales/revenue summaries
No Write Access to:
- Store settings
- WordPress admin
- Product management
- Order fulfillment
Data Retention: What We Keep and For How Long
During Report Generation:
Step 1: Data Pull (Real-Time)
- We connect to your platform via OAuth
- Pull the specific data needed for your report
- Data is in temporary processing memory
- Duration: 5-30 minutes depending on data volume
Step 2: Report Building (In-Process)
- Calculate metrics, build tables, format Excel
- Data still in temporary processing
- Duration: 2-10 minutes
Step 3: Report Delivery
- Excel file generated and stored for download
- Duration: 30 days (then auto-deleted)
- Raw source data is immediately purged
What We Keep Long-Term:
- OAuth tokens: Encrypted, stored securely (needed to generate future reports)
- Report metadata: File name, generation date, platform connected
- Account info: Your email, subscription status
What We DON'T Keep:
- Individual order details after report is generated
- Customer PII after report is delivered
- Raw transaction data
- Historical snapshots of your store data
How to Audit and Disconnect
Auditing Your Connections
In Spreadsheet Broccoli:
1. Go to Dashboard → Connectors
2. See list of all connected platforms
3. View: Date connected, last data pull, active status
4. Click any connector to see: Scopes granted, report history
In Your Platform (Shopify Example):
1. Shopify Admin → Settings → Apps and sales channels
2. Find "Spreadsheet Broccoli"
3. View: Scopes granted, API activity, last access date
4. Check API logs for our access timestamps
Signs of Normal Activity:
- API calls during scheduled report times
- Regular read operations (orders, products)
- No write operations (should always be zero)
- Access patterns match your report schedule
Red Flags (Contact Support):
- Unexpected API activity outside scheduled times
- Write operations appearing (shouldn't be possible)
- Access to scopes you didn't grant
- Unusual data volume transfers
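To make the "normal activity vs. red flag" distinction concrete, here is an added checker (not the vendor's code) that applies these four rules to API access-log lines. The log line format, the scheduled-pull window and the volume threshold are constructed assumptions; a real platform's API log has its own layout and would need its own parser.

```python
"""Added example, not Spreadsheet Broccoli's code: applies this page's
"normal vs. red flag" rules to constructed API access-log lines."""
from datetime import datetime

# Resources the read_* scopes on this page cover (constructed mapping).
READ_RESOURCES = {"orders", "products", "customers", "analytics", "payments"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> dict:
    """Constructed format: '<ISO timestamp> <METHOD> <path> <status> <bytes>'."""
    ts, method, path, status, size = line.split()
    resource = path.rstrip("/").split("/")[-1].split(".")[0]
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "method": method, "resource": resource,
            "status": int(status), "bytes": int(size)}


def audit(lines, schedule_hours_utc=(2, 3), max_bytes=50_000_000) -> list:
    """Return one finding per red flag; an empty list means 'looks normal'.
    schedule_hours_utc is the [start, end) hour window of scheduled pulls."""
    findings = []
    for raw in lines:
        e = parse_line(raw)
        when = e["ts"].strftime("%Y-%m-%d %H:%M")
        if e["method"] in WRITE_METHODS:
            findings.append(f"{when}: write operation {e['method']} on {e['resource']}")
        if e["resource"] not in READ_RESOURCES:
            findings.append(f"{when}: access outside granted scopes ({e['resource']})")
        if not (schedule_hours_utc[0] <= e["ts"].hour < schedule_hours_utc[1]):
            findings.append(f"{when}: activity outside scheduled window")
        if e["bytes"] > max_bytes:
            findings.append(f"{when}: unusual data volume ({e['bytes']} bytes)")
    return findings


# Constructed sample: a normal scheduled pull, then three suspicious lines
# (an off-schedule read, a write call, and a scope that was never granted).
SAMPLE_LOG = [
    "2024-05-01T02:05:11Z GET /admin/api/orders.json 200 1200000",
    "2024-05-01T02:06:40Z GET /admin/api/products.json 200 800000",
    "2024-05-01T14:22:03Z GET /admin/api/orders.json 200 900000",
    "2024-05-01T02:07:02Z POST /admin/api/orders.json 201 2300",
    "2024-05-01T02:08:15Z GET /admin/api/price_rules.json 200 5000",
]
```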
Disconnecting: How to Revoke Access
Option 1: Disconnect from Spreadsheet Broccoli
1. Dashboard → Connectors
2. Find the platform you want to disconnect
3. Click "Disconnect"
4. Confirm
What happens:
- We delete your OAuth token immediately
- We can no longer pull data from that platform
- Scheduled reports for that platform stop
- Historical reports remain downloadable (your data)
Option 2: Revoke from Platform (Double-Sure Method)
Shopify:
1. Settings → Apps and sales channels
2. Find Spreadsheet Broccoli
3. Click "Uninstall"
4. Confirm
Stripe:
1. Settings → Connected Accounts
2. Find Spreadsheet Broccoli
3. Click "Disconnect"
WooCommerce:
1. WooCommerce → Settings → Advanced → REST API
2. Find Spreadsheet Broccoli key
3. Click "Revoke"
What happens:
- Platform invalidates our OAuth token
- We can no longer access your data
- Next scheduled report will fail (expected)
- You'll get a notification that the connection is broken
Common Security Questions
"Can you see my bank account?"
No. We see payout amounts and dates, but not your actual bank account numbers, routing numbers, or account balances.
"Can you see customer credit card numbers?"
No. Payment processors don't expose full credit card numbers through their APIs. We might see last 4 digits (for display in reports), but never the full number.
"Can you process refunds or charge customers?"
No. We have read-only access. Write permissions (which would be required for refunds, charges, etc.) are not requested and not granted.
"What if Spreadsheet Broccoli gets hacked?"
Best case scenario: Our tokens are encrypted at rest. If someone steals encrypted tokens, they can't use them without the encryption keys (stored separately).
Worst case scenario: If both the tokens AND the encryption keys were stolen, an attacker could read your store data. They still couldn't modify anything (read-only). You'd immediately disconnect to revoke the tokens.
What we do: Regular security audits, penetration testing, encrypted storage, isolated environments, activity monitoring.
"Can you use my data for your own purposes?"
No. Our Terms of Service and Privacy Policy explicitly prohibit:
- Selling your data
- Using your data for our marketing
- Sharing data with third parties
- Training AI models on your data
Your data is processed solely to generate your reports, then deleted.
The "Too Good to Be True" Question
"Why should I trust you with access to my business data?"
Fair question. Here's our answer:
1. Technical Security
- OAuth 2.0 (industry standard)
- Read-only scopes only
- Encrypted token storage
- No password access
2. Business Model Alignment
- We make money from subscriptions, not data
- Our business depends on your trust
- GDPR/CCPA compliance (audited)
- Data Processing Agreement available
3. Transparency
- Open about what we access (this guide)
- Show you exactly what scopes we request
- You control when we can access (scheduled reports)
- Easy disconnect process
4. Minimal Access Principle
- We request only the scopes we actually need
- We don't ask for write permissions
- We don't ask for customer browsing data
- We don't ask for admin-level access
5. You're in Control
- Connect/disconnect anytime
- Revoke access instantly
- Audit API activity
- Download your reports and leave
Read our complete Security & Privacy documentation, or connect your first platform to see exactly what permissions we request.
Comparing Spreadsheet Broccoli to Alternatives
vs. Manual CSV Export
Security:
- Manual: You download CSVs with full data, store locally (risk of loss/theft)
- Us: Data never stored locally, processed in secure cloud, auto-deleted
Access:
- Manual: Anyone with access to your laptop can see CSVs
- Us: Reports encrypted, access-controlled, audit trail
vs. Building Your Own Integration
Security:
- DIY: You store OAuth tokens (if breached, attacker gets direct access)
- Us: Tokens encrypted, monitored, isolated per customer
Maintenance:
- DIY: You're responsible for security updates, token rotation
- Us: We monitor platform API changes, security patches
vs. Full-Access Business Intelligence Tools
Scope:
- BI Tools: Often request write access, admin access, broad scopes
- Us: Read-only, minimal scopes, specific to reporting needs
Data Storage:
- BI Tools: Warehouse all your data long-term for dashboards
- Us: Process and purge, only keep aggregated metrics
Common Mistakes to Avoid
Learn from these common pitfalls to ensure success
Assuming OAuth means we have your password
Solution: OAuth specifically avoids sharing passwords. We get a token that works like a temporary, limited key, not your master password.
Thinking read-only access means we can't see sensitive data
Solution: Read-only means we can't modify anything, but we can see order data, customer names, etc. This is necessary for reports.
Not disconnecting old integrations you no longer use
Solution: Review connected apps quarterly. Disconnect anything you don't actively use. Good security hygiene.
Connecting with admin/owner credentials when staff credentials would work
Solution: If your platform supports role-based access, create a reporting-only staff account with minimal permissions.
How to Verify Your Numbers
Before you rely on a connection, check that each of the following is true:
You understand that OAuth doesn't share your password with us
You can list the scopes we request for your platform
You know how to audit our API activity in your platform
You can disconnect/revoke access in under 2 minutes
You've reviewed what data we keep vs what we delete
Frequently Asked Questions
Why do you need read_customers if you're just doing financial reports?
Can I limit which data you pull (e.g., last 90 days only)?
What happens if I change my platform password?
Do you access my data even when I'm not generating reports?
Can I see exactly what data was pulled for each report?