CloudRaft
Privacy

What we store, and why

CloudRaft moves files between cloud providers on your behalf. As a rule, we keep as little of your data as is absolutely required to run the service — and we delete it as soon as we no longer need it. This page tells you exactly what we do handle, and why.

Last revised 2026-06-06.

Who's responsible for your data

CloudRaft is operated by Robinson Holding AS, org. no. 927 250 861, registered in the Norwegian Register of Business Enterprises (Foretaksregisteret), Norway. Robinson Holding AS is the data controller for the personal data described here. Contact us about privacy at support@cloudraft.app.

We haven't appointed a Data Protection Officer (we're not required to). Because we're established in Norway, within the EEA, we don't need an EU representative.

What we store

Your account

  • Email address.
  • Hashed session tokens.
  • Sign-in attempts (timestamped; we don't log your IP address — see below).

Your connected accounts

  • For a cloud you connect by sign-in (Google Drive™, Dropbox, OneDrive, Box): OAuth access + refresh tokens. Encrypted at rest with AES-GCM. We never see or ask for your provider account password.
  • For a self-hosted or personal cloud server (Nextcloud, ownCloud, Synology, Koofr, Fastmail…): the server URL, the username, and an app password you create for CloudRaft — also encrypted at rest with AES-GCM, and used only to read + write during a copy. Use an app password (not your main account password) so you can revoke it on your server any time.
  • The provider's stable account identifier, plus the account's email or display name — shown to you in Settings so you can tell connected accounts apart. Nothing else from your profile (no photo, contacts, or calendar).

What we can access, and what we do with it

To copy your files, you grant CloudRaft access to the cloud you connect. We use that access for one purpose only: reading the files you choose and writing the copies. We never delete, move, rename, or modify anything else in your account.

How much access a provider gives us depends on what it offers:

  • Google Drive™ grants narrow access — we can reach only the files you pick and the copies we write, nothing else in your account.
  • Dropbox depends on the direction. Copying into Dropbox (a destination) uses app-folder-only access — we can write into one dedicated CloudRaft folder and see nothing else. Copying out of Dropbox (a source) requires read-only access to your Dropbox so you can pick any file to copy; that access is read-only — we never write, move, rename, or delete anything in your Dropbox.
  • OneDrive grants broad read access, so you can pick any file to copy; our writes stay inside a dedicated CloudRaft area.
  • Box offers no narrow option, so the app technically holds read and write access to all your Box files. We use it strictly to copy — we never touch your other files.
  • Self-hosted & personal servers (Nextcloud, Synology, Koofr…) grant whatever the app password you create allows; we only read to copy and write the copies, within the area you connect.

When you disconnect a cloud in CloudRaft settings, we delete its stored tokens/credentials from our database. For providers that support it (e.g. Google, Dropbox), we also call the provider's revocation endpoint on a best-effort basis. WebDAV has no revocation endpoint — deleting the stored app password ends our access; revoke or rotate that app password on your own server to be certain.

Your migrations

  • A record of the files you asked us to move — their names, sizes, and where they came from and went. We do not store file contents.
  • A counter for each migration (files copied, files to review, bytes transferred) for the progress bar.
  • An audit-log row for each meaningful event (migration created, started, finished, failed, OAuth connected, OAuth disconnected).
  • When you start a paid migration, a record of your “begin now / 14-day withdrawal” choice (which pass, when, and the version of the wording you agreed to), so we can show we handled your consumer rights correctly.

Your billing

  • A Stripe customer ID, and a reference to each Checkout payment.
  • For each prepaid pass you buy: the tier, the data allowance, the validity window, and its status (active / refunded / disputed).
  • To calculate tax and issue a VAT invoice, Stripe processes your billing location and address.
  • No card numbers — Stripe's hosted checkout handles those. We never see or store them.

Our legal bases

We rely on the following legal bases under the GDPR:

What we doLegal basis
Run your account and perform migrations (account data, connected-cloud credentials, migration metadata, transactional email)Performance of our contract with you (Art. 6(1)(b))
Process payments, collect billing/location data, and issue VAT invoicesPerformance of contract (Art. 6(1)(b)) and our legal obligations, including tax (Art. 6(1)(c))
Record your “begin now / 14-day withdrawal” choiceOur legal obligation to show we complied with consumer law (Art. 6(1)(c)), supported by our legitimate interest in keeping accurate records (Art. 6(1)(f))
Keep security and audit logs, triage abuse, and prevent free-tier farmingOur legitimate interests in securing and protecting the service (Art. 6(1)(f))

Where we rely on legitimate interests, we've weighed them against your rights, and you can object at any time (see Your rights).

What we do NOT store

  • File contents. We don't store your files — the bytes stream through our worker between your clouds and are never written to our disks. We do keep each file's name, path, size, and copy status as the migration history you see on your dashboard (covered above under “Your migrations”), until you delete your account — but never the contents themselves.
  • File previews, thumbnails, or extracted text.
  • Your IP address. (Server logs hold it for up to 30 days for abuse triage, then it rotates out.)
  • Ad pixels, fingerprinting, profiling, or data brokers. None — ever. We don't advertise to you or build a profile of you. For basic traffic counts we use Google Analytics, and to understand which pages confuse people we use Microsoft Clarity (which masks all your content, so it never sees file names or what you type) — both only after you accept the cookie banner, and we request no advertising storage, so neither is ever used for ads or remarketing (more under “Cookies” below). Inside the app the only other third-party script is Google's own File Picker, loaded only when you click to choose Drive files.

Who we share data with

Only the operational service providers we need to run CloudRaft — each acting solely on our instructions as a data processor, and never for advertising:

ServiceWhat they seeWhy
Supabase (database) and Fly.io (app + worker)The encrypted database, and our app's memory while a copy is running.Securely host and run the service (EU-based).
Resend (email delivery)Your email address + the sign-in / “migration done” email body.Send your sign-in links and completion notices.
Stripe (paid tier only)Your billing info — entered directly into Stripe's hosted checkout. We never see or store card numbers.Payments, tax, and VAT invoices.
Sentry (error monitoring)Crash reports with personal data scrubbed — never your file contents.Diagnose and fix problems.
Google Analytics & Microsoft Clarity (analytics — only if you accept the cookie banner)Anonymous usage: pages visited, rough region, and — for Clarity — masked page interactions. No file contents, no ads, no profiling.Count visits and see which pages help or confuse.
ImprovMX (inbound email)Any email you send to support@cloudraft.app — it forwards the message to our support mailbox.Receive support email you send us.

We never sell, rent, or trade your data. We have no advertising business and no data brokers in the loop.

Sending data outside the EU/EEA

Your account, your migration metadata, and the encrypted connection credentials are hosted in the European Union — our database with Supabase in Ireland and our app + worker on Fly.io in Amsterdam. Some of the service providers above are in the United States:

ProviderLocation
Supabase (database)EU (Ireland)
Fly.io (app + worker)EU (Amsterdam)
StripeUnited States
ResendUnited States
SentryUnited States
Google Analytics & Microsoft Clarity (analytics)United States
ImprovMX (inbound email)United States

Where data goes to the US, the transfer is protected by an appropriate safeguard under the GDPR — certification under the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, as set out in each provider's data-processing agreement. You can ask us for a copy of the relevant safeguards.

File contents are different: we don't store them. During a copy they pass between the clouds you choose (and, for WebDAV, the server you point us at), so those providers process them in whatever regions they operate.

How long we keep it

  • Migration history: kept for as long as your account exists, so you can refer back; deleted when you delete your account.
  • Audit log: 1 year, then auto-pruned.
  • Magic-link rows: consumed-or-expired in minutes.
  • Sessions: 30 days, then expired.
  • OAuth tokens / app passwords: until you disconnect the account or delete your account.
  • IP address in server logs: up to 30 days, then rotated out.
  • Payment records (with Stripe): when you delete your account, we erase your data from our systems and delete your Stripe customer profile (name, email) — best-effort; if Stripe is briefly unreachable at that moment we flag it and finish the erasure as soon as we can. Stripe keeps the bare financial record of any purchase you made — the charge and its tax details — for the period Norwegian bookkeeping law requires (about five years), because as a Norwegian company we must be able to account for our sales. It's about the transaction, not about you, and it's kept only for that legal purpose.

Your rights

You can ask us to:

  • Access a copy of your personal data
  • Correct data that's wrong or incomplete
  • Delete your data (Settings → Delete my account, or contact us)
  • Restrict or object to processing we base on legitimate interests
  • Port your data — receive it in a structured, machine-readable format
  • Withdraw consent where we relied on it (this won't affect processing we already did)

Email support@cloudraft.app and we'll respond within one month.

If you think we've mishandled your data, you can complain to your local data protection authority. In Norway that's Datatilsynet (datatilsynet.no); in the UK, the ICO (ico.org.uk); elsewhere in the EEA, your national authority. We'd appreciate the chance to put things right first, but going straight to them is your right.

How to delete your data

In-app: Settings → Delete my account. The deletion pauses + cancels any running migrations, makes a best-effort call to revoke your OAuth tokens at the providers that support it (Google, Dropbox), and removes every row of yours in our database — including your stored WebDAV app password. For WebDAV (no revocation endpoint), rotate that app password on your own server to be fully certain.

Two narrow exceptions:

  • Payment records. When you delete your account we erase your data from our database and delete your Stripe customer profile (name, email) on a best-effort basis (if Stripe is momentarily unavailable we flag it and finish as soon as we can). Stripe still keeps the financial record of any purchase — the charge and its tax details — for as long as Norwegian bookkeeping law requires (about five years), our accounting obligation as the seller. See How long we keep it.
  • Free-tier abuse prevention. If your account used the free tier, we keep a one-way fingerprint of the cloud account(s) you connected — never your email, name, or account ID in readable form. It's a pseudonymous record whose only use is to stop the free allowance from being reset by deleting and re-creating an account. We keep it for up to 24 months. Our legal basis is our legitimate interest in preventing free-tier abuse, and you can object to it at any time (support@cloudraft.app).

We also keep a single “this user was deleted at X” record (no personal data) so we can prove the deletion happened. You can request its removal too.

Children

CloudRaft is for adults (18+) and isn't directed at children. We don't knowingly collect data from children; if you believe a child has used CloudRaft, contact us and we'll delete the account.

Cookies

  • One session cookie (HttpOnly, Secure, SameSite=Lax). Required for the app to know you're signed in.
  • One OAuth state cookie during a connect flow. HttpOnly, Secure, lives for ~10 minutes, used for CSRF protection.

If you accept our cookie banner, Google Analytics and Microsoft Clarity set analytics cookies so we can count visits and see which pages help (Clarity records masked, anonymized page interactions — never your file names or what you type). Decline (or just ignore it) and neither loads — no analytics cookie is set. We use no advertising cookies and no cross-site tracking, ever, and you can change your mind any time by clearing the CloudRaft cookies in your browser.

Changes to this policy

We'll email registered users at least 30 days before any material change.

Contact

Questions: support@cloudraft.app. We aim to reply within one business day.