Privacy
CloudRaft moves files between cloud providers on your behalf. We try to handle as little of your data as we possibly can. This page tells you exactly what we do handle, and why.
What we store
Your account
- Email address.
- Hashed session tokens.
- Sign-in attempts (timestamped, no IP).
Your connected accounts
- OAuth access + refresh tokens for each provider you connect (Google Drive, Dropbox, OneDrive). Encrypted at rest with AES-GCM. We never see your password and never ask for it.
- The provider's stable account identifier. Not your name, not your profile photo.
What permissions we ask for, and why each one
We deliberately request the narrowest scope each provider offers. We never ask for "full drive" or anything similar.
| Provider | Scope we request | What that means |
|---|---|---|
| Google Drive | drive.file (https://www.googleapis.com/auth/drive.file) | Read and write only the files you picked in the Google Picker and the files and folders we created ourselves. We can't see anything else in your Drive: not filenames, not folder structure, nothing. (We do not request drive or drive.readonly, which would give us access to everything.) |
| Dropbox | files.content.read + files.content.write (App folder type) | Read and write only inside the /Apps/CloudRaft folder Dropbox creates for us. We have zero access to anything else in your Dropbox. |
| Microsoft OneDrive (coming) | Files.ReadWrite (delegated) + offline_access | Files.ReadWrite is broader than the two scopes above: it grants read/write access to every file the signed-in user can reach, not only files chosen in a picker, so it is not the same shape as Google's drive.file. offline_access only lets us refresh the token without asking you to sign in again. Microsoft does offer narrower delegated scopes (Files.ReadWrite.AppFolder for an app-specific folder, Files.ReadWrite.Selected for user-selected files). Final scope locked in before the OneDrive provider ships. |
If you disconnect a provider in the CloudRaft settings, we call that provider's revocation endpoint immediately and delete the encrypted tokens from our database.
Your migrations
- A list of files you asked us to move: source ID, source path, size in bytes, destination ID once written. We do not store file contents.
- Counters for each migration (verified count, set-aside count, bytes verified) for the progress bar.
- An audit-log row for each meaningful event (migration created, started, finished, failed, OAuth connected, OAuth disconnected).
Your billing (when paid tiers ship)
- A Stripe customer ID.
- Subscription state (free / paid).
- No card numbers — Stripe handles all of that. We never see them.
What we do NOT store
- File contents. Files stream from the source provider to the destination provider through our worker, never to disk, never to long-term storage. Once a file is copied and verified, all that remains of it on our side is the migration row above (IDs, path, size in bytes); its bytes are gone from memory.
- File previews, thumbnails, or extracted text.
- Your IP address. Server request logs hold it briefly for abuse triage and then rotate out; it is never attached to your account, your sign-in attempts or your migrations.
- Browser fingerprints, analytics events, pixels, or any third-party tracker. Our marketing pages and our app load zero third-party scripts.
Who we share data with
Only the operational vendors we need to function:
| Vendor | What they see | Why |
|---|---|---|
| Supabase | Our Postgres database, encrypted at rest. | Hosted database. |
| Fly.io | Our app + worker process memory. | Hosting. |
| Resend | Your email address + the magic-link email body. | Sign-in emails. |
| Stripe (paid tier only) | Your billing info — entered directly into Stripe's hosted checkout. | Payments. |
| Sentry (when wired up) | Crash reports with PII scrubbed. | Error monitoring. |
We never sell, rent, or trade your data. We have no advertising business and no data brokers in the loop.
Where the data lives
Primary region: Amsterdam (Fly.io ams). The Postgres database is hosted in the same region by Supabase.
How long we keep it
- Migration history: kept indefinitely as long as your account exists, so you can refer back. Delete your account to remove it.
- Audit log: 1 year, then auto-pruned.
- Magic-link rows: consumed or expired within minutes.
- Sessions: 30 days, then expired.
- OAuth tokens: until you disconnect the account or delete your account.
How to delete your data
In-app: Settings → Delete my account. The deletion pauses + cancels any running migrations, revokes your OAuth tokens at each provider, cancels any active Stripe subscription, and removes every row of yours in our database.
We keep a single "this user was deleted at X" record (no PII) so we can prove the deletion happened. You can request its removal too.
Cookies
- One session cookie (HttpOnly, Secure, SameSite=Lax). Required for the app to know you're signed in.
- One OAuth state cookie during a connect flow. HttpOnly, Secure, lives for ~10 minutes, used for CSRF protection.
No analytics cookies. No third-party cookies. No banner because we have nothing to ask consent for beyond what's strictly necessary to make the service work.
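What the OAuth state cookie does during a connect flow, as an added example that is not CloudRaft's code. It assumes a cookie name (cr_oauth_state), a callback path (/oauth/callback) and a SameSite=Lax setting that the page does not specify; the 10-minute lifetime and the HttpOnly and Secure flags are the ones the page states. The state is generated when the connect flow starts, pinned in the cookie, and the provider's callback is accepted only if the state it carries matches that cookie.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed names for the example; the page does not name them.
const (
	stateCookieName = "cr_oauth_state"
	callbackPath    = "/oauth/callback"
	stateTTL        = 10 * time.Minute
)

// beginConnect mints a random state, pins it in a short-lived HttpOnly
// cookie and returns it so the caller can put it in the provider's
// authorize URL as the state parameter.
func beginConnect(w http.ResponseWriter) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(raw)
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookieName,
		Value:    state,
		Path:     callbackPath, // only sent back to the callback route
		MaxAge:   int(stateTTL.Seconds()),
		HttpOnly: true,
		Secure:   true,
		// Lax, not Strict: the provider redirects the browser here with a
		// top-level GET, and a Strict cookie would not accompany it.
		SameSite: http.SameSiteLaxMode,
	})
	return state, nil
}

// verifyCallback accepts the callback only if ?state= matches the cookie
// set by beginConnect, then clears the cookie so the browser stops
// sending that state.
func verifyCallback(w http.ResponseWriter, r *http.Request) error {
	c, err := r.Cookie(stateCookieName)
	if err != nil {
		return errors.New("no state cookie: connect flow did not start in this browser")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state mismatch: possible CSRF or replayed callback")
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookieName, Value: "", Path: callbackPath, MaxAge: -1,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	return nil
}

func main() {
	// Stand-alone walk-through using httptest in place of a real browser.
	rec := httptest.NewRecorder()
	state, _ := beginConnect(rec)
	cookie := rec.Result().Cookies()[0]

	good := httptest.NewRequest("GET", callbackPath+"?state="+state+"&code=x", nil)
	good.AddCookie(cookie)
	fmt.Println("genuine callback:", verifyCallback(httptest.NewRecorder(), good))

	forged := httptest.NewRequest("GET", callbackPath+"?state=attacker&code=x", nil)
	forged.AddCookie(cookie)
	fmt.Println("forged callback:", verifyCallback(httptest.NewRecorder(), forged))
}
```

The attack this blocks: an attacker starts a connect flow with their own provider account, captures the callback URL, and gets a victim to open it, which would link the attacker's cloud account to the victim's CloudRaft session. Because the victim's browser holds no matching state cookie (the flow never started there), the callback is rejected.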
Changes to this policy
We'll email registered users at least 30 days before any material change.
Contact
Questions: support@cloudraft.app. We aim to reply within one business day.