Privacy Policy

What We Collect

When you connect a Google account, Nephos receives and stores only your Google account email address, display name, avatar URL, and storage quota information. We use this to identify your account in the UI and display storage usage.

What We Do NOT Store

File contents are never stored on Nephos servers. When you browse, move, or download files, they pass through our servers transiently to facilitate the operation and are never written to disk or retained after the request completes.

OAuth access tokens and refresh tokens are never logged, never shared with third parties, and never accessible to client-side JavaScript.

How Tokens Are Handled

Your Google OAuth tokens are encrypted with AES-256-GCM using a server-side key and stored in httpOnly cookies. This means they are:

Inaccessible to any JavaScript running in the browser
Never visible in browser developer tools
Never sent in URL parameters or request bodies
Automatically deleted when you disconnect an account
Set with a 30-day expiry and refreshed automatically on use

Third-Party Services

Google OAuth 2.0 — used for authentication and Drive API access. Governed by Google's Privacy Policy.
Paddle — used for payment processing. Paddle is the Merchant of Record and handles all billing, taxes, and invoices on our behalf. Nephos does not store your payment card details — these are handled entirely by Paddle. Governed by Paddle's Privacy Policy.
Vercel — used for hosting. Server logs may include IP addresses and request metadata as part of standard infrastructure operation.

Data Deletion

Disconnecting an account from Nephos immediately deletes all encrypted tokens associated with that account from your browser cookies. No residual token data is retained on our servers. Your Google Drive files and data remain unchanged in Google's systems.

Contact

For privacy questions or data requests, contact us at privacy@nephos.app.