Privacy Policy

Last updated: May 3, 2026

What We Collect

When you connect a Google account, Nephos receives and stores only your Google account email address, display name, avatar URL, and storage quota information. We use this to identify your account in the UI and display storage usage.

What We Do NOT Store

File contents are never stored on Nephos servers. When you browse, move, or download files, they pass through our servers transiently to facilitate the operation and are never written to disk or retained after the request completes.

OAuth access tokens and refresh tokens are never logged, never shared with third parties, and never accessible to client-side JavaScript.

Data Security & Protection Mechanisms

Nephos applies multiple layers of security to protect sensitive data at every stage — in transit, during server-side processing, and at rest in cookies. The following mechanisms are in place:

Encryption in Transit (TLS/HTTPS)

All communication between your browser and Nephos servers is encrypted using TLS (Transport Layer Security). This applies to every request: account connections, file listings, file uploads, downloads, moves, searches, and all API calls. In production, any plain-HTTP request is permanently redirected (HTTP 301) to its HTTPS equivalent before being processed, so no request is ever handled over an unencrypted connection. The server also sets a Strict-Transport-Security header (2-year max-age, includeSubDomains, preload) so that, after the first visit, browsers upgrade to HTTPS themselves and do not send the plain-HTTP request at all.

Google Drive File Data

When you browse, preview, move, or upload files, Nephos communicates directly with the Google Drive API on your behalf using your authorized OAuth tokens. File contents that must pass through Nephos servers (for example, during a cross-account file transfer) are:

  • Transferred exclusively over TLS-encrypted connections
  • Held only in server memory for the duration of the operation
  • Never written to disk, logged, cached, or stored in any database
  • Immediately discarded once the operation completes or fails
  • Never shared with any third party other than the destination Google account you specify

File metadata (names, sizes, MIME types, modification dates) is fetched live from Google's API on each request and is not persisted on Nephos servers beyond the lifetime of the HTTP response.

OAuth Token Encryption at Rest

Google OAuth access tokens and refresh tokens are stored in encrypted httpOnly browser cookies using AES-256-GCM, a symmetric authenticated encryption algorithm. Each token payload is encrypted under a fresh random initialization vector (IV), and the resulting authentication tag lets the server detect any modification of the cookie. The encryption key is a 32-byte secret stored exclusively as a server-side environment variable; it is never embedded in client-side code or exposed in any response, so the cookie is opaque ciphertext to the browser and to anyone who obtains a copy of it. A cookie that fails to decrypt or authenticate is rejected and treated as unauthenticated, and you are asked to reconnect.

Token Isolation from Client-Side Code

OAuth tokens are stored in httpOnly cookies, so JavaScript running in the page, including third-party scripts the page loads, cannot read them through document.cookie or similar APIs. (The httpOnly flag restricts page scripts, not the browser itself: browser extensions granted the cookies permission and the browser's developer tools can still see the cookie. Even then, what they see is only ciphertext; the plaintext token never leaves the server.) Tokens are never placed in localStorage, sessionStorage, URL parameters, request or response bodies, or any other JavaScript-accessible location. All token operations (reading, refreshing, invalidating) happen exclusively on the server.

Minimum Necessary Access (Scope Minimization)

Nephos requests only the Google OAuth scopes strictly required to operate the file manager: access to your Google Drive files and your basic Google profile (name, email, avatar). No other Google services or data sources are accessed. Within Drive, Nephos only reads, creates, modifies, or deletes files in response to your explicit actions in the interface — it does not perform any background scanning, indexing, or processing of your Drive contents.

Server-Side Access Controls

Every API endpoint that interacts with Google Drive verifies your identity server-side before processing a request. The server reads your encrypted token cookie, verifies its authentication tag, decrypts it, checks that it belongs to the account specified in the request, and proactively refreshes expiring tokens. Only the encrypted cookie ever travels between your browser and the server; no plaintext token value is transmitted to or from your browser. If token validation fails for any reason, the request is rejected and you are prompted to reconnect your account.

Rate Limiting & Abuse Prevention

All API routes are protected by server-side rate limiting keyed to your IP address. Authentication endpoints are limited to 5–10 requests per minute; Drive API endpoints are limited to 100 requests per minute. This limits the impact of credential stuffing, token brute-force attempts, and other automated abuse.
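An added example of per-IP rate limiting with the two tiers the policy describes (written for this page, not Nephos's own code): a sliding-window-log limiter, which enforces the limit exactly rather than allowing a double burst at a fixed-window boundary, plus the client-IP extraction that every IP-keyed limiter depends on. The route prefixes, the 10-per-minute figure for the authentication tier, and the single trusted proxy hop are assumptions.

```javascript
'use strict';

// Sliding-window-log limiter: for each key it keeps the timestamps of requests inside the
// window, so "N per minute" means at most N in any 60-second span, not per calendar minute.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending array of request timestamps (ms)
  }

  // Record one request for `key` and report whether it is allowed.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const times = this.hits.get(key) || [];
    while (times.length && times[0] <= cutoff) times.shift(); // drop entries that left the window
    if (times.length >= this.limit) {
      this.hits.set(key, times);
      // The oldest entry leaves the window at times[0] + windowMs; that is when one slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: times[0] + this.windowMs - now };
    }
    times.push(now);
    this.hits.set(key, times);
    return { allowed: true, remaining: this.limit - times.length, retryAfterMs: 0 };
  }

  // Forget keys with no requests in the window so memory does not grow with every IP ever seen.
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.hits) {
      if (!times.length || times[times.length - 1] <= cutoff) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Two tiers with the limits the policy states (10/min taken as the auth figure); prefixes assumed.
const WINDOW_MS = 60_000;
const LIMITS = {
  auth: new SlidingWindowLimiter(10, WINDOW_MS),
  drive: new SlidingWindowLimiter(100, WINDOW_MS),
};
function limiterFor(pathname) {
  return pathname.startsWith('/api/auth/') ? LIMITS.auth : LIMITS.drive;
}

// Client IP. A client can prepend anything to X-Forwarded-For, but each trusted proxy appends
// the address it saw, so with N trusted hops the real client is the Nth entry from the right.
// With no trusted proxy only the socket address is believable.
function clientIp(headers, socketAddress, trustedProxies = 0) {
  const xff = headers['x-forwarded-for'];
  if (trustedProxies > 0 && typeof xff === 'string' && xff.length) {
    const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
    const idx = parts.length - trustedProxies;
    if (idx >= 0) return parts[idx];
  }
  return socketAddress;
}

const TRUSTED_PROXIES = 1; // assumption: one reverse-proxy hop in front of the app

// Gate one request: { status: 200 } to proceed, or { status: 429 } with Retry-After when over limit.
// `req` is a minimal constructed shape { pathname, headers, socketAddress }, not a framework object.
function rateLimit(req, now = Date.now()) {
  const ip = clientIp(req.headers, req.socketAddress, TRUSTED_PROXIES);
  const limiter = limiterFor(req.pathname);
  const verdict = limiter.check(ip, now);
  const headers = {
    'X-RateLimit-Limit': String(limiter.limit),
    'X-RateLimit-Remaining': String(verdict.remaining),
  };
  if (!verdict.allowed) {
    headers['Retry-After'] = String(Math.ceil(verdict.retryAfterMs / 1000));
    return { status: 429, headers };
  }
  return { status: 200, headers };
}
```

The in-memory Map is per process. On serverless hosting each function instance keeps its own counters, so a limit that must hold globally needs the timestamps (or a counter) in a shared store; the check and retry-after arithmetic stay the same. Keying on IP also means users behind one NAT or corporate proxy share a budget, which is the usual trade-off of this design.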

Security Headers

Every response from Nephos includes the following HTTP security headers to protect against common web vulnerabilities:

  • Strict-Transport-Security — instructs browsers to always use HTTPS for 2 years, across all subdomains, with HSTS preload eligibility
  • X-Frame-Options: DENY — prevents clickjacking by blocking the app from being embedded in iframes
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information sent to third parties
  • Permissions-Policy — disables access to camera, microphone, and geolocation APIs
  • Content-Security-Policy — restricts which origins can load scripts, styles, and frames, reducing the impact of XSS and data injection attacks

Google API Services — Limited Use Disclosure

Nephos's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Data obtained via Google APIs is used only to provide and improve the Nephos file management service that you explicitly requested. It is not used for advertising, profiling, or any purpose unrelated to operating the app.
  • Google user data is never transferred to third parties except as necessary to operate the service (e.g., routing a file to a destination Google Drive account you select), or as required by law.
  • Google user data is never used or transferred for purposes that violate Google's policies, including selling data, using data to determine creditworthiness, or using data for lending purposes.
  • Humans at Nephos do not read your Google Drive files or data unless you explicitly provide access for support purposes or as required by law.

Third-Party Services

  • Google OAuth 2.0 — used for authentication and Drive API access. Governed by Google's Privacy Policy.
  • Paddle — used for payment processing. Paddle is the Merchant of Record and handles all billing, taxes, and invoices on our behalf. Nephos does not store your payment card details — these are handled entirely by Paddle. Governed by Paddle's Privacy Policy.
  • Vercel — used for hosting. Server logs may include IP addresses and request metadata as part of standard infrastructure operation.

Data Deletion

Disconnecting an account from Nephos immediately deletes the encrypted token cookie for that account from your browser. Because tokens are held only in that cookie, no residual token data remains on our servers. Your Google Drive files and data remain unchanged in Google's systems. Note that removing the cookie removes Nephos's copy of the tokens; the underlying authorization grant is managed in your Google account's third-party access settings, where you can revoke Nephos's access at any time.

Contact

For privacy questions or data requests, contact us at privacy@nephos.app.
