Cloudstic

Privacy Policy

Last updated: March 1, 2026

1. Introduction

Cloudstic ("we", "us", or "our") operates the cloudstic.com website and the Cloudstic cloud backup service (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.

2. Information We Collect

We collect the minimum information necessary to provide and improve the Service:

  • Account information — your email address, provided during sign-up.
  • Authentication credentials — passkey public keys used for passwordless sign-in. We never store passwords.
  • Connected accounts — OAuth tokens for services you connect (e.g. Google Drive). These tokens are encrypted at rest and used solely to perform backups on your behalf.
  • Google user data — when you connect your Google account, we request the following OAuth scopes: userinfo.email, userinfo.profile, and drive.readonly. Through these scopes we access your Google account email address, display name, and read-only access to your Google Drive files — including file contents, file names, folder structure, sizes, MIME types, and modification dates. We do not request write access to your Google Drive.
  • Backup metadata — file names, sizes, and modification dates necessary to manage your backups. This metadata is encrypted before storage.
  • Usage data — backup frequency, storage consumption, and general Service usage to maintain and improve reliability.
  • Payment information — processed by Stripe. We do not store credit card numbers or bank details on our servers.

3. How We Use Your Information

We use your data to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and secure your account
  • Perform backups and restores from your connected sources
  • Process payments and manage your subscription
  • Send transactional emails (e.g. backup failures, account changes)
  • Monitor and improve Service performance and reliability

4. Google API Services — Limited Use Disclosure

Cloudstic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only access Google Drive data that you explicitly authorize via the drive.readonly OAuth scope. We never request write access.
  • We use Google Drive data solely to create and manage encrypted backups on your behalf. The processing pipeline is: (1) files are read from your Google Drive, (2) encrypted client-side with your account's unique AES-256-GCM key, (3) deduplicated, and (4) stored as encrypted blobs in our cloud storage. Plaintext file contents are never persisted on our servers.
  • We do not use Google Drive data for advertising, market research, or any purpose unrelated to the backup functionality you requested.
  • We do not share Google Drive data with third parties except as necessary to provide the Service (e.g. encrypted storage infrastructure that only receives encrypted blobs).
  • Human access to Google Drive data is limited to debugging and support at your request, security investigations, or legal compliance — and only when strictly necessary.

5. Data Storage & Protection

We take the security of your data seriously. The following measures are in place to protect your information:

  • Encryption — all backup data (file contents and metadata) is encrypted using AES-256-GCM before it leaves your session. Each account has its own unique encryption key. We cannot read the contents of your backups.
  • Token encryption — OAuth tokens for connected services are encrypted at rest using separate application-level keys.
  • Storage infrastructure — encrypted backup blobs are stored in S3-compatible cloud storage. The storage provider only receives encrypted data and cannot access plaintext content.
  • Access controls — all data is tenant-isolated at the database level using row-level security. Administrative access to production systems is restricted and logged.
  • Transport security — all data in transit is protected by TLS. Connections to third-party APIs (Google, Stripe) use HTTPS exclusively.

6. Data Sharing

We do not sell your personal information. We share data only with:

  • Stripe — for payment processing.
  • Cloud infrastructure providers — for encrypted data storage. These providers only receive encrypted blobs and cannot access your plaintext data.

We may disclose information if required by law or to protect our rights, safety, or property.

7. Data Retention & Deletion

We retain your data only as long as necessary to provide the Service:

  • Account data — retained while your account is active. When you delete your account, all personal information, backups, encryption keys, and OAuth tokens are permanently deleted within 30 days. Deletion is irreversible.
  • Backup data — encrypted backups are retained according to the retention policy you configure (e.g. number of snapshots to keep). You can delete individual backups or all backups at any time from your dashboard.
  • Google data on OAuth revocation — if you disconnect your Google account or revoke OAuth access (either from your Cloudstic settings or from your Google account), we immediately delete the stored OAuth tokens. Your existing encrypted backups remain available until you explicitly delete them or your account, but no new data will be read from Google.
  • Requesting deletion — you can delete your account and all associated data from your account settings page. Alternatively, you can email support@cloudstic.com to request deletion and we will process your request within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and all associated data
  • Revoke access to connected services at any time
  • Export your backups before account deletion

You can exercise these rights from your account settings or by contacting us at support@cloudstic.com.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the email associated with your account. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, please contact us at support@cloudstic.com.