DriveTag Privacy Policy
Last updated: May 23, 2026
This policy describes what information DriveTag collects, how we use it, and the choices you have. It applies to the DriveTag Chrome extension, our website, and any related services we offer (collectively, "DriveTag" or "the service").
The data controller for DriveTag is Tosch Roy, sole proprietor. You can reach us at toschroy@gmail.com for any privacy question, request, or concern.
In plain English
We built DriveTag to be a thin layer over your own Google Drive. We've designed it so that the data we hold on our servers is the minimum needed to make the product work — and most importantly, we never store the contents of your Drive files, and we never store the tags you apply to specific files on our servers. Your tags live inside Drive's own metadata, accessible only to DriveTag's authorized app.
The rest of this policy explains exactly what that means.
What we collect
1. Information you give us when you sign in
When you sign in with Google to enable cross-device sync, we receive (from Google) and store:
- your email address
- your display name
- a unique identifier for your account
- the avatar URL associated with your Google profile
This is stored in our database (Supabase) so we can recognize you across devices and apply your subscription tier to your account.
2. Workspace data you create
DriveTag lets you build a library of "saved tags" and "tag categories" that appear as quick-add chips in the sidebar. These are stored in our database, scoped to your workspace (org). If you invite teammates later, they'll see the same library.
This includes:
- the text of each saved tag
- the name, color, and ordering of each category
- which tags belong to which category
- timestamps for when entries were created or modified
3. Subscription information (if you upgrade)
If you purchase a paid plan, our payments processor (LemonSqueezy) handles the transaction. We never see or store your card details. From LemonSqueezy we receive and store:
- your subscription's external ID, status, and current billing period
- the tier and seat count you've subscribed to
- the timestamps of subscription lifecycle events (created, renewed, cancelled, expired)
- a copy of the raw webhook payload from LemonSqueezy, for audit and debugging
LemonSqueezy's own privacy policy governs what they collect from you during checkout: https://www.lemonsqueezy.com/privacy
4. Local data on your device
The DriveTag extension stores some information on your computer using Chrome's local storage. This data never leaves your browser unless you sign in (see "Sync" below). It includes:
- your sidebar preferences (which file types show DriveTag, sort order, layout, etc.)
- a local index of your tagged files, used to make search instant
- the current folder you have open in Drive (used by the share feature)
- your Supabase session token (if signed in), so you don't have to sign in again every time
Removing the extension or running "Clear browsing data" wipes this.
5. Information we receive from Google Drive
To make DriveTag work, our extension uses the Google Drive API to:
- list files in your Drive so we can find files that already have DriveTag tags
- read file metadata (name, MIME type, thumbnail link, modified time, etc.) for the file you're currently viewing or for files in your search results
- read and write a Drive-managed metadata field called appProperties on the files you tag
appProperties is a per-application field in Drive. Tags stored there are only readable by DriveTag — not by other apps, not by other Drive users, and not by Google to other parties.
We do not read the contents of your files, only their metadata.
6. Diagnostic logs
Like most services, our backend (Supabase) logs technical information about requests, including timestamps, the operation performed, and the IP address the request came from. These logs are retained per our hosting provider's defaults (currently 7 days for Supabase) and are used only to investigate errors, abuse, or security incidents.
What we don't collect
- The contents of any Drive file (documents, spreadsheets, images, PDFs, etc.)
- File names or other Drive metadata on our servers (these are processed in your browser and never sent to our backend)
- Which specific files you've tagged, or which tags are on which file (those associations live in Drive's appProperties, not in our database)
- Your browsing history
- Behavioral analytics, telemetry, or tracking pixels
- Data about anyone other than the person signed in to DriveTag
We do not buy data about you from data brokers, and we do not sell or rent any data we collect.
How we use what we collect
We use the information described above only to:
- Operate the DriveTag service (sign you in, sync your saved tags across devices, apply your subscription tier)
- Process payments through LemonSqueezy and keep your subscription status up to date
- Respond to support requests you send us
- Investigate security incidents, debug errors, and prevent abuse
- Comply with legal obligations when required
We do not use your information for advertising, profiling, or training machine-learning models.
Google API Services User Data Policy
DriveTag's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to Google Workspace APIs we access (Drive metadata, Drive file content via drive.file, and drive.readonly):
- We use the data only to provide the user-facing features of DriveTag (tagging and searching files you own or have access to).
- We do not transfer this data to third parties except as necessary to provide or improve the user-facing features (for example, our hosting provider), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use this data for serving ads.
- We do not allow humans to read this data unless you give us specific consent, it is necessary for security reasons (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized in a way that does not personally identify you.
Where your data goes (sub-processors)
We use the following third-party services to operate DriveTag. Each has its own privacy policy and security practices:
| Provider | What they do for us | Where data goes | Their policy |
|---|---|---|---|
| Google | OAuth + Drive API | Google data centers | policies.google.com/privacy |
| Supabase | Hosted database and auth | AWS US-East-2 (Ohio) | supabase.com/privacy |
| LemonSqueezy | Subscription billing + checkout | LemonSqueezy infrastructure (EU/US) | lemonsqueezy.com/privacy |
If we add or remove a sub-processor we'll update this list.
How long we keep it
- Account information (email, name, workspace memberships): kept as long as your account is active. Deleted within 30 days of an account-deletion request.
- Saved tags and categories: kept as long as your workspace is active. You can delete individual entries any time from the Settings tab.
- Subscription records: kept for as long as required by tax and accounting law (typically 7 years), even after you cancel.
- Diagnostic logs: per the retention windows set by our hosting provider (currently 7 days at Supabase).
Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and the data associated with it
- Export your saved tags in a portable format (JSON)
- Object to or restrict certain processing
To exercise any of these rights, email toschroy@gmail.com from the address associated with your account. We'll respond within 30 days. We won't charge you for any of this, and we won't discriminate against you for asking.
Residents of the European Economic Area (EEA) and the United Kingdom: the legal basis we rely on to process your data is your consent (for sign-in) and the performance of our contract with you (for delivering the service you're paying for). You have the right to lodge a complaint with your local data protection authority if you believe we've mishandled your data.
Residents of California: you have the rights described above plus those granted by the California Consumer Privacy Act (CCPA), including the right to know what information we've collected and the right to opt out of "sale" of personal information. We do not sell personal information.
Cookies and local storage
The DriveTag extension uses Chrome's local storage (a per-extension key/value store) to hold the data described in section 4 above. It does not set cookies on third-party websites and does not use tracking pixels.
The DriveTag website (if any) may use cookies for basic functionality (such as remembering whether you're signed in to read documentation). We'll update this policy if that changes.
Children
DriveTag is not directed at children under 13 (or under 16 in the EEA/UK). We don't knowingly collect information from anyone in that age group. If you believe a child has provided information to us, email toschroy@gmail.com and we'll delete it.
International transfers
DriveTag is operated from the United States. If you access the service from outside the US, your information will be transferred to and stored in the US. By using DriveTag you consent to that transfer. We rely on standard contractual clauses or equivalent safeguards with our sub-processors where required by law.
Security
We use industry-standard practices to protect your data: TLS in transit, encryption at rest (handled by Supabase), Row-Level Security policies that scope every database read to your workspace, and the minimum-necessary principle for any data we store. No system is perfectly secure — if we discover a breach that affects you, we'll notify you within the timeframe required by applicable law.
Changes to this policy
If we make material changes to this policy, we'll update the "Last updated" date at the top and, when the change is significant, notify you via email or an in-app notice before it takes effect. Continued use of DriveTag after a change means you accept the updated policy.
Contact
Questions, requests, or feedback about this policy or our privacy practices:
Tosch Roy
toschroy@gmail.com