ONEDRIVE PRIVACY POLICY

This document describes how Cloud Storage ("we", "us", "our", the "App") accesses, uses, stores, and shares Microsoft OneDrive user data when a user connects their OneDrive account through our Cloud Drives feature. It supplements our main Privacy Policy.

1. Who We Are

Cloud Storage is a cloud file storage platform available at https://cloudstorage.bar. We allow users to import files from third-party cloud storage providers (including Microsoft OneDrive) into their Cloud Storage account.

2. Compliance with Microsoft Terms

Our use of Microsoft Graph and OneDrive APIs complies with the Microsoft APIs Terms of Use and the Microsoft Privacy Statement. We will not use OneDrive data in any way that violates Microsoft's policies.

3. Permissions Requested

When a user connects their OneDrive account, we request the following Microsoft Graph permissions:

• Files.Read — read access to the user's OneDrive files (needed to list and import files)
• Files.ReadWrite — required by the underlying rclone library; we do not use it to write back to the user's OneDrive in normal operation
• offline_access — allows refresh tokens so the user does not have to re-authorize every hour

Why these permissions are needed: the user must be able to browse their OneDrive folders and select files for import. The offline_access token enables long-running folder imports without forcing the user to be present.

4. What OneDrive Data We Access

Only files and folder metadata that the user explicitly browses or selects for import. Specifically:

• File and folder names, sizes, modification dates, and folder structure — fetched on demand when the user opens a folder in our Cloud Drives browser
• File contents — only when the user clicks "Import" on a specific file or folder. The file is streamed directly from OneDrive into the user's Cloud Storage storage
• The user's Microsoft account email/username — used only as the display label for the connected drive

5. How We Store OneDrive Data

• OAuth tokens (access token + refresh token) are stored in our database and used solely to make subsequent rclone API calls on the user's behalf
• File contents are streamed directly through our server and stored in the user's Cloud Storage account on our backend storage. After import, the file is treated like any other file the user uploaded directly
• We do not retain OneDrive file IDs, paths, or metadata beyond the import operation
• We do not cache or index OneDrive content not actively being imported

6. Data Retention

• OAuth tokens are kept until the user disconnects the drive or deletes their Cloud Storage account
• Imported files follow the Cloud Storage main retention policy — the user controls them and can delete them at any time
• Microsoft refresh tokens typically expire after 90 days of inactivity

7. Sharing and Disclosure

We do not sell, share, or transfer OneDrive user data to any third party. Specifically:

• We do not share OneDrive data with advertising networks, data brokers, or analytics providers
• We do not use OneDrive data to train AI/ML models
• The only "transfer" that occurs is the user-initiated copy of selected files from their OneDrive into their own Cloud Storage storage account
• We may disclose OneDrive data only when required by valid legal process or to investigate abuse / security incidents

8. Security

OAuth tokens are stored securely. All connections to Microsoft APIs use HTTPS. Access to our database is restricted to authorized personnel and audited. We follow industry-standard security practices.

9. How to Revoke Access and Delete Data

• In-app: open Cloud Drives in Cloud Storage, click the trash icon next to the connected OneDrive entry. This deletes the OAuth tokens from our database immediately
• From Microsoft: visit https://account.live.com/consent/Manage (personal accounts) or your tenant's app consent page (work/school accounts), find Cloud Storage, and revoke access
• Full account deletion: deleting your Cloud Storage account removes all OAuth tokens and associated data
• By email: contact us using the address below to request manual deletion of any data we hold

10. Children's Privacy

Cloud Storage is not directed to children under 13. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this OneDrive Privacy Policy from time to time. Material changes will be reflected in the "last updated" date below.

12. Contact

For questions about this policy, to request data deletion, or to report a security concern, please use the contact options on the main Cloud Storage website (https://cloudstorage.bar).

Last updated: 2026-04-07