Privacy Policy

This Privacy Policy explains how Uploom ("Uploom," "we," "us," or "our") collects, uses, and safeguards information when you use our unified cloud storage gateway and S3-compatible API (collectively, the "Service"). By using the Service, you agree to the practices described below.

1. Our Role as a Routing Gateway

Uploom operates as an intelligent routing gateway between you and the cloud storage providers you choose to connect. We do not function as a primary storage provider. When you upload, download, or otherwise interact with files through the Service, your data is transferred over encrypted channels directly between you and your connected providers (such as Google Drive, Dropbox, Mega, or any S3-compatible bucket you supply).

Uploom does not permanently store your raw files on our servers. Files may be held transiently in memory or on disk only for the duration required to complete an active transfer, perform multipart upload assembly, or service an in-flight S3 API request. Transient data is discarded as soon as the operation completes or fails.

2. Information We Collect

2.1 Account Information

When you create an Uploom account, we collect your name, email address, and authentication credentials. If you sign in via a third-party identity provider, we receive the basic profile information that provider exposes.

2.2 Connected Provider Credentials

To route traffic to your storage providers, we collect the credentials necessary to access the providers you choose to connect. For Google Drive, Dropbox, and other OAuth-supported providers, we exchange the OAuth authorization flow for access and refresh tokens — Uploom never sees or stores your provider passwords. For S3-compatible buckets, Mega, and similar services that issue API keys, we collect the access keys you supply.

2.3 Operational Metadata

We collect file metadata required to render the unified dashboard and route requests, including object keys, sizes, content types, last-modified timestamps, and the destination provider for each object. We also collect usage logs (API endpoints called, request timestamps, IP addresses, and error codes) for security, billing, and abuse detection.

3. How We Handle OAuth Tokens and API Keys

OAuth access and refresh tokens issued by Google Drive, Dropbox, and similar providers are encrypted at rest using authenticated encryption with a per-tenant key. Tokens are decrypted only in memory at the moment a routed request requires them, and the plaintext is never written to disk or logs.

API keys for S3-compatible providers, Mega, and similar services follow the same encryption-at-rest model. You may revoke any connected provider at any time from your Uploom dashboard, which deletes the associated tokens and keys from our systems and terminates further routing to that provider.

4. How We Use Information

We use the information described above to operate the Service: authenticating users, routing API and dashboard requests to your connected providers, displaying file listings, enforcing routing rules and quotas, billing your account, providing technical support, and detecting abuse or security incidents. We do not sell your personal information or your file metadata to third parties, and we do not use your file contents to train machine-learning models.

5. Sharing With Third Parties

We share information with third parties only as needed to provide the Service: with the cloud storage providers you have connected (necessarily, in order to route your requests), with infrastructure and analytics vendors operating under contractual confidentiality and data-processing terms, and where required by law or to protect the rights and safety of Uploom and its users.

6. Data Security

We encrypt data in transit using TLS, encrypt credentials and tokens at rest, isolate tenant data, and apply principle-of-least-privilege access controls to internal systems. No method of transmission or storage is perfectly secure, but we work to maintain industry-standard safeguards and to disclose incidents promptly where required.

7. Data Retention

Account information, connected-provider credentials, and operational metadata are retained for as long as your account is active. When you delete a connected provider, its credentials are removed promptly. When you delete your Uploom account, we delete your account data within thirty (30) days, except where retention is required to satisfy legal, audit, or fraud-prevention obligations.

8. Your Rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can exercise most of these rights directly from your dashboard or by contacting us at the address below.

9. International Transfers

Uploom operates from data centers in multiple regions. By using the Service you acknowledge that your information may be processed in countries other than your own, subject to appropriate safeguards.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will notify account holders by email or in-product notice before the changes take effect.

11. Contact Us

Questions about this Privacy Policy or our data practices may be sent to info@uploom.app.