Privacy Policy for Foldly.com

Effective Date: March 23, 2026

Foldly.com (“we,” “our,” or “us”) respects your privacy and is committed to protecting the information you share with us. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services, including when you connect third-party accounts such as Google Gmail.

1. Information We Collect

When you use Foldly.com, we may collect the following types of information:

  • Account Information: Your name, email address, and authentication credentials managed through our authentication provider (Clerk).
  • Uploaded Files: Any files you upload directly or that are uploaded to your shareable links by external users. Files are stored securely in cloud storage and associated with your workspace.
  • Email Uploader Identity: When external users upload files via your shareable links, we collect their email address to track file provenance.
  • Usage Data: We automatically collect information about your interactions with our site, including IP address, browser type, device information, and pages visited.
  • Cookies and Tracking: We use cookies and similar technologies to maintain sessions, manage editor verification state, and improve functionality.

2. Google User Data

If you choose to connect your Gmail account, Foldly accesses your Google user data through the Gmail API with the gmail.readonly scope (read-only access). This section describes exactly what data is accessed, why, and how it is handled.

What Google data we access

  • Email headers: Sender name and address, recipient addresses, subject line, and date for each email that contains attachments.
  • Body preview: A short plain-text preview of the email body (up to 500 characters) to provide context for imported attachments.
  • Attachment file contents: The binary content of file attachments (e.g., PDFs, documents, images) attached to your emails.
  • Message identifiers: Gmail message IDs and thread IDs used for deduplication to avoid importing the same attachment twice.

Why we access this data

  • To import file attachments from your inbox into your Foldly workspace.
  • To provide email context (sender, subject, date, body preview) alongside imported files.
  • To classify, summarize, and auto-file imported documents using AI.
  • To deduplicate imports and avoid processing the same email or attachment more than once.

How Google data is stored

  • Attachment files are stored in your workspace's cloud storage (Supabase Storage or Google Cloud Storage) and treated identically to files uploaded directly.
  • Email metadata (sender, subject, date, body preview, message IDs) is stored in our database to provide context and prevent duplicate imports.
  • Email body text beyond the 500-character preview is not stored.
  • OAuth tokens (access token and refresh token) are encrypted at rest using AES-256-GCM and stored in our database. They are used solely to maintain your Gmail connection.

AI processing of Google data

Imported attachments may be processed by AI services for classification (document type detection), summarization, data extraction, and automated filing. AI processing results are stored alongside your files in the database. AI providers used include NVIDIA NIM and, when configured, Google Gemini, Moonshot Kimi, or Anthropic Claude via the Vercel AI Gateway. File content is sent to these providers for processing via their APIs. Each provider's own data handling and retention practices are governed by their respective terms of service and privacy policies.

Disconnect and deletion

  • You can disconnect your Gmail account at any time from your Settings page. Disconnecting deletes your stored OAuth tokens (encrypted access token, refresh token, and token expiry) from our database. To also revoke Foldly's access at the Google level, visit your Google Account permissions page.
  • Previously imported files and their associated metadata remain in your workspace until you explicitly delete them.
  • You can delete individual files, folders, or your entire account at any time. Deleting a file removes it from both storage and the database.

3. How We Use Your Information

We use the information collected to:

  • Provide, operate, and improve our services.
  • Securely store and deliver your uploaded and imported files.
  • Classify, summarize, extract data from, and auto-file documents using AI.
  • Scan uploaded files for malware using VirusTotal.
  • Send transactional emails (verification codes, upload notifications, follow-up reminders).
  • Respond to support inquiries and communicate with you.
  • Monitor for misuse, abuse, or security threats.
  • Comply with legal obligations.

4. How We Share Information

We do not sell your personal information. We may share information only in these limited cases:

  • Service Providers (Subprocessors): With third-party vendors who help operate our services. See Section 5 for the full list.
  • Legal Compliance: If required by law, regulation, legal process, or governmental request.
  • Business Transfers: If Foldly.com is involved in a merger, acquisition, or sale of assets.

Foldly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Subprocessors

We use the following third-party service providers to operate Foldly. Each provider processes only the minimum data necessary for its function:

| Provider | Purpose | Data Processed |
| --- | --- | --- |
| Clerk | Authentication | Name, email, auth credentials |
| Supabase | Database and file storage | All application data and uploaded files |
| Google Cloud Storage | File storage (alternate provider) | Uploaded and imported files |
| Cloudflare R2 | Temporary ZIP download delivery | ZIP archives (24-hour TTL, auto-deleted) |
| Vercel | Application hosting and AI gateway | Application requests, AI API routing |
| NVIDIA NIM | AI classification, summarization, extraction | File content (sent via API for processing) |
| Mailgun | Transactional email delivery and inbound email processing | Email addresses, email content, attachments |
| Upstash (Redis) | Rate limiting and ephemeral state | Rate limit counters, OTP codes (short TTL) |
| VirusTotal | Malware scanning | File hashes and file content for scan |
| Google Gmail API | Email inbox integration (user-initiated) | Email headers, body preview, attachment files (see Section 2) |

6. File Storage and Security

  • Uploaded and imported files are stored securely using encrypted cloud storage and are accessible only to you (and anyone you explicitly share them with via shareable links).
  • Files uploaded by external users via your shareable links are tracked by their email address and stored in your workspace.
  • OAuth tokens and link passwords are encrypted at rest using AES-256-GCM.
  • Uploaded files are scanned for malware when VirusTotal is configured.
  • We use reasonable technical and organizational measures to protect your files and personal data, including row-level security policies on our database.
  • However, no system is 100% secure; you upload and share files at your own risk.

7. Data Retention

  • Files and personal information are retained as long as your account is active.
  • Imported email metadata (sender, subject, body preview) is retained as long as the associated file exists in your workspace.
  • Temporary ZIP downloads are automatically deleted from Cloudflare R2 after 24 hours.
  • AI analysis results are retained alongside files and deleted when the file is deleted.
  • Rate-limiting data and OTP codes are ephemeral and auto-expire within minutes.
  • If you delete your account, we will delete or anonymize your data, except where retention is required by law.
  • If you disconnect your Gmail account, your stored OAuth tokens (encrypted access token, refresh token, and token expiry) are deleted from our database. Previously imported files remain until you delete them.

8. Your Choices and Rights

  • You may access, download, or delete your files at any time.
  • You may update or delete your account information by logging into your profile.
  • You may disconnect third-party integrations (e.g., Gmail) at any time from your Settings page.
  • You can disable cookies in your browser, but some features may not work correctly.
  • You can revoke Foldly's access to your Google account at any time via your Google Account permissions page.
  • Depending on your location, you may have additional rights under applicable privacy laws (e.g., GDPR, CCPA).

9. Children's Privacy

Foldly.com is not intended for use by anyone under the age of 13 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the new policy with a revised effective date.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Email: dev@foldly.com

This policy was last updated on March 23, 2026.