Privacy Policy

Last updated: April 14, 2026

1. Introduction

This Privacy Policy describes how gdsync ("the Software," "we," "our") collects, uses, and handles your information when you use the gdsync command-line tool and its associated authentication proxy service. gdsync is an open-source CLI tool that synchronizes Google Docs with local files for editing. It connects to Google's APIs on your behalf to read and modify documents you have authorized access to.

By using gdsync, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Access

When you authenticate with gdsync, the Software accesses the following through Google's APIs using the permissions (OAuth scopes) you grant:

• Google Docs — to read and write document content for documents you explicitly open with gdsync;
• Google Drive — to list your accessible documents, read and create comments, and upload images;
• Basic profile information — your name and email address, used solely to identify your account within the CLI.

gdsync requests only the minimum OAuth scopes necessary to perform its core functionality. The Software does not request or access data beyond the scopes listed above.

3. Data We Store

3.1 On Your Machine

• OAuth tokens are stored locally at ~/.gdsync/credentials.json.
• Document content is stored in content.txt in your working directory.

These files reside entirely on your local machine and are never transmitted to any server controlled by the gdsync maintainers.

3.2 On Our Infrastructure

During the initial authentication flow, the gdsync auth proxy (hosted as a Cloudflare Worker) temporarily facilitates OAuth token exchange. Specifically:

• OAuth tokens are held in Cloudflare KV storage for a maximum of 5 minutes during the sign-in flow;
• Tokens are automatically deleted after this window expires;
• No tokens, document content, personal data, or usage information is retained after the authentication flow completes.

The auth proxy is involved only during initial sign-in. It has no ongoing access to your Google account, documents, or API calls.

4. Data We Do NOT Collect

• We do not read, store, log, or transmit the content of your Google Docs on any server;
• We do not access documents other than those you explicitly open with gdsync;
• We do not collect telemetry, usage analytics, crash reports, or diagnostic data;
• We do not share, sell, rent, or disclose any user data to third parties;
• We do not use your data for advertising, profiling, marketing, or model training;
• We do not track your IP address, device information, or browsing activity.

5. Your Google Cloud Project

gdsync requires each user to create and configure their own Google Cloud Platform project. As a result:

• All Google API calls are made through your own GCP project, using your own API quota and credentials;
• The gdsync maintainers' infrastructure never has persistent or ongoing access to your Google account or documents;
• You are responsible for the configuration and security of your GCP project in accordance with Google's policies.

6. Third-Party Services

gdsync interacts with the following third-party services:

• Google APIs (Docs, Drive, OAuth) — governed by Google's Privacy Policy and Google API Services User Data Policy;
• Cloudflare Workers and KV (auth proxy only) — governed by Cloudflare's Privacy Policy.

We encourage you to review the privacy policies of these services. gdsync's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Data Retention and Deletion

gdsync does not maintain any persistent user data on its infrastructure. To fully revoke access and delete your data:

1. Revoke OAuth access — remove gdsync from your Google account at myaccount.google.com/permissions;
2. Delete local credentials — remove the ~/.gdsync/ directory;
3. Delete local document files — remove any content.txt files or working directories created by gdsync.

After completing these steps, no data associated with your use of gdsync will remain on your machine or on any server controlled by the gdsync maintainers.

8. Security

gdsync uses OAuth 2.0 for authentication and does not handle or store your Google account password at any point. OAuth tokens are stored locally with your operating system's default file permissions. We recommend ensuring that your ~/.gdsync/ directory is accessible only to your user account.

The auth proxy communicates exclusively over HTTPS. Temporary token storage in Cloudflare KV is subject to Cloudflare's infrastructure security controls.

9. Children's Privacy

gdsync is a developer tool and is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

10. Open Source Transparency

gdsync is open source. You can review the complete source code at github.com/kylecooper7/gdsync to independently verify what data is accessed, how it is handled, and what network requests are made.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page. Your continued use of gdsync after any modification constitutes acceptance of the revised Privacy Policy.

12. Contact

For questions about this Privacy Policy, open an issue at github.com/kylecooper7/gdsync/issues.