Privacy Policy
Last updated:
Contents
TL;DR
DriveStat is a client-side Google Drive visualizer. It runs entirely in your browser. We do not operate servers that receive your Drive data, we do not have a database of users, and we do not use analytics, tracking cookies, or third-party ad networks. Your Drive metadata is fetched directly from Google's API to your browser and cached locally in IndexedDB so you don't have to rescan on every visit.
Who we are
"DriveStat", "we", "us", or "our" refers to the operators of drivestat.em95.org. DriveStat is a free, open-source web application. The app is served as static HTML, CSS, and JavaScript from a CDN; there is no application server that processes your requests.
What data we access
When you sign in with Google and grant permission, DriveStat requests the following scope:
-
https://www.googleapis.com/auth/drive.metadata.readonly— read-only access to file metadata. DriveStat uses this to build the treemap. We never request or receive file contents, thumbnails, or previews.
DriveStat reads only metadata: file and folder IDs, names, MIME types, parent folder relationships, file sizes/quota bytes, modified timestamps, shared/owned status, Drive ID, and trash status. It does not:
- Download the contents of your files
- Upload, copy, or transmit your files to any server we control
- Modify, trash, or delete any of your files — DriveStat is strictly read-only
- Share your data with any third party
Where it's stored
Everything is kept in your browser. Specifically:
- IndexedDB — caches the scanned Drive metadata index so rescanning is optional on return visits.
- sessionStorage — stores the short-lived Google OAuth access token for the current tab session only. Tokens are not persisted to localStorage, cookies, IndexedDB, or any server.
- localStorage — stores UI preferences (theme, pane layout) and the cookie/storage acknowledgement flag only.
Clearing your browser's site data for drivestat.em95.org deletes all of the
above. Because tokens are tab-session only, closing the tab or opening DriveStat
in a new tab requires signing in again. You can also sign out from the app header,
which clears the in-browser token and cached Drive metadata from this browser.
To fully revoke DriveStat's access to your Google account, visit your
Google account permissions page.
How we protect Google user data
DriveStat treats the OAuth access token and cached Drive metadata as sensitive Google user data. The app uses the following protection mechanisms:
- No server-side collection. DriveStat is a static client-side app. Your OAuth token and Drive metadata are not uploaded to, stored on, or processed by any application server we control.
- Encrypted transport. DriveStat is served over HTTPS, and Google Identity Services / Google Drive API calls are made directly from your browser to Google over HTTPS/TLS.
-
Least-privilege, read-only access. DriveStat requests only the
drive.metadata.readonlyscope and requests only the metadata fields needed to display storage usage. The app cannot edit, trash, delete, upload, copy, or download file contents. -
Browser-isolated local storage. Cached Drive metadata stays in IndexedDB
scoped to the
drivestat.em95.orgorigin. The Google OAuth access token is kept only in tab-scopedsessionStorageand is not written to cookies,localStorage, IndexedDB, or any server. - Reduced exfiltration surface. The app does not include analytics, ad networks, session recorders, or cross-site trackers. The main app page uses a Content Security Policy that restricts scripts and network connections to DriveStat, Google Identity Services, and the Google Drive API.
- User-controlled deletion and revocation. Signing out clears the in-browser access token and cached Drive metadata. Clearing site data removes all local DriveStat data, and you can revoke DriveStat's Google access at any time from your Google account permissions page.
Because the Drive metadata cache stays on your device, its at-rest protection is provided by your browser's same-origin storage isolation and your device, operating-system, and browser security controls. DriveStat does not maintain an application database or server-side backups of your Google Drive metadata.
Google API Services disclosure
DriveStat's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Drive data to provide and improve user-facing features that are prominent in the app's UI (the file list, the treemap, the details sidebar).
- We do not transfer Drive data to others, unless doing so is necessary to provide the user-visible feature (it is not, today), or required by law.
- We do not use Drive data for serving ads.
- We do not allow humans to read Drive data, unless we have your affirmative consent, it's needed for security purposes, or it's required by law.
Third parties
-
Google Identity Services — the "Sign in with Google" button is loaded
from
accounts.google.com. Google may set cookies on their own domain as part of the sign-in flow. Their handling is governed by the Google Privacy Policy. -
Google Drive API — metadata requests are made directly from your
browser to
www.googleapis.comover TLS. We are not a man-in-the-middle. - Hosting / CDN — the static files (HTML, CSS, JS) are served from a CDN, which will see standard request logs (IP address, user agent, requested path) for operational purposes. No personal data beyond that is shared with the host.
We do not use Google Analytics, Meta Pixel, ad networks, cross-site trackers, or session recorders.
Your rights & deletion
Because DriveStat does not operate a user database, there's nothing to export or delete on our side. To delete your locally cached data:
- Sign out from DriveStat (clears the in-browser token and cached Drive metadata from this browser).
- Close the current tab (clears the tab-scoped session token).
- Clear site data for
drivestat.em95.orgin your browser's settings. - Revoke DriveStat from your Google account at myaccount.google.com/permissions.
If you are an EU/UK resident and believe we have somehow processed personal data relating to you, you can contact us (see below). You have the right to access, rectify, delete, restrict processing, and port your data under GDPR / UK GDPR; in practice there is rarely anything on our side to act on.
Children
DriveStat is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from them. If you believe a child has used DriveStat, contact us and we will help you purge any locally cached data from their device.
Changes to this policy
If we make material changes to how DriveStat handles your data, we will update the date above and post a notice in the app. Continued use after changes take effect constitutes acceptance.
Contact
Questions, concerns, or data deletion requests: em95org@gmail.com.