Last updated: 2/18/2026
Version: 2.0 (Compliant with GDPR, CCPA, DPDP Act 2023)
1. Introduction
At Morespace ("we," "our," or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Morespace application and services (the "Service").
Core Principle: Morespace operates on a zero-storage model. We DO NOT store your cloud storage files. We process data temporarily to provide our service, then securely delete it.
By using the Service, you agree to the collection and use of information in accordance with this policy.
2. What Data We Collect and Process (But Don't Store)
2.1 Authentication Data (Stored Securely)
We collect and securely store only the minimum data necessary for authentication:
- Your Email Address - Used as your unique identifier (Stored)
- Password Hash - Never stored in plain text; using bcrypt with salt for secure hashing (Stored)
- OAuth Tokens - For your cloud providers (Google Drive, OneDrive, Dropbox) (Stored, encrypted)
OAuth Token Security:
- Stored encrypted using AES-256-GCM encryption at rest
- Transmitted over TLS 1.3 only
- Automatically refreshed and rotated every 7 days
- NEVER logged or cached in application logs
- Securely deleted when you revoke authorization or delete account
Retention Period: Authentication data is retained for the account lifetime plus 30 days after deletion, to prevent re-registration abuse.
2.2 Temporary Processing Data (NOT Stored)
When you use Morespace, we briefly process but do not permanently store:
- File Metadata - Name, size, type, modification date
  - Discarded after account deletion
- Deduplication Hashes - SHA-256 file hashes computed on-demand
  - Hash only exists in memory during analysis
- API Response Data - Temporarily buffered during cloud provider calls
  - Held in in-memory buffer only
  - Deleted after processing
  - Never persisted to database
2.3 Analytics Data (Anonymized & Aggregated)
To improve Morespace, we collect only anonymized metrics:
- Feature usage counts (aggregate, not per-user)
- Error rates and types (anonymized)
- Performance metrics (API response times)
- Storage provider popularity (aggregate statistics)
NOT collected: Individual user activity, file names, file contents, email addresses associated with metrics.
Retention: 90 days of rolling aggregated data only. All historical data older than 90 days is automatically deleted.
2.4 Google API Scope Disclosures
When you authenticate with Google, Morespace requests access to the following Google APIs. You control whether to grant these permissions during authentication.
Drive API (https://www.googleapis.com/auth/drive) - OPTIONAL
- Purpose: To read and manage files in your Google Drive for backup and deduplication analysis
- Data Accessed: File metadata (name, size, type, modification date, file IDs)
- Data NOT Accessed: File contents are NOT downloaded or stored on Morespace servers
- User Control: You authorize this scope during authentication. Revoke anytime in your Google Account settings
Gmail API (https://mail.google.com/) - OPTIONAL
- Default Setting: Email body text is NOT indexed by default
- Purpose: Email indexing for advanced search and organization (optional feature)
- Data Accessed: Email headers (subject, sender, date); optionally email body text and attachments, for the mail archive feature, only on user-initiated action
- Data Retention: Email metadata indexed locally is deleted when you disable this feature or delete your account
- User Control: Enable or disable anytime in Settings > Mail > Index Email Content, or revoke the scope from your Google Account settings
- The restricted scope is required to perform mailbox cleanup after archival (only on user-initiated actions)
2.5 Optional Email Indexing Cache (User-Controlled)
If you enable email indexing for search functionality:
- Email metadata (headers, sender, subject, date) cached and stored locally
- Email body text indexed ONLY if you open email or use archive feature (OFF by default)
- Stored in encrypted local database
- Automatically deleted when you disable the feature
- Deleted immediately upon account deletion
- You can export and delete this data anytime in Settings > Data Export > Delete Email Cache
NOT collected from email: Email content analysis for other purposes, or metadata for third-party sharing.
2.6 What We NEVER Collect
- ✗ File contents - Your actual files and emails are never downloaded by our service unless explicitly authorized by you for move or archive operations
- ✗ File paths/structure - Folder organization details are not needed
- ✗ Personal information beyond email - Phone number, address, payment details
- ✗ Behavioral profiling - Which files you access, or your access patterns
- ✗ Geolocation - We don't request or use location data
- ✗ Device identifiers - Except for mobile app device management
3. Zero-Trust Architecture & Data Privacy Design
Morespace is built on zero-trust principles. We do not assume data is secure merely because we hold it; instead, we design systems to minimize what we can access at all.
3.1 Pass-Through Architecture
Our application is pass-through, not pass-and-store:
Your Device → Morespace → Your Cloud Provider
              └─ Process → Discard
- We receive data from your cloud provider on your request
- We process it in-memory according to your instructions
- We return results to your device
- We immediately discard intermediate data from memory
- We never store your files in our database
3.2 Token Isolation & Security
- OAuth tokens are encrypted separately from user data (defense-in-depth)
- Each token encrypted with a unique encryption key
- Encryption keys NOT stored alongside encrypted tokens
- Token decryption requires additional authentication
- Tokens never logged in application logs
- Token refresh happens automatically and securely
3.3 Audit Trail & Logging
All authentication and sensitive operations are logged with:
- Event type (login, token refresh, data export, etc.)
- Timestamp (UTC)
- Result (success/failure)
NOT logged: Sensitive data, tokens, file information, or error details that could expose information.
Retention: Audit logs retained for 180 days for security investigation, then automatically deleted.
3.4 Communication Security
- All API traffic uses TLS 1.3 (TLS 1.2 fallback for compatibility)
- Certificate pinning implemented for mobile applications
- API requests signed with HMAC-SHA256
- Rate limiting enforced (1000 requests/hour per authenticated user)
- Requests without valid authentication rejected immediately
- All responses sanitized to remove sensitive data
4. Data Security & Protection Measures
4.1 Encryption Standards
- In Transit: TLS 1.3 minimum; TLS 1.2 for compatibility
- At Rest (Encrypted Data):
  - OAuth tokens: AES-256-GCM encryption
  - Password hashes: bcrypt with a cost factor of 12 or higher
  - Sensitive configuration: Encrypted with system KMS
- Application-Level: Tokens encrypted before database insertion; decryption on-demand only
4.2 Key Management
- Encryption keys stored in managed key service (AWS KMS or equivalent)
- Keys rotated annually
- Lost keys prevent data recovery (intentional security design)
- Key access logs audited quarterly
4.3 Authentication & Authorization
- JWT tokens issued upon successful login
- Refresh tokens issued with 14-day expiration
- All API requests require valid JWT or OAuth token
- Password reset requires email verification + 2FA code
- Account lockout after 5 failed login attempts (30-minute lockout)
4.4 API Security
- Rate limiting: 1,000 requests/hour per authenticated user
- HMAC-SHA256 request signing for sensitive operations
- CORS restricted to registered frontend domains only
- CSRF protection via SameSite cookies
- SQL injection prevention via parameterized queries (Entity Framework)
4.5 Infrastructure Security
- Application runs in containerized environments (Docker)
- Network isolation via VPC
- Web Application Firewall (WAF) enabled
- DDoS protection via AWS Shield
- Regular security patches applied (monthly)
- Annual penetration testing
4.6 Access Control
- Role-based access control (RBAC) implemented
- Principle of least privilege enforced
- Database access restricted by IP whitelist
- Admin console requires multi-factor authentication
- Session timeout after 30 minutes of inactivity
5. How We Use Your Information
We use the collected information for the following purposes:
- Providing and maintaining the Service
- Processing backup operations and managing your storage analysis
- Customer support and communication
- Analyzing aggregated usage patterns to improve our service
- Ensuring security and preventing fraud
- Complying with legal obligations
We do NOT use your data for: Marketing profiling, targeted advertising, selling to third parties, or any purpose beyond providing the Service.
6. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:
- With your explicit consent (opt-in required for each instance)
- To comply with legal obligations or valid court orders
- To protect our rights, property, or safety
- With trusted service providers who assist in our operations (under strict confidentiality agreements and Data Processing Agreements)
- In connection with a business transfer or acquisition (with appropriate data protection terms)
7. Third-Party Service Providers (Sub-Processors)
We use the following service providers to operate our service. Each has been evaluated for GDPR/CCPA compliance and has signed a Data Processing Agreement (DPA).
Data Processing Agreements: All service providers have signed Data Processing Agreements (DPAs) confirming GDPR/CCPA compliance, data deletion upon service termination, and annual security certifications (SOC 2 Type II).
Cloud Storage Providers
When you authorize Morespace to access Google Drive, OneDrive, Dropbox, or other cloud providers:
- You are granting Morespace permission directly, not transferring control
- These providers are NOT our sub-processors; you control the integration
- Their privacy policies govern that relationship, not ours
- You can revoke access anytime in your cloud provider's security settings
8. Data Retention
We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
Data Retention Schedule:
- Account Email: Account lifetime + 30 days (prevent re-registration abuse)
- Password Hash: Account lifetime + 30 days
- OAuth Tokens: Until revoked or account deleted
- Email Index Cache: Until you disable feature or delete account
- Analytics Data: 90 days rolling aggregated data only
- Audit Logs: 180 days, then automatic deletion
When you delete your account or request data deletion, we will securely delete your personal data within 14 days (required by GDPR), subject to legal requirements.
9. Data Deletion & Account Closure
9.1 What Happens When You Delete Your Account
Immediate (within 1 hour):
- Account disabled - Login access revoked
- All active sessions terminated
- API access disabled
Within 24 hours:
- Personal data deleted (email, name, profile)
- Password hashes securely overwritten
- OAuth tokens deleted and revoked
- Email index cache (if enabled) deleted
Within 7 days:
- Cloud storage account authorizations revoked
- Audit logs anonymized
- Temporary processing data purged
9.2 Data Export (Before Deletion)
Before closing your account, you can export your data:
- Go to Settings > Data Export > Generate Full Export
- Includes: Account metadata, email index (if enabled), activity logs
- Exported as JSON in encrypted ZIP file
- Available for download for 30 days
10. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data. Here's how to exercise them:
10.1 Right to Access
What: Receive a copy of all personal data we hold about you
How: Email dev@morespace.app with subject "Access Request"
Timeline: 14 days | Cost: Free (first request/year)
10.2 Right to Rectification
What: Correct inaccurate or incomplete data
How: Email dev@morespace.app with subject "Correction Request"
Timeline: 7 days | Cost: Free
10.3 Right to Erasure (Right to be Forgotten)
What: Request permanent deletion of your personal data
How: Settings > Account > Delete Account (or email dev@morespace.app)
Timeline: 14 days | Cost: Free
10.4 Right to Restrict Processing
What: Limit how we use your data (suspend processing while you investigate)
How: Email dev@morespace.app with subject "Restrict Processing"
Timeline: 7 days | Cost: Free
10.5 Right to Data Portability
What: Receive your data in structured, machine-readable format
How: Settings > Data Export > Generate Full Export
Timeline: 30 days | Cost: Free | Format: JSON
10.6 Right to Object
What: Object to processing for analytics/marketing
How: Settings > Privacy > Opt-Out of Analytics
Timeline: Immediate | Cost: Free
10.7 Right to Withdraw Consent
What: Revoke consent for optional features (email indexing, analytics)
How: Settings > Privacy Settings > Withdraw Consent
Timeline: 24 hours | Cost: Free
10.8 Automated Decision-Making & Profiling
Good news: Morespace does NOT use automated profiling, behavioral analysis, machine learning models trained on your data, or predictive analytics for decision-making about you.
11. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date at the top
- Sending you an email notification (for material changes)
- Requiring your consent before changes take effect (if required by law)
We encourage you to review this Privacy Policy periodically to stay informed about our data practices.
13. Contact Us & Data Protection Authority
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: dev@morespace.app
Website: morespace.app
Phone: Available upon request
If you believe your privacy rights have been violated:
- EU Users: File a complaint with your local Data Protection Authority (DPA)
- India Users: File a complaint with MeitY or your local authority
- US Users: File a complaint with the FTC (www.ftc.gov)
14. Legal Basis & Jurisdiction
Governing Law: This Privacy Policy is governed by the laws of India, specifically the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.
Compliance: Morespace complies with:
- India: DPDP Act 2023, IT Act 2000
- EU: GDPR (General Data Protection Regulation) - applies regardless of jurisdiction
- US: CCPA, COPPA - applies for US users