CloudMusicBox - Privacy Policy

Our application uses Google OAuth 2.0 to access your Google Drive.

Data Collected

• Google account basic information (email address, name, profile picture)
• Google Drive file listings (for searching and displaying music files)
• Music file metadata (filename, size, creation date, file type)
• Music file content (when accessed by user for playback and offline caching)

Required Permissions

Google Drive

• https://www.googleapis.com/auth/drive.readonly (read-only access)
• openid, email, profile (basic profile information)

Microsoft OneDrive

• Files.Read (read-only access to OneDrive files)
• Sites.Read.All (read-only access to SharePoint sites, for OneDrive for Business accounts)

We use Microsoft Graph API to access OneDrive with the principle of least privilege.

Authentication Information

• Microsoft account authentication tokens (managed by MSAL library)
• User ID and basic profile information required for OneDrive access
• Refresh tokens for maintaining authentication state

OneDrive File Access

• File and folder metadata (names, paths, modification dates, file sizes)
• Music file content for playback purposes only
• Album artwork and music metadata (artist, title, duration, etc.)

Access Permissions Used

• Files.Read: Read-only access to music files in OneDrive
• Sites.Read.All: Read-only access to SharePoint sites (requested for all accounts to ensure OneDrive for Business compatibility)
• These permissions are used exclusively for music file search and playback
• No administrative privileges or write permissions are requested

Important Notes

• OneDrive file access uses read-only permissions only
• We do not modify, delete, or share your OneDrive files
• Authentication uses OAuth 2.0 with PKCE for enhanced security
• File data is only accessed when explicitly requested by user actions
• No automatic scanning or bulk downloading of user files
• Permissions can be revoked at any time through Microsoft account settings

Information stored in your browser

• Authentication credentials for maintaining login state
• User account identifiers (no personal details stored)
• Application settings (theme, volume settings, etc.)
• File listing cache for faster navigation
• Music file metadata (filename, size, file type)
• Album information derived from metadata
• Music file content (cached locally when accessed by user for offline playback)
• Cache management data (access times, storage usage tracking)

We use Google Analytics to understand how users interact with our application and to improve our services.

Data Collected Through Google Analytics

• Page views and user navigation patterns
• Device and browser information (type, version, screen size)
• Geographic location (country/region level only)
• Session duration and frequency of use
• Feature usage statistics
• Error reports and performance metrics

Important Notes

• No personally identifiable information (PII) is collected through Analytics
• Music file names, content, or cloud storage data are not tracked
• Analytics data is aggregated and anonymized
• You can opt out of Google Analytics tracking through browser settings or extensions

• Searching and displaying music files in cloud storage
• Music file playback
• Playlist functionality
• Album display

• Caching metadata for fast file search and navigation
• Local music file caching for offline playback of previously accessed songs
• User-controlled cache with automatic size management and manual clearing options
• Saving personal settings and preferences

• User-initiated only: Music files are only cached when you actively play or access them through the app
• No automatic downloading: The app does not automatically scan or download your entire music library
• Storage management: Cache size is automatically managed with configurable limits (typically 70% of available browser storage)
• User control: You can manually clear all cached music files from the settings page
• Access-based retention: Oldest cached files are automatically removed when storage limits are reached
• Offline playback: Cached music files enable playback without internet connection for previously accessed songs

• Automatic authentication credential refresh
• Connection state management
• Error handling and debugging

• Understanding user behavior and app usage patterns
• Identifying popular features and areas for improvement
• Monitoring app performance and stability
• Troubleshooting technical issues
• Aggregate usage statistics for development planning

• All data is stored only within the user’s browser
• We do not store any user data on our application servers
• Cloud storage files remain in their original locations

• HTTPS encryption for all communications
• Secure authentication via OAuth 2.0
• Use of PKCE (Proof Key for Code Exchange) for OneDrive authentication
• Implementation of CSP (Content Security Policy)

• Authentication credentials: Automatically managed by browser security standards
• Metadata cache: Managed by application settings
• Music file cache: User-controlled with automatic size management
• Local storage: Retained until deleted by user
• Cache cleanup: Automatic removal of oldest files when storage limits exceeded
• Analytics data: Managed by Google Analytics retention policies (typically 26 months)

• We do not share user personal information with third parties
• We do not provide information to advertising or analytics companies
• We do not sell user data

• We do not disclose information except when required by law
• However, since we do not store user data on servers, information available for disclosure is limited

• User data is primarily stored within the user’s browser
• Google Drive and OneDrive data is stored in their respective data centers

• Google Drive: Subject to Google’s Privacy Policy
• OneDrive: Subject to Microsoft’s Privacy Policy

User Consent

• Personal OneDrive access requires only user consent through Microsoft authentication
• The application uses incremental consent, requesting permissions only when needed
• The application requests consistent permission scopes for both personal and business accounts to ensure compatibility
• Users can review and manage granted permissions through Microsoft account settings

Organizational Environments

• When using work or school accounts (OneDrive for Business), administrator pre-approval may be required
• SharePoint site access permissions are requested for all OneDrive connections to ensure compatibility with business accounts
• Organization privacy policies and data governance rules apply
• The application does not have independent access rights to organizational data

Consent Management

• Consent can be revoked at any time through Microsoft account settings
• Revoking consent will disconnect OneDrive access but preserve other app functionality
• The application respects Microsoft’s conditional access policies when configured

• Users can access their data at any time
• Local data can be inspected using browser developer tools

• All data can be deleted from the application settings screen
• Music cache can be selectively cleared without affecting other data
• Data can be deleted using browser clear functions
• Cloud storage connections can be disconnected

• Data is easily exportable as it resides in the user’s browser
• Data can be backed up using standard browser functions

When using this application with work or school Microsoft accounts

• Organization administrators may control application access and data handling
• Your organization’s privacy policies and data governance rules take precedence
• The application does not store organizational data on our servers
• Data protection rights should be exercised through your organization’s data protection procedures
• IT administrators may have visibility into application usage through Microsoft’s admin tools

First-party Cookies

• Maintaining authentication state
• Saving user preferences
• Storing application settings
• Google Analytics cookies for usage analytics and performance monitoring (implemented as first-party cookies)
• These analytics cookies collect anonymized usage statistics only
• You can opt out of Google Analytics tracking through browser settings or extensions
• No personally identifiable information is collected through these cookies

• Saving configuration information
• Storing authentication credentials
• Caching data

• Privacy Policy updates will be published on this page with a new "Last Updated" date
• For significant changes affecting user rights, we may provide additional notice through:
  • GitHub repository updates and release notes
  • Website announcements (if applicable)
• Users are encouraged to review this Privacy Policy periodically

• Changes become effective from the publication date shown in "Last Updated"
• Continued use of the application after changes constitutes acceptance of the updated Privacy Policy

• Microsoft Graph API specification changes may require updates to privacy practices
• Important changes affecting user privacy will be communicated in advance
• Users will be notified of significant changes through appropriate channels
• The application maintains compatibility with Microsoft’s evolving security requirements

• This application is published as open source
• Source code can be reviewed to verify privacy protection

• Data handling can be verified through source code
• Third-party security audits are possible

• OAuth 2.0 Implicit Grant Flow for Google Drive (access token only)
• OAuth 2.0 Authorization Code Flow with PKCE for OneDrive (managed by MSAL library)
• OpenID Connect for user information

• TLS 1.3 for data transmission
• Browser-native encryption for local storage

• Cache expiration policies with least-recently-used cleanup
• Automatic storage size management within browser limits
• Authentication credential refresh mechanisms
• Manual data clearing options for music cache and all data

• API Version Management: Compatible with current Microsoft Graph API specifications
• Permission Scope Compliance: Adheres to Microsoft’s least privilege principle
• Error Handling: Proper handling of Microsoft Graph API responses and error codes
• Rate Limiting: Respects Microsoft Graph API throttling and retry policies