Skip to content

Legal

Privacy Policy

Nimbus Lab — Last updated June 2025

The short version: Nimbus Drive is architected so that we genuinely cannot access your files. They are encrypted on your device before upload, stored in your own Telegram account, and decrypted only on your device. We collect the minimum necessary to operate the service.

Who we are

Nimbus Drive, an encrypted file management application for Android (and more). Contact: support@nimbusdrive.app.

What we collect — and what we don't

What we never collect:

  • File content — files are encrypted on your device before they go anywhere
  • Encryption keys — generated and stored in the Android Keystore on your device only
  • Telegram session strings — stored only in your device's local secure storage
  • Plaintext file names or folder paths — these are encrypted in your metadata backup
  • Location data

What we do collect:

  • Account information: email address and hashed password (or Google account ID) for authentication
  • Subscription status: current plan, expiry date, and payment source (Play Store or website)
  • Encrypted metadata backup: an opaque, server-unreadable blob used to restore your file index on a new device
  • Crash reports via Sentry: stack traces and device info, no file content
  • Anonymized usage events via PostHog: feature interactions, no personal identifiers, no file data
  • Anonymized provider health events: FLOOD_WAIT signals and auth failures, linked to a hashed cohort ID, never to your identity

How we use information

Account data is used to authenticate you, issue subscription JWTs, and restore your file metadata when you log in on a new device.

Crash reports and anonymized usage events are used to identify bugs and understand how features are used. They are not linked to identifiable individuals.

We do not sell data to third parties. We do not use your data for advertising.

Third-party services

Nimbus Drive uses the following third-party services, each with their own privacy policies:

  • Telegram — stores your encrypted files. Your Telegram account is governed by Telegram's Privacy Policy.
  • Cloudflare Workers & D1 — hosts our account server and stores account data in the EU/US.
  • Sentry — crash reporting. Data is anonymized and subject to Sentry's Data Processing Agreement.
  • PostHog — product analytics. No PII is sent. Events are anonymized before transmission.
  • Google Sign-In — optional authentication method. If used, Google receives only your Sign-In event.

Data retention

Your account data is retained until you delete your account. You can request account deletion at any time by contacting support@nimbusdrive.app.

Encrypted metadata backups are deleted when you delete your account. Files in your Telegram account are not affected — those belong to you and can only be deleted by you.

Anonymized analytics events are retained for up to 24 months in aggregate form.

Your rights

You have the right to access, correct, or delete the personal data we hold about you. You can exercise these rights by emailing support@nimbusdrive.app.

For users in the EU/EEA, these rights are provided under GDPR. For users in California, equivalent rights apply under CCPA.

Children

Nimbus Drive is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

Changes to this policy

We will notify users of material changes to this policy via in-app notice or email. The latest version is always available at nimbusdrive.app/privacy.

Contact

Questions about this policy: support@nimbusdrive.app