Privacy Policy

Last updated: February 1, 2026

1. Data controller

• Owner: Gonzalo Vasco López
• Tax ID: 34884272B
• Address: Rúa Farillon 10, 1ºE, 27890 San Ciprián, Lugo, Spain
• Email: info@nubbo.app

2. Data we collect

Nubbo collects and processes the following personal data:

2.1 Account data

• Name and email: provided during registration to identify your account.
• Password: stored using a cryptographic hash (bcrypt). We never store your password in plain text.

2.2 Security data

• 2FA secret and recovery codes: if you enable two-factor authentication, we store the TOTP secret and recovery codes using bcrypt hashing.
• IP address and User-Agent: collected at each login and stored alongside session tokens to allow active session management.

2.3 Cloud provider credentials

• Access keys (Access Key ID and Secret Access Key): encrypted at rest with AES-256-GCM. The encryption key is stored as an environment variable, never in the database.

2.4 File metadata

• File names, paths, sizes, and types: temporarily cached (5 minutes) to improve performance. Nubbo does not store or access your file contents.

2.5 Shared link data

• Link tokens, optional passwords (bcrypt hashed), expiration dates, and download counters.

2.6 Preferences

• Theme, language, and view type: stored in your account to personalize your experience.

2.7 Technical logs

• HTTP request logs: method, URL, status code, IP, and User-Agent. These logs are written to the server console only and are not persisted to the database.

3. Purpose of processing

• Account management: creation, authentication, and maintenance of your account.
• Service delivery: connecting to your cloud providers, browsing, and managing files.
• Security: protecting your account through encryption, 2FA, and session management.
• Communications: sending verification and password recovery emails.

4. Legal basis

• Consent (Art. 6.1.a GDPR): by registering and accepting the terms.
• Performance of a contract (Art. 6.1.b GDPR): necessary to provide the requested service.
• Legitimate interest (Art. 6.1.f GDPR): system security, fraud prevention, and technical logs.

5. Recipients

• Resend: email delivery service, used exclusively for sending verification and password recovery emails.
• We do not share data with any other third party. We do not use analytics, advertising, or tracking services.

6. International transfers

Nubbo does not transfer your personal data to third countries. The cloud storage providers you connect are chosen by you and your relationship with them is your responsibility. We recommend reviewing the privacy policies of your cloud providers.

7. Data retention

• Account data: retained while the account is active. Deleted upon account deletion request.
• Sessions: refresh tokens expire automatically and are deleted.
• File cache: automatically deleted after 5 minutes (TTL).
• Technical logs: not persisted to the database.

8. User rights

In accordance with the GDPR and Spanish LOPD-GDD, you may exercise the following rights:

• Access: know what data we hold about you.
• Rectification: correct inaccurate data.
• Erasure: request deletion of your data.
• Portability: receive your data in a structured format.
• Restriction: request restriction of processing.
• Objection: object to the processing of your data.

To exercise these rights, send an email to info@nubbo.app.

You also have the right to file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

9. Security measures

• Credential encryption with AES-256-GCM.
• Passwords stored with bcrypt hashing.
• Communications encrypted via HTTPS/TLS.
• Authentication using JWT tokens with expiration.
• Optional two-factor authentication (TOTP).

10. Cookies and local storage

Nubbo does not use cookies. We use the browser's localStorage to store:

• Session tokens: access token and refresh token needed to keep your session active.
• Basic account data: name and email to display in the interface without querying the server.
• Preferences: theme, language, and view type.

This information is stored exclusively in your browser, is not sent to third parties, and is deleted when you log out or clear your browser data.