Skip to content
📬PhotoFlowr

Privacy Policy

Last updated: March 10, 2026

What PhotoFlowr Does

PhotoFlowr for Gmail (“PhotoFlowr,” “we,” “us”) is a service that scans your Gmail for photo attachments and syncs them to your own Google Photos library or Google Drive account. We act solely as a conduit between your Gmail and your chosen Google destination.

Data We Access

When you sign in with Google and initiate a sync, PhotoFlowr requests read-only access to your Gmail messages to identify photo attachments. We also request write access to your Google Photos or Google Drive so we can save the photos you choose to sync.

We do not read, store, or process the text content of your emails. We only access message metadata (sender, date, subject line) and binary attachment data (photos) needed to perform the sync you requested.

Data We Store

  • Account info: Your name, email address, and Google profile picture, used to identify your account.
  • Sync metadata: A record of which messages were checked and which photos were synced (file name, size, sender, date), so we can avoid re-processing the same emails.
  • Payment info: Billing is handled entirely by Stripe. We never see or store your credit card number. We only store your Stripe customer ID to link payments to your account.

Data We Never Store

  • The text content or body of your emails
  • Your photos — they go directly from Gmail to your Google Photos or Drive
  • Your Google password or OAuth tokens on any client device
  • Credit card numbers or banking information

How We Protect Your Data

We implement the following security measures to protect your sensitive data:

  • Encryption in transit: All communication between your browser, our servers, and Google APIs is encrypted using TLS 1.2 or higher (HTTPS). Photo data is never transmitted over unencrypted connections.
  • Encryption at rest: Our database is hosted on Supabase with AES-256 encryption at rest. Google OAuth refresh tokens stored in our database are encrypted using AES-256-GCM before storage.
  • Minimal data retention: We do not store your photos or email content. Photos are streamed directly from Gmail to your Google Photos or Drive account and are never written to our servers’ disk.
  • Access controls: Access to production infrastructure and databases is restricted to authorized personnel only, protected by multi-factor authentication and role-based access controls.
  • OAuth token security: Your Google OAuth refresh tokens are stored encrypted and are only used server-side to perform syncs you initiate. Tokens are never exposed to client-side code or transmitted to any third party.
  • Secure infrastructure: Our application runs on Google Cloud Run, which provides container isolation, automatic security patching, and built-in DDoS protection. We do not run any user-facing services on shared or self-managed servers.

We Never Sell Your Data

We do not sell, rent, trade, or otherwise share your personal information, email data, photos, or any other data with third parties. Your data is used exclusively to provide the PhotoFlowr service to you.

Third-Party Services

We use the following third-party services to operate PhotoFlowr:

  • Google APIs: To authenticate you and access Gmail, Google Photos, and Google Drive on your behalf.
  • Stripe: To process payments securely. Stripe’s privacy policy governs their handling of your payment information.
  • Supabase: To host our database (account info and sync metadata only).
  • Google Cloud Run: To host our application infrastructure.

Google API Services Disclosure

PhotoFlowr’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking Access

You can revoke PhotoFlowr’s access to your Google account at any time by visiting myaccount.google.com/permissions and removing PhotoFlowr. All photos that were already synced to your Google Photos or Drive remain yours and are unaffected.

Data Deletion

If you would like us to delete your account and all associated metadata from our database, please contact us at support@photoflowr.com. We will process deletion requests within 30 days.

Changes to This Policy

We may update this privacy policy from time to time. We will notify users of any material changes by updating the “Last updated” date at the top of this page.

Contact

If you have any questions about this Privacy Policy, please contact us at support@photoflowr.com.