Privacy Policy

Last updated: June 1, 2026

1. Overview

Linger is a personal diary app. Your diary entries are stored in your own Google Drive. The app uses Cloudflare Pages Functions as a thin backend layer to handle OAuth authentication and to proxy Google Drive API requests — it does not store or process your diary content.

2. Information We Access

The app accesses the following via OAuth:

The refresh token is stored server-side in Cloudflare KV (a key-value store provided by Cloudflare) and is used only to obtain fresh access tokens when needed. The browser never receives the access token or refresh token directly.

3. How We Use Your Information

OAuth tokens are used exclusively to create, read, update, and delete your diary entries in Google Drive on your behalf. They are not used for any other purpose.

The Cloudflare Pages Functions backend acts as a proxy: your browser sends requests to /api/drive/… endpoints, which add the appropriate Google authorization header and forward the request to the Google Drive API. Diary content passes through Cloudflare's network in transit but is not stored there.

4. Session Storage

When you sign in, a session is created and stored in Cloudflare KV with a 30-day expiry. The session record contains your Google refresh token and a cached access token. Your browser receives a session identifier as an HttpOnly, Secure, SameSite=Strict cookie (linger_session). The cookie contains only the session ID — no tokens or diary content.

5. Local Storage

This app uses localStorage to persist non-sensitive preferences only:

None of these contain diary content or authentication tokens.

5a. IndexedDB Cache

To enable instant startup, this app caches diary entry metadata and content in your browser's IndexedDB under the key linger_diary_cache. This data is stored locally on your device and is never transmitted anywhere. It is cleared automatically when you sign out. You can also clear it manually via your browser's developer tools or by clearing site data.

6. Data Sharing

We do not share, sell, or transmit your data to any third party. Diary entries reside entirely within your own Google Drive account. Session data (OAuth tokens) is held in Cloudflare KV solely to operate the service and is not disclosed to any other party.

7. OAuth Scope

This app requests only the https://www.googleapis.com/auth/drive.file scope. This scope grants access only to files created by this app — it does not provide access to the rest of your Google Drive.

8. Analytics & Advertising

This app uses Cloudflare Web Analytics to collect basic, aggregated traffic data. It is cookie-free and does not track individual users. No personal data is collected or stored. The data collected includes page views, referrers, country, device/browser type, and Core Web Vitals. This data is processed by Cloudflare, Inc. (a US company) and is retained for up to 6 months. For details, see Cloudflare's Privacy Policy.

This app uses no advertising or behavioural tracking of any kind.

9. Deleting Your Data

All diary content is stored in the linger_diary/ folder in your Google Drive. You can delete it at any time by removing that folder.
To delete your server-side session, sign out from within the app or revoke access via Google Account → Apps & services. Revoking access also invalidates the stored refresh token.

10. Security

Diary content is stored and protected by Google Drive's security infrastructure. Server-side session data is stored in Cloudflare KV, which is isolated per account. OAuth tokens are never exposed to the browser; the browser only holds an opaque session cookie. All communication between the browser, Cloudflare, and Google uses HTTPS.

11. Contact

For privacy-related questions, please contact:
europeanplaice@gmail.com