Privacy Policy

Last Updated: March 11, 2026

1. What Data We Access

ThunderSweep requests the following Chrome permissions, each strictly necessary for the functionality described:

• Gmail and Google Drive Access: Read your Gmail messages and Google Drive files to scan for sensitive data locally, and write encrypted files to your ThunderSweep Vault folder in Google Drive.
• Identity: Authenticate your Google account(s) using OAuth 2.0 so the extension can access Gmail and Drive on your behalf.
• Storage: Store your preferences, scan history, and OAuth tokens locally in your browser using Chrome's Storage API. Nothing is uploaded to our servers.
• Downloads: Allow you to save your encrypted Vault files and exported scan reports directly to your local device.
• Tabs: Detect when you open Gmail in a browser tab so the extension can inject the outbound email scanning interface into the Gmail compose window.
• Alarms: Schedule periodic background tasks including license validity checks, Vault file expiry notifications, and monitoring refresh intervals.
• Notifications: Display desktop alerts when a scan completes, when suspicious activity is detected in your inbox, or when a Vault document is approaching its expiry date.

2. How We Process Your Data

100% Local Processing:

• All Gmail and Google Drive scanning happens in your browser using JavaScript
• Attachment and file analysis is performed locally on your device
• Pattern matching for sensitive data occurs entirely client-side
• No email or Drive file content is ever sent to our servers or any third-party servers
• Drive file contents are fetched directly from Google's API to your browser — they pass through no intermediate servers. Exception: when you use the Vault Share feature, the encrypted file blob is fetched via a Cloudflare proxy operated by ThunderSecurity LLC (see Section 4 for details).

Vault Encryption:

• Files saved to your Vault are encrypted locally in your browser using AES-256-GCM before being uploaded back to your Google Drive.
• Your encryption key stays on your device. ThunderSweep servers never possess the raw key to decrypt your files.

3. What Data We Store

We Do NOT Store (on any server, ever):

• Email content or subject lines
• Google Drive file contents
• Attachment files or their contents
• Sender or recipient information
• Any personally identifiable information from your emails or Drive files

Locally in Your Browser Only (Chrome Storage API):

• OAuth tokens for Gmail and Google Drive API access
• Your scan history (dates and counts only, not email or file content)
• Google Drive scan results metadata (file names, detected category, file ID — no file content)
• User preferences and settings
• License key (if you purchase the paid version)
• Encrypted key blob for Vault access

In Your Google Drive:

• The encrypted Vault files themselves reside purely in your Google Drive, not our servers.

4. Data Sharing

We do not share, sell, rent, or trade your data with anyone. Period.

• No third-party analytics: We don't use Google Analytics or similar tools
• No advertising: We don't share data with advertisers
• No data brokers: We don't sell or provide data to third parties

Anonymous Feedback (Optional): If you submit feedback through the in-extension feedback button, your message text is sent to a Cloudflare Worker endpoint operated by ThunderSecurity LLC. No email address, account information, or any personally identifiable information is collected or transmitted. Feedback submission is entirely voluntary and only occurs when you explicitly click the Send button.

Vault Share Proxy: When you share a Vault file and a recipient opens the share link, the encrypted file is downloaded via a Cloudflare Pages Function (proxy) operated by ThunderSecurity LLC. This proxy is necessary solely as a CORS intermediary — it fetches the encrypted file from Google Drive on the recipient's behalf so their browser can perform in-browser decryption. The proxy only ever handles the AES-256-GCM encrypted blob. The decryption key exists only in the URL fragment and is never transmitted to the proxy server. Cloudflare cannot read the file contents. No file content is logged or retained by the proxy. This does not apply to your own Vault access, which is direct browser-to-Google-Drive only.

5. Google OAuth API (Gmail & Drive)

ThunderSweep uses Google's OAuth 2.0 for secure authentication. You explicitly grant permission through Google's official consent screen. The following three permissions are requested, each explained below:

• View your email messages and settings — Used to read email metadata (sender, subject, date) and message content for local sensitive-data scanning. No content is uploaded anywhere.
• Read, compose, and send emails from your Gmail account — Required for delete and mark-as-read actions you explicitly trigger in the extension. ThunderSweep never composes or sends any email on your behalf without your direct action.
• See, edit, create, and delete all of your Google Drive files — Used to scan your Drive files locally for sensitive data, to read and write files inside your ThunderSweep Vault folder, and to delete the original unencrypted file from Drive when you vault it (completing a secure move). Files are fetched directly from Google to your browser; they pass through no intermediate server. ThunderSweep only modifies or deletes Drive files in direct response to actions you explicitly trigger.

You can revoke all access at any time via your Google Account settings (myaccount.google.com → Security → Third-party apps). OAuth tokens are stored only in your browser's local storage and are never sent to our servers.

Google API Services User Data Policy: ThunderSweep's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• Data obtained via Google APIs is used only to provide ThunderSweep's core scanning and Vault features — not for advertising, profiling, or any purpose unrelated to improving your in-extension experience.
• No Gmail or Google Drive content (including email body, subject lines, file contents, or attachment data) is ever transmitted to ThunderSweep servers or any third-party server.
• We do not allow humans to read your Google user data except as required by law or as you explicitly request for support purposes.

6. Payment Information

If you purchase the paid version:

• Payment processing is handled by Gumroad (gumroad.com), our third-party payment and licensing platform. Gumroad's Privacy Policy governs how they handle your payment data.
• We do not store or have access to your credit card or payment information
• Gumroad provides us with your license key and email address for the purpose of license activation and support
• We do not share your email address with any other third parties

7. Security

We take security seriously:

• All communication with Gmail API uses HTTPS encryption
• OAuth tokens are stored securely using Chrome's storage API
• No server-side database means no risk of data breaches
• Regular security updates and code reviews

8. Your Rights

You have complete control over your data:

• Access: All your data is stored locally - you can inspect it in Chrome DevTools
• Deletion: Uninstall the extension to remove all local data
• Revoke Access: Disconnect your Gmail account at any time through the extension or Google Account settings
• Export: Export your scan results as CSV before deletion

9. Age Requirement

ThunderSweep is intended for users 18 years of age or older. By using ThunderSweep, you confirm that you are at least 18 years old. If you are under 18, you are not authorized to use this service. We are not responsible for any use of ThunderSweep by minors, including purchases made with a parent or guardian's payment method without their consent. Refunds will not be issued on this basis.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected in the "Last Updated" date at the top of this page. Continued use of ThunderSweep after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this privacy policy or how we handle data:

• Email: [email protected]
• Website: https://thundersweep.com

12. Legal Compliance

GDPR Compliance: Since we don't collect or process personal data on our servers, most GDPR requirements don't apply. However, we respect user rights and provide full transparency.

New York SHIELD Act: We implement reasonable administrative, technical, and physical safeguards to protect any private information we hold. We do not collect email content, and payment data is handled entirely by Gumroad. We do not sell personal information.

California Privacy Rights (CCPA): We do not sell personal information. All email processing is local to your device.

© 2026 ThunderSecurity LLC. All rights reserved.