Cloudsweeper Privacy Policy

Last updated: May 16, 2026

Cloudsweeper ("the App," "we," "us," or "our") is an academic research web application operated by faculty and student researchers in the Computer Science Department at the University of Illinois Chicago (UIC), in collaboration with the University of Chicago. The App helps participants in a research study browse files in their Google Drive accounts and evaluate the sensitivity and ongoing usefulness of those files. This Privacy Policy describes what data we access, how we use it, how long we keep it, and how you can delete it.

Google API Services Limited Use Disclosure

Cloudsweeper's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • We only request the Google scopes that are necessary to operate the research study, as described below.
  • We do not allow humans to read your Google user data unless one of the specific exceptions in the Limited Use requirements applies (for example, with your explicit consent for a specific research-related purpose, to comply with applicable law, or where the data has been aggregated and anonymized for internal operations such as evaluating model performance).
  • We do not use or transfer Google user data for serving advertisements.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine learning models. Any machine-learning analysis we perform is limited to providing the user-facing features of Cloudsweeper (e.g., classifying the sensitivity of a file for the user who owns it).
  • We do not sell Google user data.

Information Collected via Google Sign-In

When you sign in with Google, we receive your basic Google account profile (your Google account ID, name, email address, and profile picture) so that we can identify you across sessions, restore your prior consent choices, and display your account in the navigation bar.

Google Drive Scope We Request and Why

To carry out the file-management research tasks, the App requests the restricted OAuth scope:

https://www.googleapis.com/auth/drive.readonly

We request this scope because the App is a file-review experiment whose scientific value depends on participants reviewing the same files they actually keep in Drive. We cannot use the non-restricted drive.file scope because that scope only exposes files that were created or opened with our app, which would defeat the purpose of helping participants re-evaluate their existing Drive contents. We cannot use the drive.metadata.readonly scope alone because part of the study requires the machine-learning classifier to analyze representative file contents (e.g., text features) in order to estimate the sensitivity of a file. The App is strictly read-only: it never writes to, modifies, moves, shares, or deletes any file in your Drive.

How We Access and Use Your Drive Data

Cloudsweeper operates in two phases, both of which are optional and require your explicit consent before any Drive data is accessed:

  1. In-browser metadata listing. After you grant access, your browser queries the Google Drive API directly and renders a list of your files. This metadata (file names, sizes, modification dates, MIME types, sharing information, etc.) stays in your browser and is not transmitted to our servers unless you choose an experimental mode that requires it.
  2. Server-side sensitivity analysis. If you opt into a research experiment (the "guided" or "unguided" experiences), our backend will download a selected file's contents from Drive on your behalf, run automated analysis on it to extract sensitivity-relevant features (for example, document topics or image-classification labels via the Google Vision API), and then discard the raw file contents. The analysis runs in our research infrastructure on servers operated by the UIC research team.

What We Store and What We Do Not Store

For all users we store: your Google account ID, email, name, profile picture, and the access type (online/offline) you have granted.

If you grant offline access for the guided experiment, we additionally store an OAuth refresh token so that the analysis pipeline can fetch the files selected for review on your behalf. This refresh token is stored securely in our database and is only used to call the Drive API to analyze files selected during the study. You can revoke this token at any time from your Google account permissions page.

For participants in an experiment we additionally store derived data only, including:

  • automatically-computed feature vectors and sensitivity/retention classifier outputs for files that were analyzed (we do not store the original file contents);
  • numeric and categorical metadata about your files (e.g., file size, modification date, MIME type, number of collaborators) used as inputs to the classifier;
  • your decisions ("keep," "delete," "review later," etc.) and any free-text explanations you choose to provide about why you made a given decision;
  • timestamps of UI events used to study how participants interact with the interface;
  • optional study-recruitment identifiers you provide (e.g., a Prolific ID or a self-reported profession) so that we can compensate you and analyze results across populations.

We never store the raw contents of your Google Drive files on our servers. We never share your Drive contents with any third party, with the limited exception of sending image bytes to the Google Vision API for classification, where Google processes the bytes solely to return labels and does not retain them for other purposes per the Google Cloud terms.

Data Retention

  • Browser-only data (file lists rendered in the UI when you are not participating in an experiment) is discarded when you close the tab.
  • Raw file contents that are downloaded server-side for analysis are discarded as soon as analysis completes and are never written to disk outside of the volatile working memory of the analysis task.
  • Refresh tokens are deleted when you request account deletion, when you revoke access at your Google account, or at the end of the research study, whichever comes first.
  • Derived research data (anonymized features, decisions, explanations, timestamps) is retained for the duration of the research study and for a reasonable period afterward to permit reproducibility checks and peer review, after which it is either deleted or further aggregated/anonymized for archival publication of research results.

How to Revoke Access and Delete Your Data

You can revoke Cloudsweeper's access to your Google account at any time at https://myaccount.google.com/permissions. Revoking access immediately stops any further Drive API calls by the App on your behalf.

To delete all data we hold about you, use the "Delete my data" button in the account menu after signing in. This immediately revokes your OAuth token and permanently deletes your account record, refresh token, and all associated research data from our servers. Alternatively, email ckanich@uic.edu from the address associated with your Google account with the subject "Cloudsweeper data deletion request" and we will fulfill the request within 30 days.

Information We Share

We do not sell or rent your data. We do not share your Drive data or your research responses with advertising networks, data brokers, or any other third party. Aggregated, de-identified results may be published in peer-reviewed academic venues; individual files, individual file contents, and direct identifiers will not appear in any publication.

Security

We use industry-standard security practices to protect data we store, including TLS for all data in transit, access controls limiting database access to members of the research team, and physical/operational controls on the research infrastructure hosting the App.

Children's Privacy

Cloudsweeper is intended for use by adults age 18 and over and is not directed to children. We do not knowingly collect data from children under 13. If you believe a child has used the App, please email us so we can delete the data.

Changes to This Policy

If we materially change how we handle your data, we will update this page and the "last updated" date above. Continued use of the App after such an update constitutes acceptance of the revised Privacy Policy.

Contact

For questions about this Privacy Policy or the research study, contact: