Privacy Policy
Last updated: March 16, 2026
1. Data controller
- Owner: Gonzalo Vasco López
- Tax ID: 34884272B
- Address: Rúa Farillon 10, 1ºE, 27890 San Ciprián, Lugo, Spain
- Email: info@nubbo.app
2. Data we collect
Nubbo collects and processes the following personal data:
2.1 Account data
- Name and email: provided during registration to identify your account.
- Password: stored using a cryptographic hash (bcrypt). We never store your password in plain text.
- Last login: date and time of your most recent sign-in.
2.2 Security data
- 2FA secret and recovery codes: if you enable two-factor authentication, we store the TOTP secret and recovery codes using bcrypt hashing.
- IP address and User-Agent: collected at each login and stored alongside session tokens to allow active session management.
2.3 Cloud provider credentials
- Access keys (Access Key ID and Secret Access Key): encrypted at rest with AES-256-GCM. The encryption key is stored as an environment variable, never in the database.
2.4 File metadata
- File names, paths, sizes, and types: stored in our database as an index of your cloud storage. They are synchronized each time you browse a folder and removed when the file is deleted from your storage, you remove the provider, or you delete your account. Nubbo does not store or access your file contents.
2.5 Shared link data
- Link tokens, optional passwords (bcrypt hashed), expiration dates, download counters, and view counters.
2.6 Gallery data
- Gallery configuration: title, description, layout style, theme, accent color, and download options.
- Branding: author name, logo URL, and website URL (optional).
- Access: optional password (bcrypt hashed) and expiration date.
- Counters: gallery views and downloads.
2.7 Gallery visitor data
When a third party accesses a shared gallery, Nubbo may collect:
- Name and email: voluntarily provided by the visitor.
- Session identifier: automatically generated in the visitor's browser.
- Favorite images: images marked as favorites by the visitor.
- Selections: images selected by the visitor, along with their name and email if provided.
- Download logs: individual and ZIP downloads made by the visitor.
The gallery owner (registered Nubbo user) is responsible for informing their visitors about the collection of this data.
2.8 File requests
- Configuration: name, description, allowed file types, and maximum file size.
- Access: unique token, optional password (bcrypt hashed), and expiration date.
- Counters: number of uploads and views.
Files uploaded by third parties through file requests are stored directly in the user's bucket. Nubbo does not keep copies.
2.9 Thumbnails and watermarks
- Thumbnails: Nubbo generates smaller versions of images on demand to improve browsing.
- Watermarks: watermarked versions generated on demand for galleries.
These files are stored in the user's bucket within the .nubbo-thumbs/ directory. They are automatically deleted when the associated gallery is removed. Since they reside in your own cloud storage, you can also delete them manually at any time.
2.10 Preferences
- Theme, language, default view type, and thumbnail display: stored in your account to personalize your experience.
2.11 Technical logs
- HTTP request logs: method, URL, status code, IP, and User-Agent. These logs are written to the server console only and are not persisted to the database.
3. Purpose of processing
- Account management: creation, authentication, and maintenance of your account.
- Service delivery: connecting to your cloud providers, browsing and managing files, sharing via links, galleries, and file requests.
- Security: protecting your account through encryption, 2FA, and session management.
- Communications: sending verification and password recovery emails.
4. Legal basis
- Consent (Art. 6.1.a GDPR): by registering and accepting the terms.
- Performance of a contract (Art. 6.1.b GDPR): necessary to provide the requested service.
- Legitimate interest (Art. 6.1.f GDPR): system security, fraud prevention, and technical logs.
5. Recipients
- Resend: email delivery service, used exclusively for sending verification and password recovery emails.
- We do not share data with any other third party. We do not use analytics, advertising, or tracking services.
6. International transfers
Nubbo does not transfer your personal data to third countries. The cloud storage providers you connect are chosen by you and your relationship with them is your responsibility. We recommend reviewing the privacy policies of your cloud providers.
7. Data retention
- Account data: retained while the account is active. Deleted upon account deletion request.
- Sessions: refresh tokens expire automatically and are deleted.
- File metadata: retained while the associated cloud provider is active. Deleted when the provider or account is removed.
- Galleries and visitor data: retained while the gallery is active. Deleted when the gallery, provider, or account is removed.
- File requests: retained while the request is active. Deleted when the request, provider, or account is removed.
- Thumbnails and watermarks: stored in the user's bucket. Automatically deleted when the associated gallery is removed. Thumbnails generated outside of galleries remain in the user's bucket.
- Technical logs: not persisted to the database.
8. User rights
In accordance with the GDPR and Spanish LOPD-GDD, you may exercise the following rights:
- Access: know what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Portability: receive your data in a structured format.
- Restriction: request restriction of processing.
- Objection: object to the processing of your data.
To exercise these rights, send an email to info@nubbo.app.
You also have the right to file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
9. Security measures
- Credential encryption with AES-256-GCM.
- Passwords stored with bcrypt hashing.
- Communications encrypted via HTTPS/TLS.
- Session tokens with automatic expiration.
- Optional two-factor authentication (TOTP).
10. Cookies and local storage
Nubbo uses a single strictly necessary cookie for security purposes:
- nubbo_rt (httpOnly cookie): stores the refresh token used to renew your session. This cookie is httpOnly (not accessible to JavaScript), secure (sent only over HTTPS in production), and scoped to the API path (/api). It expires after 7 days (or 30 days if you select "Remember me"). As a strictly necessary cookie for the operation of the service, it does not require prior consent under Spanish LSSI-CE Article 22.2.
We also use the browser's localStorage to store:
- Short-lived access token: needed for API authorization, expires after 15 minutes.
- Basic account data: name, email, and preferences to display in the interface without querying the server.
- Interface preferences: theme and language.
- Media player volume: to preserve your volume setting between sessions.
- Gallery session identifiers: a unique identifier for each gallery you visit, stored in your browser.
We do not use any analytics, advertising, or tracking cookies. This information is stored exclusively in your browser, is not sent to third parties, and is deleted when you log out or clear your browser data.