
Privacy Policy

Last updated: May 3, 2026

1. Data controller

  • Owner: Gonzalo Vasco López
  • Tax ID: 34884272B
  • Address: Rúa Farillon 10, 1ºE, 27890 San Ciprián, Lugo, Spain
  • Email: info@nubbo.app

2. Data we collect

Nubbo collects and processes the following personal data:

2.1 Account data

  • Name and email: provided during registration to identify your account.
  • Password: stored using a cryptographic hash (bcrypt). We never store your password in plain text.
  • Last login: date and time of your most recent sign-in.

2.2 Security data

  • 2FA secret and recovery codes: if you enable two-factor authentication, we store the TOTP secret and recovery codes using bcrypt hashing.
  • IP address and User-Agent: collected at each login and stored alongside session tokens to allow active session management.

2.3 Cloud provider credentials

  • Access keys (Access Key ID and Secret Access Key): encrypted at rest with AES-256-GCM. The encryption key is stored as an environment variable, never in the database.

2.4 File metadata

  • File names, paths, sizes, and types: stored in our database as an index of your cloud storage. They are synchronized each time you browse a folder. When you delete a file, it is moved to a trash bin for 30 days before being permanently removed from our servers and your cloud storage. Metadata is also deleted when the provider or account is removed. Nubbo does not store or access your file contents.
  • Favorite markers: the date when you mark a file as a favorite.
  • Assigned labels: references to the labels you associate with each file (see section 2.12).

2.5 Shared link data

  • Link tokens, optional passwords (bcrypt hashed), expiration dates, download counters, and view counters.

2.6 Gallery data

  • Gallery configuration: title, description, layout style, theme, accent color, cover photo, and download options.
  • Branding: name, logo URL, and website URL (optional).
  • Access: optional password (bcrypt hashed) and expiration date.
  • Counters: gallery views and downloads.

2.7 Gallery visitor data

When a third party accesses a shared gallery, Nubbo may collect:

  • Name and email: voluntarily provided by the visitor. If the visitor provides an email address, it is used to identify them in subsequent visits and recover their favorites.
  • Session identifier: automatically generated in the visitor's browser and stored temporarily (deleted when the browser tab is closed).
  • Favorite images: images marked as favorites by the visitor.
  • Download logs: individual and ZIP downloads made by the visitor.

If the visitor is a registered Nubbo user and accesses the gallery while logged in, their account data (name and email) is automatically used to identify them as a visitor.

This data is processed under a joint controllership arrangement between Nubbo and the gallery owner pursuant to Article 26 of the GDPR: Nubbo determines the technical means (identification form, storage, session cookies, download logs) and the owner determines the purpose (managing how their client views the photos). See section 15 for information addressed specifically to visitors.

2.8 File requests

  • Configuration: name, description, allowed file types, and maximum file size.
  • Access: unique token, optional password (bcrypt hashed), and expiration date.
  • Counters: number of uploads and views.

Files uploaded by third parties through file requests are stored directly in the user's bucket. Nubbo does not keep copies.

2.8.2 Password Reveal by email

When the owner of a password-protected share, gallery or file request decides to send the password to a recipient via a one-time email link, Nubbo temporarily stores:

  • Unique token, encrypted password (AES-256-GCM), recipient email, optional note, creation date, configurable expiration (24 hours, 3 or 7 days), and link status (viewed, expired, revoked or invalidated by password change).

The link self-invalidates the first time it is viewed, when it expires, when the resource password changes, or when the resource is deleted. The plain password is never stored long-term; it only stays AES-encrypted inside the temporary token until the token is consumed or expires.

2.8.1 File request visitor data

When a third party accesses a file request, Nubbo may collect:

  • Name and email: voluntarily provided by the visitor. If the visitor provides an email address, it is used to identify them in subsequent visits.
  • Session identifier: automatically generated in the visitor's browser and stored temporarily (deleted when the browser tab is closed).
  • Upload records: name, size, and type of each file uploaded by the visitor.

If the visitor is a registered Nubbo user and accesses the file request while logged in, their account data (name and email) is automatically used to identify them as a visitor.

This data is processed under a joint controllership arrangement between Nubbo and the file request owner pursuant to Article 26 of the GDPR: Nubbo determines the technical means (identification form, storage, session cookies, upload logs) and the owner determines the purpose (receiving files from their client). See section 15 for information addressed specifically to visitors.

2.9 Thumbnails and watermarks

  • Thumbnails: Nubbo generates smaller versions of images on demand to improve browsing.
  • Watermarks: watermarked versions generated on demand for galleries.

These files are stored in the user's bucket within the .nubbo-thumbs/ directory. They are automatically deleted when the associated gallery is removed or when the account is deleted. Since they reside in your own cloud storage, you can also delete them manually at any time.

2.10 Preferences

  • Theme, language, default view type, and thumbnail display: stored in your account to personalize your experience.

2.11 Technical logs

  • HTTP request logs: method, URL, status code, IP, and User-Agent. These logs are written to the server console only and are not persisted to the database.

2.12 Labels

  • Name and color of the labels you create to classify your files. They are stored linked to your account and deleted when the account is removed.

2.13 Contact and help form data

When you fill in the contact form on the public website or the help form in Settings, Nubbo collects:

  • Name, email, subject and message: voluntarily provided.

This data is not stored in our database. It is sent directly by email (via Resend, see section 5) to Nubbo's support inbox and retained there for the time needed to address your request.

3. Purpose of processing

  • Account management: creation, authentication, and maintenance of your account.
  • Service delivery: connecting to your cloud providers, browsing and managing files, sharing via links, galleries, and file requests.
  • Security: protecting your account through encryption, 2FA, and session management.
  • Communications: sending verification, password recovery, account deletion notifications and one-time email links to reveal passwords of shared resources.

4. Legal basis

  • Consent (Art. 6.1.a GDPR): by registering and accepting the terms.
  • Performance of a contract (Art. 6.1.b GDPR): necessary to provide the requested service.
  • Legitimate interest (Art. 6.1.f GDPR): system security, fraud prevention, and technical logs.

5. Recipients

  • Resend: email delivery service, used exclusively for sending Nubbo transactional emails (verification, password recovery, account notifications and one-time links to reveal passwords of shared resources).
  • We do not share data with any other third party. We do not use analytics, advertising, or tracking services.

You can consult the complete and updated list of subprocessors at /subprocessors/.

6. International transfers

To send emails (account verification, password recovery, account notifications and one-time links to reveal passwords of shared resources), Nubbo uses Resend, a service based in the United States. When sending these emails, your email address (or the recipient's email you provide in the case of password reveal) is transferred to Resend's servers in the US. This transfer is covered by the Standard Contractual Clauses (SCCs) approved by the European Commission, which ensure an adequate level of data protection.

Beyond this service, Nubbo does not transfer your personal data to third countries. The cloud storage providers you connect are chosen by you and your relationship with them is your responsibility. We recommend reviewing the privacy policies of your cloud providers.

7. Data retention

  • Account data: retained while the account is active. Upon a deletion request, a 30-day grace period applies during which the account is suspended and data is retained. After 30 days, all data is permanently deleted. Users can request immediate deletion without a grace period from Settings.
  • Sessions: refresh tokens expire automatically and are deleted.
  • File metadata: retained while the associated cloud provider is active. When files are deleted, they are retained in a trash bin for 30 days before permanent deletion. Immediately deleted when the provider or account is removed.
  • Galleries and visitor data: retained while the gallery is active. If the gallery folder is moved to trash, the gallery remains inactive and is reactivated upon folder restoration. Permanently deleted when the folder is permanently removed, or when the provider or account is deleted.
  • File requests and visitor data: retained while the request is active. If the destination folder is moved to trash, the request is temporarily deactivated and reactivated upon folder restoration. Permanently deleted when the folder is permanently removed, or when the provider or account is deleted.
  • Thumbnails and watermarks: stored in the user's bucket. Automatically deleted when the associated gallery is removed or when the account is deleted.
  • Data export requests:
    • Request record (status, timestamps, failure reason): kept in our database for a maximum of 90 days after completion, then deleted automatically. Also deleted immediately if the user deletes their account.
    • Generated .json.gz file (bucket flow): if the user selects a provider, the file is uploaded to the Nubbo/Exports/ folder of their bucket. It belongs to the user and remains there until they delete it; Nubbo does not manage it or delete it automatically, not even on account deletion (the bucket is the user's).
    • Generated .json.gz file (direct download flow): if the user has no active provider, the file is streamed directly to the browser and is not stored anywhere: not in Nubbo's infrastructure, not in any bucket. Once the download completes, no copy of the file remains in our systems.
  • Technical logs: not persisted to the database.

8. Account deletion

You can delete your account at any time from Settings → Delete account. The deletion process has two stages:

  1. Grace period (30 days): your account is marked as inactive but the data is preserved. During this time you cannot access Nubbo and all public links (galleries, shares, file requests) respond as unavailable. You can reactivate your account by logging in with your password. You will receive a reminder email 7 days before permanent deletion.
  2. Permanent deletion (day 31): all data is permanently and irreversibly deleted. This includes your profile, provider connections, galleries, shares, file requests, thumbnails and watermarks generated in your storage.

If you need immediate deletion without the grace period (for example, exercising the GDPR right to erasure), it is available as an option within the same flow in Settings.

Important: files in your own cloud storage (DigitalOcean Spaces, AWS S3, etc.) are not deleted because they belong to your provider account and remain intact.

9. User rights

In accordance with the GDPR and Spanish LOPD-GDD, you may exercise the following rights:

  • Access: know what data we hold about you.
  • Rectification: correct inaccurate data.
  • Erasure: delete your account from Settings (with grace period or immediate) or request it by email.
  • Portability: you can request a copy of your personal data in compressed JSON format (.json.gz) from Settings → Export data. If you have one or more storage providers configured, you can choose which of your buckets to upload the file to: it will be generated in the background and saved to the Nubbo/Exports/ folder of the bucket you select; you will receive an email when it is ready. If you do not have an active provider, you can download the file directly from your browser. You may also request it by email at info@nubbo.app.
  • Restriction: request restriction of processing.
  • Objection: object to the processing of your data.

To exercise these rights through additional channels, send an email to info@nubbo.app.

Nubbo will respond to your request within a maximum of one month from receipt, in accordance with Article 12 of the GDPR. This period may be extended by a further two months when necessary, taking into account the complexity and number of requests, and we will inform you of any such extension and the reasons for it within the first month.

You also have the right to file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

10. Security measures

  • Credential encryption with AES-256-GCM.
  • Passwords stored with bcrypt hashing.
  • Communications encrypted via HTTPS/TLS.
  • Session tokens with automatic expiration.
  • Optional two-factor authentication (TOTP).

11. Security breach notification

In the event of a security breach affecting your personal data, Nubbo will notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours from becoming aware of it, in accordance with Article 33 of the GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with Article 34 of the GDPR. The notification will describe the nature of the breach, its likely consequences, the measures taken to address it, and the steps you can take to protect yourself.

12. Cookies and local storage

Nubbo uses a single strictly necessary cookie for security purposes:

  • nubbo_rt (httpOnly cookie): stores the refresh token used to renew your session. This cookie is httpOnly (not accessible to JavaScript), secure (sent only over HTTPS in production), and scoped to the API path (/api). It expires after 7 days (or 30 days if you select "Remember me"). As a strictly necessary cookie for the operation of the service, it does not require prior consent under Spanish LSSI-CE Article 22.2.

We also use the browser's localStorage to store:

  • Short-lived access token: needed for API authorization, expires after 15 minutes.
  • Basic account data: name, email, and preferences to display in the interface without querying the server.
  • Interface preferences: theme and language.
  • Media player volume: to preserve your volume setting between sessions.
  • Gallery session identifiers: a unique temporary identifier for each gallery you visit, stored in sessionStorage (automatically deleted when the browser tab is closed).

We do not use any analytics, advertising, or tracking cookies. This information is stored exclusively in your browser, is not sent to third parties, and is deleted when you log out or clear your browser data.

13. Data provision requirements

To create an account and use the service, you must provide your name, email address, and password. Without this data, it is not possible to register or access Nubbo.

Connecting cloud providers (Access Key ID and Secret Access Key) is required to use the file management features. Without these credentials, the account will exist but will not be able to operate on any storage.

All other data (2FA activation, gallery data, visitor data, preferences) is optional and is only collected when you choose to use the corresponding features.

14. Automated decision-making

Nubbo does not carry out automated decision-making or profiling within the meaning of Article 22 of the GDPR. No personal data is used to make automated decisions that produce legal effects or significantly affect you.

15. Information for gallery and file request visitors

If you have accessed a gallery or file request through Nubbo (for example, via a link sent to you by a photographer, professional or individual), you should know the following:

15.1 Joint controllership (Art. 26 GDPR)

Your data as a visitor (name, email, favorites, downloads or uploaded files) is processed under a joint controllership arrangement between Nubbo and the owner of the gallery or file request:

  • Nubbo determines the essential technical means: the identification form shown to you, the fields requested, the storage of the data, session cookies and download or upload logs.
  • The owner determines the specific purpose: why they create the gallery or request and what they do with the collected data (delivering photos, receiving files, contacting you, etc.).

Both of us are accountable to you for GDPR compliance.

15.2 How to exercise your rights

Pursuant to Article 26.3 of the GDPR you can exercise your rights (access, rectification, erasure, restriction, objection and portability) against either of the joint controllers:

  • Against Nubbo: write to info@nubbo.app. We will handle your request directly and notify the owner so they can remove any local copy of your data they may have.
  • Against the owner: contact them through the channels they have provided. The owner has the direct relationship with you and knows the context in which your data was collected.

We will respond to any request within a maximum of one month pursuant to Article 12 of the GDPR.

15.3 Complaints

If you are not satisfied with the response, you can file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

© 2026 Nubbo. All rights reserved.