Privacy Policy

• Your OAuth session token (JWT), stored in the OS application data directory (~/Library/Application Support/Flikt on macOS, %APPDATA%\Flikt on Windows, ~/.config/Flikt on Linux).
• Your chosen server URL and capture hotkey.
• Your signed-in email, cached for display.

The server keeps a JSON record per signed-in user containing:

• Your Google account ID (Google's opaque sub identifier).
• Your Google account email address.
• A Google Drive refresh token, encrypted at rest with AES-256-GCM. This token lets the server upload to your Drive on your behalf via the drive.file scope and nothing else.
• Per-upload metadata: a short opaque ID, the IV (initialisation vector) used to encrypt the image, an "encrypted: true" flag, and a creation timestamp.

The server does not store image bytes in plaintext. In Drive mode uploads stream straight through to your Google Drive folder; in encrypted mode (the default in v0.3.0+) the server only ever handles AES-256-GCM ciphertext — the decryption key never reaches the server.

Flikt v0.3.0+ encrypts every capture with a fresh AES-256-GCM key before upload. The key never leaves your device except as a URL fragment (the part after #), which browsers, proxies, and Cloudflare never send upstream. The viewer page at img.fisicaro.xyz/v/<id> reads the key from location.hash client-side and decrypts via the browser's built-in WebCrypto API.

What this means in practice:

• The Flikt operator (the maintainer with SSH/filesystem access) cannot view your uploads. They hold ciphertext + a few index fields (upload ID, encrypted flag, IV, creation time, owner user-ID).
• Anyone you share the full URL with — including the #k=... fragment — can decrypt and view the image. Same trust model as today's URLs; just made explicit.
• Link unfurlers (Slack, Discord, Twitter) cannot see the fragment, so encrypted images do not render inline by default. You can opt individual uploads in via the in-app History view's Make previewable toggle — that uploads a 256-pixel server-readable thumbnail. The full-resolution image stays encrypted either way.
• Decryption keys live in your device's local store. Lose the device without exporting your keys (Settings → Export keys…) and the encrypted images are unrecoverable.

Threat model

• The image files Flikt uploads, organised into Flikt/YYYY-MM/ subfolders by upload month inside a top-level Flikt folder Flikt creates in your Drive root.
• Each file is accessible only to you via your Google account, plus anyone you share a public Flikt URL with.
• The drive.file scope is "non-sensitive" by Google's classification: Flikt can only see files it created. It cannot read, modify, or list any other file in your Drive.

Encrypted captures (v0.3.0+) yield a URL of the form img.fisicaro.xyz/v/<random-id>#k=<base64-key>. Anyone with the full URL including the fragment can decrypt and view the image — anyone with only the prefix sees an inert viewer page that fails to decrypt. The random ID is 8 characters from a 64-character alphabet (effectively unguessable). Legacy uploads from pre-v0.3.0 builds are served as plaintext via the older img.fisicaro.xyz/<id> URLs and remain reachable that way until you delete them.

• From the app: open History (tray menu → History), click Delete on any image. This removes both the server's index entry and the file from your Drive.
• Directly in Drive: deleting the file from the "Flikt" folder in your Drive immediately breaks the public URL.
• Revoke access entirely: visit Google account permissions and remove Flikt. The server's cached refresh token becomes useless. Your existing images stay in Drive until you delete them.

The server enforces a per-user upload cap (default 1000). Once you hit the cap, the oldest image is automatically deleted from Drive when you upload a new one. Cap is configurable per server.

If you don't sign in to Flikt for 12 months, the maintainer reserves the right to delete your server-side record (Google account ID, email, refresh token, index). Your image files in your own Drive are not touched.

• Google — handles OAuth + Drive. Subject to Google's privacy policy.
• Cloudflare — fronts the public URL for DDoS protection. Sees IP addresses of viewers and request paths. Subject to Cloudflare's privacy policy.

Flikt itself uses no analytics, no advertising trackers, no telemetry. The server logs request metadata (path, status code, IP) to its own log file for debugging; logs rotate after 7 days.

• JWT sessions are signed with a 256-bit secret. Tokens expire after 14 days.
• Refresh tokens are kept server-side only and never sent to the desktop app. At rest they are wrapped with AES-256-GCM; the key lives in the server's environment, so the operator (who has both) can still decrypt them. This is defense in depth against a backup or file-level leak, not privacy from the operator.
• All traffic to the server is HTTPS-only via Cloudflare.
• The server source is open: github.com/FisiFla/flikt. If you find a vulnerability, please email [email protected].

Flikt is not directed at children under 13. We don't knowingly collect data from anyone under 13. If you believe a child has used Flikt, please email [email protected] and we'll remove their record.

If we materially change what's collected or shared, we'll publish a new policy here with an updated "Last updated" date. Substantial changes (new third-party processors, broader data collection) will also be announced via the GitHub repo's README.

Email [email protected] or open an issue at github.com/FisiFla/flikt/issues.