Get started

Privacy Policy

This privacy policy explains how WP Cloud Plugins (“we”, “us”, “our”) collects, uses, and protects your data when you visit synkivo.com or use the Synkivo plugin for WordPress.

Last updated: 28-05-2026

1. Our principles

We follow three simple rules:

  • We collect as little personal information as possible.
  • We only share personal information when it is needed to provide our services, comply with the law, or protect our rights.
  • We do not use analytics, advertising pixels, or other marketing trackers on our website.

2. Who we are

The data controller for this website and the Synkivo plugin is:
WP Cloud Plugins
Kwikstaartlaan 42 (Box C2957)
3704GS Zeist
The Netherlands

3. Website: synkivo.com

Server logs

When you visit synkivo.com, our hosting provider automatically collects standard server log data. This includes:

  • Your IP address
  • Browser type and version
  • Operating system
  • Date and time of your visit
  • Pages visited

 

This data is collected for security and stability purposes. It is not combined with other data sources and is not used to identify you. Server logs are automatically deleted within 30 days.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining website security and stability.

Cookies

synkivo.com does not use analytics cookies, advertising cookies, or marketing trackers.

We may rely on essential website technologies provided by our infrastructure and security providers, such as Cloudflare, to protect and deliver the website. These services may process technical data such as your IP address, browser information, and security-related request data.

If you purchase a license through a checkout provided by Freemius, Freemius may set cookies or similar technologies on their own domain during the payment process. See section 5 for details.

Contact and support forms

If you contact us by email or through our support channel, we collect the information you provide to us, such as your name, email address, and the content of your message. We use this information only to respond to your inquiry, provide support, and follow up when needed.

Support requests may be handled through a third-party help desk provider. If so, your message and contact details will also be processed by that provider on our behalf.

If you request technical support, you may also choose to send us diagnostic information such as your site URL, screenshots, configuration details, log excerpts, or sample files. We use that information only to investigate and resolve the issue.

We retain support correspondence for as long as needed to handle your request and maintain an accurate support history, after which it is deleted or anonymized where appropriate.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in responding to customer inquiries and providing support.

4. Plugin: Synkivo for WordPress

The Synkivo plugin runs on your own WordPress server. Once configured, all file and account communication is direct, encrypted, and runs between your server and your chosen cloud storage provider. With one exception described below — the optional one-click OAuth setup available in the paid versions — this communication does not pass through WP Cloud Plugins servers, and we do not have access to your files.

IMPORTANT: The OAuth proxy described in this section only applies to the OAuth 2.0 cloud providers (Dropbox, Google Drive, OneDrive & SharePoint, and pCloud) and only when you use Synkivo’s built-in one-click setup. If you configure your own app (your own client ID and secret), or if you use a non-OAuth provider such as Nextcloud, ownCloud, or an S3-compatible service, all authentication is handled directly between your server and the provider, and the proxy does not apply.

What the plugin does not do

  • The plugin does not send your files or file contents to WP Cloud Plugins.
  • File and API communication always happens directly between your server and your cloud storage provider. It never passes through WP Cloud Plugins servers.
  • For most providers, authentication is also direct between your server and the provider. The only exception is the optional one-click setup in the paid versions for OAuth providers (Dropbox, Google Drive, OneDrive & SharePoint, pCloud), where the OAuth authorization redirect briefly passes through synkivo.com. If you use your own app credentials, even this step is fully direct. See “Authenticating OAuth providers” below.
  • The plugin does not inject analytics, advertising code, or tracking pixels into your site.
  • The plugin does not send usage analytics to WP Cloud Plugins. License checks and related licensing features are handled through Freemius as described in section 5.

Data processed by the plugin

The Synkivo plugin processes data on your WordPress server. As a site operator using Synkivo, you are the data controller for your visitors’ data. The plugin processes:

Cloud account credentials

When you connect a cloud storage account, the plugin stores encrypted credentials on your server. Depending on the provider this may be an app password or secret key (for example Nextcloud, ownCloud, or an S3-compatible service), or an OAuth access token and refresh token (for Dropbox, Google Drive, OneDrive & SharePoint, and pCloud). These credentials are stored encrypted on your own server and are used only to connect your WordPress site to your configured cloud storage account. They are never transmitted to or stored by WP Cloud Plugins

Authenticating OAuth providers (Dropbox, Google Drive, OneDrive & SharePoint, pCloud)

The OAuth providers require an OAuth 2.0 authorization before the plugin can access your account. Synkivo supports two ways to do this:

  1. Your own app (all versions, required in the free/lite version). You register your own application with the cloud provider and configure its client ID, secret, and redirect URI. The entire OAuth flow then runs directly between your server and the cloud provider. No WP Cloud Plugins server is involved at any point.
  2. One-click setup using Synkivo’s built-in app (paid versions only). To save you from registering your own app, the paid versions can use a built-in app whose OAuth flow is routed through an authentication proxy on synkivo.com.

Server data collected during OAuth (built-in app / one-click setup only)

When you use the built-in app to authorize a provider, the OAuth flow briefly passes through our authentication server on synkivo.com. During that flow we record:

  • Your IP address
  • Browser type and version
  • Operating system
  • Date and time
  • Your WordPress site URL
  • Your Freemius license code
  • A short-lived authorization code generated by the OAuth flow

The authorization code can only be used once and becomes inactive after it has been exchanged for an access and refresh token, or within minutes if it is not used. The license code is validated for licensing purposes. None of this data is sold, shared, or transferred to third parties. It is deleted within 7 days unless required for an active investigation.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in operating the built-in authentication app and validating licenses.

How the one-click OAuth proxy works

After you grant access on the cloud provider’s consent screen, you are redirected to synkivo.com, which then redirects you back to your own site to finalize the authorization. The short-lived authorization code is exchanged on your own server for an access token and refresh token, which are stored encrypted on your server. From that point on, all communication runs directly between your server and the cloud storage provider. This redirect via synkivo.com exists only so that you do not need to create your own cloud app, configure redirect URIs, or maintain your own client credentials. It does not give us access to your account or files.

What WP Cloud Plugins does not have

Whether you use the built-in app or your own app, we do not have access to, store, or transfer:

  • Your files or file contents
  • The list of files in your cloud account
  • Your access tokens or refresh tokens (these stay encrypted on your server)
  • Personal data about visitors to your WordPress site

File metadata

The plugin retrieves and caches file metadata (names, sizes, modification dates, paths, share links) from your cloud storage. This data is stored temporarily in your server’s file cache and is automatically cleared based on the configured cache duration.

Visitor interactions

When visitors use a Synkivo module (file browser, gallery, upload box, etc.) on your site, the plugin processes their actions (browsing, downloading, uploading, searching) through your WordPress REST API. These actions are handled server-side and are subject to your own site’s privacy policy and server logging.

Statistics (optional)

If you enable the Statistics feature, the plugin logs file events such as downloads, uploads, previews, searches, and other file actions in your WordPress database. Logged data may include the WordPress user ID, file and folder identifiers, file name, file path, file size, event type, page location, module ID, and timestamp. All statistics data is stored on your server and is never transmitted to WP Cloud Plugins. You control retention and can delete this data at any time from the plugin settings.

Upload data

Files uploaded by visitors through the plugin are transferred directly from the visitor’s browser to your WordPress server, and then from your server to your cloud storage. Uploaded files are not stored permanently on your WordPress server. Temporary upload data is deleted after the transfer completes.

Cookies and Local Storage

The Synkivo plugin uses the browser’s sessionStorage to remember the viewer’s navigation state, such as the current folder and view mode, within a single browser tab. This data is automatically cleared when the tab is closed. It is not shared across tabs or sent to WP Cloud Plugins.

Some plugin features may also use a short-lived browser cookie when needed to support a specific interaction, such as preserving upload form state. These cookies are functional only and are not used for analytics or advertising.

5. Freemius (licensing and payments)

The Synkivo plugin uses the browser’s sessionStorage to remember the viewer’s navigation state, such as the current folder and view mode, within a single browser tab. This data is automatically cleared when the tab is closed. It is not shared across tabs or sent to WP Cloud Plugins.

Some plugin features may also use a short-lived browser cookie when needed to support a specific interaction, such as preserving upload form state. These cookies are functional only and are not used for analytics or advertising.

We use Freemius to handle licensing, plugin updates, checkout, and related customer account functions for Synkivo.

What Freemius collects

When you purchase a Synkivo license, Freemius processes the transaction and stores the customer and license data needed to complete the purchase, manage your subscription, and provide access to updates. This may include:

  • Name and email address
  • Billing details
  • Payment-related information processed through Freemius and its payment providers
  • License key and associated domain or site URL

 

Your use of Freemius is also subject to the Freemius privacy policy: https://freemius.com/privacy/

License validation

The Synkivo plugin includes the Freemius SDK, which periodically contacts Freemius servers for license verification, update delivery, and related account functions. This may include data such as:

  • Your site URL
  • Plugin version
  • License key or license identifier
  • PHP and WordPress version

 

This data is used for licensing and update-related functions. You can review the full details in the Freemius privacy policy: https://freemius.com/privacy/

Optional usage tracking

During plugin activation, Freemius may ask whether you want to opt in to anonymous usage tracking. This is entirely optional. If you opt in, Freemius collects non-personal technical data (PHP version, WordPress version, active plugins) to help us improve compatibility. You can opt out at any time from the plugin settings. If you skip or decline, no usage data is collected.

6. Cloud storage providers

Synkivo connects to cloud storage services that you configure. The plugin supports Nextcloud, ownCloud, AWS S3, Wasabi, DigitalOcean Spaces, Cloudflare R2, Backblaze B2, MinIO, and other S3-compatible providers, as well as the OAuth 2.0 providers Dropbox, Google Drive, OneDrive & SharePoint, and pCloud.

When you connect a cloud storage account, the data exchanged between your WordPress server and your cloud provider is governed by that provider’s terms and privacy policy. WP Cloud Plugins does not act as an intermediary in that communication and does not have access to your files unless you separately provide them to us for support purposes.

You are responsible for reviewing and accepting the privacy policies of your chosen cloud storage provider.

Some of our service providers or the providers you choose to use with Synkivo may process personal data outside your country or outside the European Economic Area. Where required, we rely on appropriate contractual, technical, or organizational safeguards.

Cloud provider permissions (OAuth scopes)

For the OAuth providers, Synkivo requests specific OAuth scopes when you connect an account. These scopes are granted by you during the standard OAuth consent flow on the cloud provider’s own consent screen. The non-OAuth providers (Nextcloud, ownCloud, S3-compatible, and others) do not use OAuth and are not covered here.

Google Drive

  • (optional) Google Drive — Application folder — https://www.googleapis.com/auth/drive.file Lets the plugin see, download, edit, create, and delete only the Google Drive files you use with the plugin. The plugin cannot access content on your Google Drive that was not opened or created via the plugin.
  • (optional) Google Drive — Read-only — https://www.googleapis.com/auth/drive.readonly Lets the plugin list and download files from your Google Drive.
  • (optional) Google Drive — Full access — https://www.googleapis.com/auth/drive Lets the plugin see, download, edit, create, and delete all of your Google Drive files. Required for full management of your files through the plugin modules (uploading, renaming, editing, deleting, sharing).
  • Google User Profile — https://www.googleapis.com/auth/userinfo.profile Used for locale detection and to display your name and profile picture in the plugin dashboard.
  • Google User Email — https://www.googleapis.com/auth/userinfo.email Used for locale detection and to display your email in the plugin dashboard.

Use of Google API Services

Synkivo’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.See also the Google Privacy Policy.

Dropbox

  • files.content.read — read file content and metadata. Used to list, preview, and download files.
  • files.content.write — create, edit, and delete files.
  • sharing.write — create and manage shared links and sharing settings.
  • account_info.read — read your name, email, and profile picture for account identification in the plugin dashboard.

See also the Dropbox Privacy Policy and the Dropbox Terms of Service.

OneDrive & SharePoint

  • offline_access — allows the plugin to maintain access to the content on behalf of the user. Required so that the plugin can refresh its access without prompting you on every action.
  • User.Read — used for locale detection and to display your name, email, and profile picture in the plugin dashboard.
  • (optional) Files.Read — allows the plugin to read the signed-in user’s files.
  • (optional) Files.Read.All — allows the plugin to read all files the signed-in user can access.
  • (optional) Files.ReadWrite — allows the plugin to read, create, update, and delete the signed-in user’s files.
  • (optional) Files.ReadWrite.All — allows the plugin to read, create, update, and delete all files the signed-in user can access.
  • (optional) Sites.Read.All — allows the plugin to read documents and list items in all site collections on behalf of the signed-in user.
  • (optional) Sites.ReadWrite.All — allows the plugin to edit or delete documents and list items in all site collections on behalf of the signed-in user.

See also the Microsoft Privacy Statement and the Microsoft APIs Terms of Use.

pCloud

pCloud uses OAuth 2.0 but does not expose granular permission scopes. When you authorize the plugin, pCloud issues an access token that lets the plugin access your pCloud account through the pCloud API (listing, previewing, downloading, uploading, editing, deleting, and sharing files through the plugin modules), together with your basic account details (name, email, profile picture) shown in the plugin dashboard.

See also the pCloud Privacy Policy.

7. Children

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

8. Security

We take appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. This includes:

  • Encrypted storage of sensitive plugin credentials on your server
  • HTTPS encryption for communication between the plugin and supported cloud storage providers
  • HTTPS encryption for communication with synkivo.com and our service providers
  • Access controls and operational safeguards appropriate to the data we process

 

No system is completely secure. If you discover a security vulnerability, please report it. You can follow the instructions in the documentation to report it.

9. Changes to this policy

We may update this privacy policy from time to time. Any changes will be posted on this page and the “Last updated” date will be revised accordingly.

10. Contact

If you have questions about this privacy policy or how your data is handled, contact us at [email protected]