Privacy Policy

Last updated: December 31, 2025

Overview

WhoHas ("we", "our", or "us") is a Google Workspace permission auditing tool. We are committed to protecting your privacy and being transparent about how we handle your data.

What Data We Access

When you sign in with Google, we request read-only access to your Google Drive file metadata. This includes:

  • File names and types
  • File ownership information
  • Sharing permissions (who has access to each file)
  • Last modified dates

We do not access the contents of your files. We only read metadata to analyze sharing permissions.

How We Use Your Data

Your file metadata is used to generate your permission audit report and help you manage file sharing across your Google Workspace.

Data Storage

When you use WhoHas with a paid account, we store the following data on our servers:

  • Your email address and workspace domain (for account identification)
  • Scan history (when scans were run, file counts)
  • Audit findings (file IDs, names, links, permission details, risk classifications)
  • Your actions on findings (ignored, snoozed, acknowledged status)
  • Starred/favorited files
  • Your subscription status and payment information (processed by Stripe)

This data is stored so you can track changes over time, manage findings, and maintain a history of your audits. We do not use this data for any purpose other than providing the WhoHas service to you.

Data Sharing

We do not sell, rent, or share your data with third parties for marketing purposes. We may share data only in the following limited circumstances:

  • With service providers who help us operate (e.g., Stripe for payment processing, Supabase for data storage)
  • When required by law or to protect our rights

Google API Services

WhoHas uses Google API Services. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Security

We implement security measures to protect your data:

  • All data is transmitted over HTTPS
  • We use secure OAuth 2.0 for Google authentication
  • Access tokens are stored securely and refreshed as needed
  • We request only the minimum permissions needed (drive.metadata.readonly)
  • Database access is restricted using row-level security policies

Your Rights

You have the right to:

  • Revoke our access to your Google account at any time via your Google Account settings
  • Request deletion of your account and all associated data by contacting us
  • Access information about what data we hold about you

Cookies and Analytics

We use Umami, a privacy-focused analytics tool, to understand how our service is used. Umami does not use cookies and does not collect personal information. We use this data to improve our service.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this privacy policy or our data practices, please contact us at: hello@whohas.co