← Back to Top

Privacy Policy

This privacy policy describes how Vault-Sync ("the Plugin"), an Obsidian plugin developed by c-ardinal, handles your data.

Data We Access

Vault-Sync accesses your cloud storage account solely to synchronize your Obsidian vault files. The Plugin requests only the minimum permissions required for synchronization and cannot access files or folders that were not created by the Plugin itself.

Data We Collect

The Plugin does not collect, transmit, or store any personal data on external servers. All sync operations occur directly between your local device and your cloud storage account.

• No analytics or tracking
• No user data is sent to the developer
• No cookies or local identifiers for tracking purposes

Authentication Proxy

By default, the Plugin uses an authentication proxy hosted on Cloudflare Pages to facilitate the OAuth login flow. This proxy handles the following data transiently (in-memory only, never persisted):

• OAuth authorization codes (exchanged for tokens and immediately discarded)
• Access tokens and refresh tokens (forwarded to the Plugin and immediately discarded)

No vault data, file contents, or file metadata passes through this proxy. The proxy is used solely for the initial login and token refresh operations. You may opt out of using this proxy by configuring your own OAuth credentials in the Plugin settings.

Data Storage

• Authentication credentials (tokens, encryption secrets) are stored via Obsidian's SecretStorage API. In environments where SecretStorage is unavailable, the Plugin automatically falls back to local file storage encrypted with a device-specific key (AES-GCM). Credentials are used only to authenticate with your cloud storage provider.
• Vault files are synchronized between your local device and your cloud storage. If End-to-End Encryption (E2EE) is enabled, files are encrypted locally before being uploaded.
• Sync metadata (file hashes, timestamps) is stored locally and on your cloud storage to manage synchronization state.

End-to-End Encryption (E2EE)

When E2EE is enabled, all vault content is encrypted on your device before upload using AES-256-GCM. The encryption password is never transmitted or stored remotely. Only encrypted data is stored on your cloud storage, and decryption occurs exclusively on your local device.

Large files exceeding a configurable threshold are encrypted and uploaded in chunks (streamed transfer). All chunks are fully encrypted before leaving your device; no plaintext data is transmitted at any point.

Password changes re-wrap the master key locally without re-encrypting data. Recovery codes (Base64-encoded master key) are generated and displayed exclusively on your device and are never transmitted to any server. Key fingerprints are computed locally for visual verification.

Third-Party Services

The Plugin integrates with the following services. Only the services you choose to connect are accessed.

Cloudflare Pages

The default authentication proxy runs on Cloudflare Pages. Cloudflare may process request metadata (IP addresses, request headers) in accordance with their Privacy Policy. No vault data is sent to Cloudflare.

Google Drive

When using Google Drive as your sync provider, the Plugin uses the drive.file OAuth scope, which limits access to only files and folders created by the Plugin. The Plugin's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. For details, see Google's Privacy Policy.

Data Deletion

You can revoke the Plugin's access to your cloud storage at any time through your cloud storage provider's account settings. Uninstalling the Plugin removes all locally stored data, including authentication credentials and sync metadata. Files previously synced to your cloud storage will remain there until you delete them manually.

Contact

If you have questions about this privacy policy, please open an issue on the GitHub repository.

Last updated: March 4, 2026