Legal

Privacy Policy

Last updated: May 22, 2026

Excacloud ("we", "our", or "the extension") is a Chrome extension that syncs Excalidraw drawings to your cloud storage - Google Drive (Free) or GitHub Gist (Pro). This policy explains what information the extension handles and how.

Information we access

1. Google account (Free - Sign in with Google)

Uses Chrome's identity API and Google OAuth:

ScopePurpose
userinfo.emailShow signed-in email in the popup
userinfo.profileBasic profile for sign-in
drive.fileCreate, read, and update .excalidraw files that Excacloud creates - not your entire Drive

We receive your email and a Google access token stored locally until you sign out or the token expires. We do not receive your Google password.

2. GitHub account (Pro - Sign in with GitHub)

Uses Chrome's launchWebAuthFlow and a Cloudflare Worker to exchange the OAuth code (the Worker holds the OAuth client secret; it is not in the extension bundle).

We receive:

  • A GitHub access token (stored locally)
  • Your GitHub username (displayed in the popup)
  • Ability to read/write a secret Gist Excacloud creates for your drawings

Drawing files live inside that Gist. We do not receive your GitHub password.

3. Excalidraw drawing data

On excalidraw.com, when you sync:

  • The extension reads your current drawing from the page (localStorage).
  • It may merge with the cloud copy (another device or tab).
  • The result is saved to your Drive folder (Excacloud) or your Gist.

Drawing content is not stored on Excacloud-operated databases. Sync is between your browser and Google/GitHub APIs, except the short OAuth/license requests to our Worker.

4. License / purchase (Pro)

If you buy or activate Pro:

  • You may enter a Lemon Squeezy license key, validated via Lemon Squeezy's API.
  • Checkout may use a session id polled against our Worker after payment; the Worker stores the license key temporarily in KV until your extension retrieves it.

We do not receive your payment card details (handled by Lemon Squeezy).

5. Data stored on your device

In Chrome extension storage (chrome.storage.local):

DataPurpose
OAuth tokens (Google / GitHub)Cloud API access
Email / GitHub loginDisplay in popup
Folder or gist IDs and namesLocate your drawings
Active drawing file id and nameMulti-file library
Per-file last sync time and merge snapshotSync and reconcile
autoSyncEnabledUser preference
License key and Pro flagPro features

Incognito: sync snapshot keys use an :incognito suffix so regular and incognito canvases do not overwrite each other's merge state.

6. Host and network access

Content scripts run on excalidraw.com only.

Network endpoints may include:

  • Google APIs - Drive and Google sign-in
  • GitHub API - Gist storage (Pro)
  • Cloudflare Worker - GitHub token exchange, purchase status poll, Lemon Squeezy webhook receiver
  • Lemon Squeezy API - license activation
  • Lemon Squeezy checkout - payment (browser)

Information we do not collect

  • We do not operate servers that store your drawing files.
  • We do not sell, rent, or trade personal information for advertising.
  • We do not run analytics in the current version unless we add them later (this policy will be updated).

How we use information

  1. Authenticate you with Google and/or GitHub.
  2. Save, load, sync, and restore versions of your drawings in your cloud.
  3. Validate Pro licenses.
  4. Show sync status and account information in the popup and on-page widget.

Sharing with third parties

PartyWhenTheir policy
GoogleFree tier sign-in and Drive syncGoogle Privacy Policy
GitHubPro tier sign-in and Gist syncGitHub Privacy Statement
Lemon SqueezyPro purchase and license validationLemon Squeezy
CloudflareWorker hosting (OAuth + webhook + poll only)Cloudflare

We do not sell your data to other third parties.

Data retention and deletion

LocationRetention
Google DriveUntil you delete the Excacloud folder or files
GitHub GistUntil you delete the gist or sign out and remove access
Browser (extension storage)Until sign out, clear extension data, or uninstall
Worker KV (purchase poll)Short-lived license key delivery; not long-term drawing storage

To stop using Excacloud:

  1. Sign out in the popup.
  2. Uninstall the extension and/or clear its data.
  3. Delete the Excacloud folder in Drive and/or the Excacloud Gist on GitHub if you no longer want cloud copies.

Security

  • OAuth tokens stay in extension storage on your device.
  • HTTPS for all API calls.
  • Google uses drive.file least-privilege scope.
  • Pro Gist is secret (not listed publicly unless you share it).

No method of storage is 100% secure.

Children's privacy

Not directed at children under 13. We do not knowingly collect children's personal information.

International users

Google and GitHub may process data in facilities worldwide per their policies.

Changes to this policy

We may update this policy; the "Last updated" date will change. Material changes will be reflected in the Chrome Web Store listing where possible.

Your rights

Depending on your location, you may have access, correction, or deletion rights. Drawings are in your cloud accounts:

  • Access / export: Drive, GitHub, or Excalidraw.
  • Delete: Remove cloud files and uninstall the extension.
  • Questions: 1112264.lptai@gmail.com

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR) including the right to access, rectify, or erase your personal data, and the right to data portability. If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) including the right to know what personal information is collected and the right to request deletion. To exercise any of these rights, contact us at 1112264.lptai@gmail.com.

Relationship to Excalidraw

Excacloud is not affiliated with, endorsed by, or maintained by the Excalidraw team.

Chrome Web Store

Google may collect Store usage data per Google's policies.

Contact: 1112264.lptai@gmail.com