Last updated: 2026-05-11
Artifact Share ("we", "our", "the service") is provided by TechTalk, Inc. (株式会社TechTalk), 2-1-2 Tsukuda, Chuo-ku, Tokyo 104-0051, Japan. Representative: Coji Mizoguchi. The service is operated at artifactshare.com.
This Privacy Policy explains what data we collect, how we use it, and the choices you have. We've also called out the rights of users in the EU/UK, California, and Japan in their own sections below.
1. Information we collect
From Google when you sign in
- Your email address and verification status
- Your display name and profile picture
- Your Google account identifier (sub claim) and Workspace domain (hd claim), if applicable
From your Google Drive, with your permission
- drive.metadata.readonly (requested at sign-in). When you open a shared artifact, we call Drive's files.get with your own access token to read the file's name, last-modified time, and owner email. This lets Drive itself decide whether you can access the file — the same check Drive performs when you click any sharing link. The metadata also lets us display the artifact name in the viewer header (and the owner email, but only to viewers who are in the same Google Workspace as the artifact's registrant — external viewers never see the owner email).
- drive.file (requested incrementally, only at the moment you first try to add a file). We use this scope to fetch the HTML body of files you explicitly hand to us via Google Picker or Drive's "Open with Artifact Share" menu. drive.file grants access only to those specific files — we cannot read anything else in your Drive. You are not asked for this scope at sign-in; we ask only when you initiate a creator action.
As you use the service
- A record of each artifact view: viewer user ID, artifact ID, timestamp, and a one-way hash of your user-agent string with a salt that rotates daily. We do not store IP addresses directly.
- Standard server logs from our hosting provider (Cloudflare), retained per their policies.
2. How we use information
- Authentication and authorization — to identify you and verify Drive permissions on shared files.
- Rendering artifacts — to fetch and display HTML content you or your colleagues registered.
- Operational analytics — view counts shown to the artifact's registrant on their dashboard, plus aggregate usage to improve the service. We do not profile individual viewers or build behavioral segments.
- Communication — only essential service messages (account changes, security notices). We don't send marketing emails.
The rendered HTML may be cached briefly by Workers Cache (TTL ≤ 24 hours, keyed by the file's modifiedTime so edits invalidate the cache automatically). The viewer's permission verdict (the result of the Drive metadata check) may be cached for up to 60 seconds to skip a Drive round-trip on repeat views — meaning a sharing-permission change in Drive can take up to ~60 seconds to take effect.
3. Google API Services User Data Policy — Limited Use
Artifact Share's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- We use Google user data only to provide or improve user-facing features that are prominent in the application's user interface.
- We transfer Google user data only to provide or improve such features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets — and only with continued user notification and protections.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read Google user data except: (a) where you have given explicit consent for specific data; (b) where necessary for security purposes (such as investigating abuse); (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized for internal operations.
We do not use any Google user data to train generalized or third-party machine-learning models.
4. Lawful basis for processing (EU/UK GDPR)
For users in the European Economic Area and the United Kingdom, we process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — for providing the service you signed up to use: rendering artifacts, managing your account, and resolving share URLs.
- Legitimate interests (Art. 6(1)(f) GDPR) — for view-count display to the registrant, security monitoring, and abuse prevention. We've assessed these interests against your rights and freedoms; you may object to any of them (see §10).
- Consent (Art. 6(1)(a) GDPR) — for any optional features that require explicit opt-in. The current MVP has none.
Our use of "legitimate interests" is intentionally narrow. We do not profile users, target behavioral segments, or share data with third parties for their own purposes.
We are based in Japan and do not have an EU representative under GDPR Art. 27. Our processing of EU/UK personal data is occasional and limited to what is necessary to provide the service, so the Art. 27(2)(a) exemption applies. We will appoint a representative if our processing scope or volume changes to require it.
5. Who we share information with
We do not sell user data. We share only with the infrastructure providers needed to operate the service:
- Cloudflare, Inc. (hosting, content delivery, database, edge cache). See Cloudflare's Privacy Policy. Cloudflare's Data Processing Addendum — which incorporates Standard Contractual Clauses for international transfers — is automatically incorporated into our Cloudflare subscription, satisfying GDPR Art. 28.
- Google LLC (OAuth, Drive API, Workspace Marketplace, Cloud Console for project administration). See Google's Privacy Policy. We have accepted Google's Cloud Data Processing Addendum and certified that EU/UK/Swiss data protection law applies to our processing, so the Standard Contractual Clauses included in the Addendum are in effect. Our access to your Google account and Drive data is additionally governed by the Google API Services Terms of Service and the Google API Services User Data Policy, including Limited Use (see §3).
Each provider receives only the minimum data necessary for their role.
We disclose information when required by law, court order, or to protect the rights, property, or safety of users or others.
In the event of a merger, acquisition, or sale of all or part of our business, user information may be transferred as part of that transaction. We will notify affected users in advance and continue to honor the protections in this policy.
We do not engage in "joint use" (共同利用 under Japan's APPI) of personal data with affiliated entities — there are none.
6. International data transfers
Cloudflare's global edge network may process your requests in any region. Where personal data of EU/UK users is transferred outside the EEA/UK, we rely on:
- Adequacy decisions where applicable (for example, the UK-Japan adequacy regulations recognizing Japan as providing equivalent protection).
- Standard Contractual Clauses (Module 2: Controller-to-Processor) as incorporated in Cloudflare's Data Processing Addendum and in Google's Cloud Data Processing Addendum, both accepted by us.
- Supplementary technical measures including encryption in transit and at rest, and Workers' edge-only processing for content cache entries.
For users in other regions, equivalent contractual or technical safeguards apply.
7. Data retention
- Account data (email, name, Google account references): retained until you delete your account.
- Artifact metadata (file ID, file name, owner email, modifiedTime, registration timestamp): retained until you remove the artifact.
- View logs: currently retained for the life of your account. A scheduled 24-month purge is planned for a future release; until then we'll honor explicit deletion requests on demand.
- OAuth tokens (access, refresh): rotated on use; revoked when you delete your account.
- Workers Cache (rendered HTML): TTL ≤ 24 hours, keyed by file modifiedTime.
- Permission verdict cache: TTL ≤ 60 seconds.
- File contents: we do not persist file bodies. Each view re-fetches from Drive (or hits the short-lived cache).
Deletions take effect in our live database within seconds. Backup copies held by our infrastructure providers may retain deleted rows for up to 30 days before being overwritten by routine rotation.
8. Security
- Drive tokens are stored encrypted at rest. They are never exposed to your browser or to the iframe rendering an artifact.
- Artifact content is rendered in a sandboxed iframe served from sandbox.artifactshare.com. The sandbox has no access to authentication cookies on the apex domain, and its access is gated by a short-lived HMAC-signed URL.
- A strict Content Security Policy and Host-only cookie scoping prevent cross-origin data leakage.
- All connections require HTTPS/TLS.
9. Data breach notifications
If we discover a personal data breach affecting your information, we will notify the relevant supervisory authorities within the timeframes required by applicable law — within 72 hours under GDPR Art. 33, and "without delay" under APPI Art. 26 in Japan. We will notify affected users without undue delay where required (typically when the breach is likely to result in high risk to your rights and freedoms).
10. Your rights — Global baseline
All users can:
- Access your stored data by emailing the address in §15.
- Delete your account at any time. We will permanently delete your stored data and revoke our access to your Drive.
- Disconnect Google at any time via your Google account's third-party access settings. Existing artifacts you registered will become unviewable until you re-connect.
11. Your rights — EU/UK (GDPR)
In addition to §10, EU/UK residents have rights to:
- Access — confirm whether we process your personal data and receive a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion, subject to legal exceptions.
- Restriction of processing — pause processing in certain circumstances.
- Data portability — receive your data in a structured, commonly used, machine-readable format. The MVP doesn't have an automated export tool yet; requests are honored manually.
- Object to processing based on legitimate interests, including any profiling.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your national data protection supervisory authority.
To exercise these rights, email privacy@artifactshare.com from the address linked to your Google account (this is how we verify your identity). We respond without undue delay and in any event within one month, with the option to extend by a further two months for particularly complex requests, as Art. 12(3) permits.
12. Your rights — California (CCPA/CPRA)
For California residents, in addition to §10:
Categories of personal information collected (in the 12 months prior to publication):
- Identifiers — email, Google account identifier.
- Internet or other electronic network activity information — artifact-view records, hashed user-agent string.
- Professional or employment-related information — Google Workspace domain (only if you sign in with a Workspace account).
Sources: directly from you (during sign-in and use), and from Google (via OAuth).
Business purposes: providing the service, security, operational analytics.
Sensitive Personal Information: We do not collect Sensitive Personal Information as defined by Cal. Civ. Code § 1798.140(ae).
Sale or sharing of personal information: We do not sell or share personal information (as those terms are defined under CCPA/CPRA). We have not done so in the preceding 12 months.
Your CCPA rights:
- Right to know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties to whom we disclose.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — not applicable, since we do not sell or share.
- Right to non-discrimination — exercising these rights will not result in: denial of service; charging different prices or rates; providing a different level of quality; or suggesting that you will receive a different price or quality. We do not offer financial incentives for personal information.
To exercise these rights, email privacy@artifactshare.com. We verify your request via your Google sign-in and respond within 45 days (extendable to 90 days where CCPA permits). You may also designate an authorized agent to act on your behalf, in line with CCPA requirements.
13. Your rights — Japan (APPI)
Under the Act on the Protection of Personal Information (個人情報の保護に関する法律), users in Japan have the right to request disclosure, correction, addition or deletion, suspension of use, and disclosure of records of third-party provision regarding the personal information we hold about them.
To exercise these rights, email privacy@artifactshare.com from the address linked to your Google account. Identity is verified through the Google account associated with the request. There is no fee. We respond within a reasonable period — typically within 2 weeks.
The personal information protection officer (個人情報保護責任者) is the representative listed at the top of this policy. We are not currently certified under Privacy Mark (JIS Q 15001) or ISO 27001; certification may be pursued as the service grows.
14. Cookies and similar technologies
We use a single essential cookie: the better-auth session cookie, scoped Host-only to the apex domain. It is used to keep you signed in. We do not use analytics, advertising, or tracking cookies, so a cookie consent banner is not currently required under EU ePrivacy rules. If we add non-essential cookies in the future, we will request consent before setting them, in line with applicable law.
15. Children's privacy
The service is not directed to children under 13 (or 16 in jurisdictions where stricter rules apply). Google's OAuth flow has its own minimum-age requirements. We do not knowingly collect personal information from children below these thresholds; if we learn we have, we'll delete it promptly.
16. Marketing
We do not send marketing emails. We may send essential service messages — account changes, security notices, and material changes to these policies — and you cannot opt out of these while you have an account. There is nothing to opt out of beyond deleting your account.
17. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email and in-app banner at least 14 days before they take effect, except where a shorter timeframe is legally required. Continued use after a material change indicates acceptance — except where applicable law requires affirmative re-consent.
18. Contact
Email: info@artifactshare.com
For Google API Services User Data Policy inquiries (Limited Use), please mark your email "[Drive API Limited Use]".
For California residents: you may designate an authorized agent to make requests on your behalf, in line with CCPA requirements.
For copyright / IP complaints, see the takedown procedure in our Terms of Service.