Skip to content
Cachy
Security Privacy Terms
Download Cachy

Security

Account security, cloud sync, Gmail AuthFill, AI features, and internal access.

Updated July 8, 2026

Security modelAccountsGmail AuthFillCloud syncOperational controlsThird-party providersReport a vulnerability

Security model

Cachy is designed around scoped access and clear data boundaries. Product features should only request the data needed for the task, and sensitive credentials should not be exposed in logs, exports, support tooling, or user-visible diagnostics.

Accounts and authentication

  • Account sessions are server-managed and tied to authenticated Cachy users.
  • Password material and session tokens are not included in user data exports.
  • New Cachy accounts use the email and password flow needed for sync encryption setup.

Gmail AuthFill

Gmail AuthFill is optional. Cachy uses Google OAuth and the Gmail read-only scope to watch for inbox changes and inspect a limited set of recent or changed messages for sign-in codes and links. Cachy does not maintain a full mailbox archive.

Stored Google OAuth tokens are removed when you disconnect Gmail or delete your Cachy account. AuthFill logs should not include full message bodies or one-time codes.

Cloud sync

Cachy Cloud stores sync metadata in Postgres and larger synced objects in private object storage. Encrypted sync stores encrypted content and encrypted path metadata for supported flows. Local Cachy data may remain on your own devices after cloud deletion, depending on device state and local app storage.

Operational controls

  • Production access should be limited to people who need it to operate and support Cachy.
  • Secrets should live in environment or secret-management systems, not committed files.
  • Operational logs should avoid raw tokens, passwords, private keys, email bodies, and one-time codes.
  • Webhook endpoints should validate shared secrets or signed tokens before processing payloads.

Third-party providers

Cachy uses third-party providers for hosting, storage, email, payments, AI, search, and Google integrations.

Report a vulnerability

Please send security reports to hi@cachy.space. Include affected URLs, steps to reproduce, impact, and any logs or screenshots that do not expose other users' data.

Cachy

Files, clipboard, web apps, device sync, and AI with context.

Download Security Privacy Terms
Cachy © 2026