Privacy Policy
Effective Date: March 30, 2026 | Last Updated: March 30, 2026
Xiangenhu ("we," "our," or "us") operates the OAuth2 Proxy Gateway service accessible at oauth.xiangenhu.info (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Please read this Privacy Policy carefully. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
1.1 Information Collected Through OAuth Authentication
When you sign in through a third-party OAuth provider (such as Google), we receive and process the following information:
| Data Type | Source | Purpose |
| --- | --- | --- |
| Full name / display name | OAuth provider | Account identification |
| Email address | OAuth provider | Account identification, communication |
| Profile picture URL | OAuth provider | User interface display |
| OAuth provider user ID | OAuth provider | Unique account linking |
| Authentication tokens | OAuth provider | Session management, authorized API access |
1.2 Information Collected Automatically
When you access the Service, we may automatically collect:
- Log data: IP address, browser type, access times, and pages viewed.
- Device information: Operating system, device type, and browser version.
1.3 Information We Do Not Collect
- We do not collect payment or financial information.
- We do not read, store, or access the contents of your emails or files.
- We do not collect information from minors. The Service is not directed at individuals under the age of 13.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Authentication: To verify your identity and grant access to connected applications.
- Session management: To maintain your login state and provide a seamless experience across connected applications.
- Email services: To send emails on your behalf when you explicitly use the email verification or SMTP proxy features of the Service.
- Security: To detect, prevent, and respond to fraud, abuse, or security incidents.
- Service improvement: To monitor usage patterns and improve the reliability and performance of the Service.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information includes:
- Consent: You have given consent by choosing to authenticate via an OAuth provider.
- Contractual necessity: Processing is necessary to provide the Service you have requested.
- Legitimate interests: Processing is necessary for our legitimate interests (e.g., security, fraud prevention) and does not override your rights.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- With connected applications: When you use the Service to authenticate with a downstream application, that application receives your profile information (name, email, profile picture) as part of the authentication flow you initiated.
- Service providers: We may use third-party cloud infrastructure providers (e.g., Google Cloud Platform) to host and operate the Service. These providers process data on our behalf and are bound by contractual obligations to keep your information confidential.
- Legal requirements: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Storage and Security
- Your data is stored on secure cloud infrastructure with encryption at rest and in transit.
- Authentication tokens are encrypted and stored in secured cloud storage (Google Cloud Storage).
- All communication with the Service is encrypted using HTTPS/TLS.
- We implement rate limiting, input sanitization, and security headers to protect against common attack vectors.
- Access to production systems is restricted to authorized personnel only.
While we use commercially reasonable measures to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Session data | 24 hours after last activity, then automatically deleted |
| Authentication tokens | Duration of active session; deleted on logout or expiration |
| User profile information | Retained while account is active; deleted upon request |
| Server logs | Up to 30 days, then automatically purged |
You may request earlier deletion of your data at any time by contacting us (see Section 10).
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we restrict processing of your data.
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent at any time where processing is based on consent.
- Revoke OAuth access: Revoke the Service's access to your account at any time through your OAuth provider's security settings (e.g., Google Account Permissions).
To exercise any of these rights, please contact us at the email address provided in Section 10. We will respond to your request within 30 days.
8. Cookies and Tracking Technologies
The Service uses session cookies strictly for authentication and session management. We do not use:
- Advertising or tracking cookies
- Analytics services that track individual users
- Cross-site tracking technologies
Session cookies are automatically deleted when your session expires or when you log out.
9. Third-Party Services
The Service integrates with third-party OAuth providers. When you authenticate through these providers, your use of their services is governed by their own privacy policies:
We encourage you to review the privacy policies of any third-party services you access through the Service.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
If we make material changes, we will provide notice through the Service or by other means as appropriate.