folio
Privacy Policy

What we collect, why, and what we don't do with it

Last updated April 27, 2026

folio is a tool for showing off your work. The less data we hold onto, the better that tool gets. This page explains what we store, why, and the boundaries we hold ourselves to.

What we collect

Account data from your OAuth provider (Google, GitHub, or Microsoft) — name, email, and a profile image. Content you create on the platform: profiles, projects, uploads, settings. Standard server logs (IP address, user agent, timestamps) for security and debugging.

How we use it

To run your portfolio: render your pages, deliver your uploads, sign you in. To bill you if you're on a paid tier (handled by Stripe — we never see your card). To prevent abuse and keep the service up. That's it.

What we don't do

We don't sell your data. We don't ship it to advertising networks. We don't train models on your content. The only third parties that touch your data are the ones we need to run the product: your chosen identity provider, our object storage, our database host, and Stripe for payments.

Your rights

You can export, edit, or delete any content you've created from the admin panel. You can delete your account at any time, which removes your profile, projects, and uploads. Email us if you want a full data export or have any other request — we'll handle it.

Imports & embeds — third-party data flows

When you click Import (GitHub, Behance, Google Drive) we make a server-side request to that provider on your behalf using only the public URL you paste. We do not store any provider credentials, and we do not re-share fetched content with anyone except as part of your own portfolio page.

GitHub: we hit api.github.com (no auth, or your server-side GITHUB_TOKEN if set) for repo metadata + README; README images get copied into your media library so links survive a repo rename.

Behance: we never call Behance's HTML or API server-side — the official iframe (behance.net/embed/project/{id}) loads in each visitor's browser, so artist images stay on Behance.

Google Drive: we hit docs.google.com/{...}/export and drive.google.com/uc as anonymous; only files set to 'Anyone with the link' return content.

When you paste a YouTube, Vimeo, Loom, Spotify, SoundCloud, CodePen, Figma, Dribbble, Notion, Dev.to, GitHub Gist or Google Workspace URL, we map it to that provider's officially-documented embed endpoint and render the iframe — those providers see your visitors' IP addresses and may set their own cookies on the embed domain (we use youtube-nocookie.com where available).

No provider OAuth tokens are stored today.