Hasan Halabi

Privacy Policy

Product: Backup for Google Drive by Hasan Halabi
Effective date: May 20, 2026
Provider: Hasan Halabi
Website: https://hasanhalabi.com
Contact: support@hasanhalabi.com

This Privacy Policy explains how Backup for Google Drive by Hasan Halabi (the “Plugin”, “we”, “us”, or “our”) handles information when a WordPress site administrator installs, configures, and uses the Plugin to back up a WordPress website to Google Drive.

This Plugin is designed for WordPress site administrators. It is not intended to collect information directly from website visitors.

1. Summary

The Plugin helps a WordPress site administrator create backups of their WordPress site and upload those backups to a Google Drive folder selected by the administrator.

The Plugin uses a hosted Google Drive connection broker at hasanhalabi.com to complete Google OAuth authorization and issue short-lived access tokens. This broker exists so that Google OAuth client secrets and Google refresh tokens are not stored inside the public WordPress plugin package.

The broker does not store backup files. Backup files are uploaded directly from the administrator’s WordPress site to the administrator’s selected Google Drive folder.

2. Information processed by the Plugin on your WordPress site

Depending on the settings selected by the site administrator, the Plugin may process the following information locally on the WordPress site where the Plugin is installed:

  • WordPress site URL.
  • A generated site installation identifier (site_uuid).
  • Plugin version.
  • Backup job settings and status.
  • Selected backup scope, such as database, uploads, themes, plugins, and other configured backup items.
  • Operational logs, backup progress, timestamps, success and failure messages, and safe diagnostic information.
  • Google connection summary returned by the broker, such as connection ID, Google account email, selected Google Drive folder ID, and selected folder name.
  • A broker-issued installation secret used to sign server-to-server requests to the broker.

The actual backup content may include your WordPress database, uploaded media, themes, plugins, configuration files, or other files selected for backup. This backup content is controlled by the site administrator and is uploaded to the selected Google Drive folder. The Plugin does not intentionally inspect the content for marketing, profiling, advertising, or analytics purposes.

3. Information processed by the hosted broker

When a site administrator connects the Plugin to Google Drive, the hosted broker at hasanhalabi.com may process and store the following information:

  • WordPress site URL.
  • Generated site installation identifier (site_uuid).
  • Site administrator email address, when provided by the Plugin during the connection flow.
  • Public Plugin version.
  • Google account identifier and Google account email address returned by Google.
  • Google OAuth scopes granted by the administrator.
  • Encrypted Google refresh token.
  • Encrypted broker installation secret.
  • Selected Google Drive root folder ID and folder name.
  • Connection status, such as pending, connected, broken, disconnected, or revoked.
  • Token issuance timestamps, health check timestamps, last-seen timestamps, connection timestamps, revocation timestamps, and safe error summaries.
  • Broker-side operational and security logs.

The broker uses this information only to provide and maintain the Google Drive connection for the Plugin, including OAuth authorization, folder selection, short-lived access token issuance, connection health checks, disconnect handling, and security monitoring.

4. Google Drive access and Google user data

The Plugin requests access to Google Drive only for the backup functionality selected by the site administrator.

In version 1, the intended Google Drive permission is drive.file, which is used to create and manage files and folders that the Plugin creates or that the user selects for use with the Plugin.

The Plugin and broker may receive or process the following Google user data:

  • Google account email address or account identifier.
  • OAuth authorization response data required to establish the connection.
  • Google refresh token, stored encrypted by the broker.
  • Short-lived Google access tokens, used only to perform Google Drive operations required by the Plugin.
  • Selected Google Drive folder ID and folder name.
  • Minimal Google Drive API responses needed to confirm folder accessibility and upload backup files.

The broker does not use Google user data for advertising, retargeting, profiling, credit decisions, sale to third parties, or unrelated analytics.

Google API Limited Use Disclosure: Backup for Google Drive by Hasan Halabi’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Backup files

Backup files are uploaded directly from your WordPress site to the Google Drive folder selected by the site administrator.

We do not intentionally store backup files on hasanhalabi.com or on the hosted broker. The broker is responsible for connection authorization and token issuance, not for backup storage.

Your backups may contain personal data, confidential business data, website content, uploaded files, database records, user information, orders, form submissions, customer data, or other sensitive information depending on what exists on your WordPress site. You are responsible for deciding what to back up, where to store it, who can access the selected Google Drive folder, and how long to retain those backups.

6. Logs and diagnostics

The Plugin and broker may keep operational logs to help the administrator understand backup results, connection status, failures, and security-related events.

Logs are designed to avoid storing raw secrets. The broker is designed to redact:

  • Google access tokens.
  • Google refresh tokens.
  • Broker installation secrets.
  • Raw authorization codes.
  • Raw OAuth payloads.
  • Raw request signatures.

Logs may include safe diagnostic information such as site URL, connection ID, site UUID, Google account email, event category, timestamps, and safe error messages.

7. Why information is processed

We process the information described in this Privacy Policy for the following purposes:

  • To connect the Plugin to the administrator’s Google Drive account.
  • To let the administrator select a Google Drive folder for backups.
  • To issue short-lived access tokens needed for direct Google Drive uploads.
  • To run backup jobs and display backup status.
  • To test connection health and selected-folder accessibility.
  • To handle disconnects, revoked permissions, broken connections, and safe error reporting.
  • To provide support, diagnose operational problems, and protect the broker from abuse or security incidents.
  • To comply with legal, security, and platform requirements.

The site administrator controls whether to install the Plugin, connect a Google account, select a Google Drive folder, and create backups.

If your WordPress site contains personal data, you are responsible for determining the lawful basis for backing up that data, informing your users where required, configuring access to your Google Drive account appropriately, and complying with laws that apply to your website, business, location, and users.

The Plugin is a technical backup tool. It does not determine whether your backups comply with GDPR, HIPAA, local privacy laws, professional confidentiality rules, sector-specific regulations, or contractual obligations.

9. Sharing and third-party services

The Plugin uses Google APIs and Google Drive to provide the backup storage functionality selected by the administrator. Google may process information according to Google’s own terms and privacy policies.

We do not sell personal data. We do not share Google user data with advertisers. We do not use Google user data for advertising or unrelated profiling.

Information may be disclosed when necessary to:

  • Provide the Plugin and broker functionality.
  • Maintain security and prevent abuse.
  • Respond to support requests initiated by the administrator.
  • Comply with applicable law, legal process, or enforceable government request.
  • Protect rights, property, users, or the security of the Plugin, broker, or related systems.

10. Data retention

Data stored locally by the Plugin on your WordPress site remains under your control. Depending on Plugin settings and uninstall choices, local settings, logs, job records, and related Plugin data may remain until deleted by the administrator or removed during uninstall.

Broker-side connection records are retained while the Plugin remains connected and for a reasonable period afterward for security, audit, abuse prevention, support, and operational purposes. When a connection is disconnected or revoked, the broker is designed to revoke or clear the Google refresh token when practical, clear the stored refresh token, clear the installation secret, and preserve only minimal audit history.

Backup files stored in Google Drive remain in the administrator’s Google Drive account until deleted by the administrator or by configured retention rules.

11. Security

The Plugin and broker are designed with the following security measures:

  • HTTPS-only broker traffic.
  • Hosted OAuth broker so Google OAuth secrets are not bundled inside the public Plugin.
  • Encrypted storage of Google refresh tokens and broker installation secrets on the broker.
  • Short-lived Google access tokens.
  • Signed server-to-server broker API requests.
  • Timestamp and nonce replay protection.
  • Strict return URL validation during connection flows.
  • One-time exchange codes with short expiration.
  • Redaction of raw secrets from broker logs.
  • WordPress capability checks and nonces for administrative actions.

No method of transmission or storage is completely secure. Site administrators should also secure their own WordPress installation, hosting account, administrator accounts, Google account, and Google Drive sharing permissions.

12. Your choices and controls

A site administrator can:

  • Choose whether to install and activate the Plugin.
  • Choose whether to connect a Google Drive account.
  • Choose the Google Drive folder used for backups.
  • Disconnect the Google Drive connection from the Plugin.
  • Revoke the Plugin’s access from the Google Account permissions page.
  • Delete backup files from Google Drive.
  • Delete or clear Plugin logs and settings where the Plugin provides those controls.
  • Uninstall the Plugin and choose the available uninstall cleanup option, where applicable.

13. International processing

The broker is operated from systems controlled by Hasan Halabi. Google Drive and Google APIs may process data in locations determined by Google. If you use the Plugin, you understand that information may be processed outside your country depending on your hosting provider, Google account settings, Google infrastructure, and broker infrastructure.

14. Children’s privacy

The Plugin is intended for WordPress site administrators and is not directed to children. We do not knowingly collect information directly from children through the Plugin.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Plugin, broker, Google API requirements, legal requirements, or operational practices. The updated version should identify the effective date. Continued use of the Plugin after an update means the administrator accepts the updated policy.

16. Contact

For privacy questions, support requests, or deletion requests related to broker-side connection records, contact:

Hasan Halabi
Email: support@hasanhalabi.com
Website: https://hasanhalabi.com