1. Who we are
a0.gg (“we”, “us”, the “service”) is an independent personal project operated by Ariel Bravo Ayala (“operator”). a0.gg is not affiliated with, endorsed by, or associated with Okta, Inc., Auth0, Google LLC, or any other company. Trademarks belong to their respective owners.
Contact: support [at] a0.gg (general and privacy requests) or abuse [at] a0.gg (abuse and security).
2. Scope of this policy
This policy covers the public a0.gg website and the identity-brokering service it represents. It does not cover the independent websites or services of any identity provider (such as Google), your Auth0 tenant, or any third-party application that uses the service. Their own policies apply to them.
3. What we collect
We practice data minimization. Depending on how you interact with the service, this may include:
- Authentication identifiers. When you authorize a connector, we process basic OpenID Connect profile information — the openid, email, and profile scopes — to identify the session and route it to the correct tenant.
- Connected-service data (pass-through). When you grant a sensitive scope, the service brokers requests to that provider on your behalf and relays the results to the initiating tenant. This content is processed in transit and is not durably stored by a0.gg.
- OAuth tokens. Refresh tokens for connected services are held and rotated by Auth0 Token Vault, not stored in a0.gg-controlled databases. Access tokens are short-lived and used only to fulfill a request.
- Operational logs & metadata. Standard technical data such as timestamps, coarse request metadata, and error traces, used for debugging, security, and abuse prevention.
We do not use tracking cookies, advertising identifiers, or third-party analytics on this website, and we do not request Gmail or full Google Drive access.
4. Sensitive scopes we may request
We request the minimum scopes a feature requires. Sensitive scopes are limited to:
- Google Calendar — to create and manage calendar events on the user’s behalf.
- Google Sheets — to read and write spreadsheet data the user explicitly connects.
5. Google API Services — Limited Use disclosure
a0.gg’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features for which access was granted.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized.
Equivalent limited-use principles apply to data received from other providers (such as Microsoft, GitHub, Slack, or Salesforce) as we add those connectors.
6. How we use data
- To authenticate sessions and route them to the correct Auth0 tenant.
- To broker authorized requests to connected services and return results.
- To operate, debug, secure, and improve the service.
- To prevent abuse and comply with legal obligations.
7. Legal bases (GDPR)
Where the EU/UK General Data Protection Regulation applies, we rely on:
- Consent — for connecting a provider and granting specific scopes (you can withdraw it at any time by disconnecting or contacting us).
- Legitimate interests — for security, abuse prevention, and basic operation of the service, balanced against your rights.
- Legal obligation — where we must process data to comply with the law.
8. Retention
We keep data only as long as needed. Operational logs and metadata are retained for no more than 14 days and then deleted or anonymized. Pass-through connected-service content is not durably retained. Token lifecycle is governed by Auth0 Token Vault and the relevant provider; revoking access at the provider or your tenant invalidates the associated tokens.
9. Sharing
We do not sell or rent personal data. We share data only with:
- Infrastructure processors that run the service — Cloudflare (edge hosting), Auth0/Okta (identity platform and Token Vault), Grafana (ephemeral and transactional logs) — acting on our behalf.
- The identity provider you choose to connect, and the Auth0 tenant that initiated your session.
- Authorities, where required by law or to protect rights and safety.
10. International transfers
Our infrastructure providers may process data in countries other than yours. Where required, such transfers rely on appropriate safeguards (for example, the European Commission’s Standard Contractual Clauses).
11. Your rights (GDPR / UK GDPR)
Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to processing of your personal data, and to data portability. You may also withdraw consent and lodge a complaint with a supervisory authority.
To exercise any right, email support [at] a0.gg with the subject “Data request.” We will respond within the timeframe required by law (generally one month under the GDPR).
12. California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, to request deletion or correction, and to not be discriminated against for exercising these rights. We do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA, and we do not use or disclose sensitive personal information beyond the purposes described in this policy. Submit requests to support [at] a0.gg.
13. Deletion
You can request deletion of data associated with your use of the service at any time by emailing support [at] a0.gg. You can also revoke a connector’s access directly from your Google Account (Security → Third-party access) or the equivalent settings of another provider, which invalidates the associated tokens.
14. Children
The service is not directed to children and is not intended for anyone under 16. We do not knowingly collect data from children.
15. Changes
We may update this policy as the service evolves. Material changes will be reflected by updating the effective date below. Continued use after an update constitutes acceptance.
16. Contact
Questions or requests: support [at] a0.gg · Abuse & security: abuse [at] a0.gg.
Effective date: June 26, 2026. Operated by Ariel Bravo Ayala. Governing law: Spain (European Union).