1. Introduction

Welcome to Handover. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our desktop application (built with Tauri) or interact with our backend services (handover-backend), and tell you about your privacy rights and how the law protects you.

Handover is a desktop application built with Tauri (Rust) that facilitates secure peer-to-peer file transfers and messaging. Our backend server (handover-backend) handles authentication, presence management, and WebRTC signaling, but does not access or store your file contents.

2. Information We Collect

We may collect, use, store and transfer different kinds of personal data about you:

  • Authentication Data: We use Google OAuth for authentication. When you sign in, we receive your Google ID, email address, and display name from Google. We do not store your Google password.
  • Profile Information: Includes your display name, email address, and optional profile picture URL.
  • Presence Data: Includes your online/offline status and last activity timestamp to facilitate friend connections.
  • Friendship Data: Includes your friend list, friend requests, and block list stored in our PostgreSQL database.
  • Technical Data: Includes IP address (for WebRTC signaling only, not permanently stored), operating system (Windows/macOS/Linux), and Tauri application version.
  • Room and Signaling Data: Includes WebRTC signaling messages (ICE candidates, SDP offers/answers) temporarily stored to facilitate P2P connections.
  • Usage Data: Includes information about how you use the desktop application, such as connection attempts and presence pings.
  • File Transfer Metadata: We do NOT store file names, sizes, or contents. File transfers occur directly peer-to-peer between users via WebRTC data channels.

3. How We Use Your Information

We use your personal data for the following purposes:

  • To provide and maintain our service
  • To notify you about changes to our service
  • To provide customer support
  • To gather analysis or other valuable information so that we can improve our service
  • To monitor the usage of our service
  • To detect, prevent and address technical issues

4. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Key security features include:

  • Peer-to-Peer Architecture: All file transfers and messages occur directly between users via WebRTC data channels. The handover-backend server never sees or stores your file contents.
  • End-to-End Encryption: WebRTC connections are encrypted by default using DTLS-SRTP. Your files and messages are encrypted during transfer.
  • Secure Authentication: We use Google OAuth 2.0 for authentication and JWT tokens (signed with HS256) for API authorization. No passwords are stored.
  • Backend Security: The handover-backend is built with Rust and uses secure practices including parameterized SQL queries to prevent injection attacks.
  • Database Encryption: User data is stored in a PostgreSQL database with encrypted connections (SSL/TLS).
  • Desktop Security: The Tauri application runs with restricted capabilities and follows platform security best practices.
  • Limited Access: Personal data access is limited to essential backend operations only (authentication, presence, signaling).

5. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

File Content: Files transferred through Handover are NEVER stored on our servers. All file transfers occur directly peer-to-peer between users via encrypted WebRTC data channels.

Signaling Data: WebRTC signaling messages (ICE candidates, SDP offers/answers) are temporarily stored in memory during connection establishment and deleted immediately after the P2P connection is established or the room is closed.

Account Data: Your profile information, friend list, and presence data remain in our PostgreSQL database as long as your account is active. You can request account deletion at any time.

Authentication Tokens: JWT tokens expire after a set period and are not permanently stored on the backend.

6. Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data
  • Withdraw consent

7. Third-Party Services

We integrate with the following third-party services:

  • Google OAuth 2.0: We use Google's authentication service to verify your identity. When you sign in, Google shares your basic profile information (Google ID, email, display name) with us. Please review Google's Privacy Policy for information on how Google handles your data.
  • WebRTC/STUN Servers: We may use public STUN servers to facilitate NAT traversal for P2P connections. These servers help establish direct connections but do not access your file content.

These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

8. Cookies

We use cookies and similar tracking technologies to track activity on our website and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

9. Children's Privacy

Our service is not directed to children under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us.

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us:

  • By visiting our homepage
  • By visiting our GitHub repository