Privacy Policy

Effective date: 2025-08-15

FireExport helps you export Firebase Authentication users from your own Google Cloud / Firebase projects to a CSV file. We designed the app to minimize data collection and processing. We do not sell or rent any information.

What data we access

  • Google account and OAuth token: When you sign in with Google, we receive an OAuth access token via NextAuth to call Google APIs on your behalf.
  • Granted scopes: We request the following read-only scopes: https://www.googleapis.com/auth/cloud-platform and https://www.googleapis.com/auth/firebase.readonly.
  • Projects list: We list projects you can access to let you choose one.
  • Firebase Auth users: For the selected project, we read user records via Google Identity Toolkit to generate the CSV with the following columns: uid, email, disabled, creationTime.

How data is processed

  • API requests to Google are made with your OAuth token and are limited to the scopes you granted.
  • User data is aggregated in memory solely to generate a CSV for download to your browser.
  • We do not persist Firebase user data or your project list on the server or in a database.
  • The CSV is streamed back to your browser; it is your responsibility to store and secure the downloaded file.

Cookies and session

We use NextAuth (JWT session strategy) to keep you signed in. The session contains your Google OAuth access token and the granted scopes. Session cookies are used for authentication and are not used for advertising or cross-site tracking.

Third-party services

  • Google APIs: Cloud Resource Manager and Identity Toolkit are used to list projects and fetch Firebase Auth users.
  • Hosting: If deployed, the app may be hosted on a platform such as Vercel. Operational logs may include basic request metadata (e.g., timestamps, response codes) for reliability.

Data retention

  • Firebase user data retrieved from Google APIs is not stored server-side.
  • Session data persists only as long as your sign-in session is valid.
  • Operational logs (if any) are retained per hosting provider defaults and do not include exported user lists.

Data sharing and disclosure

We do not share, transfer, sell, rent, or disclose your Google user data to any third parties. Specifically:

  • No data sharing: Firebase Authentication user data retrieved through Google APIs is never shared with external parties, partners, advertisers, or other services.
  • No data transfer: User data is processed entirely within our application's server memory and streamed directly to your browser as a CSV download.
  • No third-party access: Your OAuth tokens and the Firebase user data we access are never provided to, or accessible by, any external services beyond the hosting infrastructure required to operate the application.
  • No commercial use: We do not use your data for advertising, analytics, marketing, or any commercial purposes beyond providing the core export functionality.

The only "sharing" that occurs is the direct download of the CSV file to your browser, which you initiate and control entirely.

Your choices

  • You can revoke access in your Google Account under Security → Third‑party access.
  • You can sign out at any time from within the app.
  • You can delete downloaded CSVs from your own systems at your discretion.

Security

  • OAuth scopes are limited to the minimum needed for listing projects and Firebase Auth users.
  • Transport uses HTTPS when communicating with Google APIs and when serving the app.
  • No long-term storage of Firebase user data on our servers.

Children’s privacy

FireExport is a developer tool and is not directed to children. We do not knowingly collect personal information from children.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the effective date above.

Contact

Questions or concerns? Contact us at durman.tolga@gmail.com.