Data Portability API user data and developer policy

As a developer using the Data Portability API, you often collect and manage highly sensitive user data. Keep these key data handling principles in mind:

  • Protect privacy: Don't use user data for prohibited uses.
  • Be transparent: Accurately represent and explain to users what data you collect, why you collect it, and how you use it.
  • Be respectful: Be a good steward of user data. When possible, allow users to transfer their data out of a product and honor user requests to delete their data.
  • Be secure: Handle all user data securely and demonstrate that you adhere to certain security practices.
  • Be specific: Don't request access to data that you don't need. All data access should be to provide only the features of your application or service that benefit users.

The Google APIs Terms of Service, Google API Services User Data Policy, and OAuth 2.0 Policies govern the use of all Google API Services when you, the developer, request access to user data. This Data Portability API User Data and Developer Policy contains additional information that governs your use and access to the Data Portability API. The Data Portability API provides end users in the European Economic Area (EEA) more control over their data by making it easier to move data out of Google.

Along with Google Takeout, the Data Portability API ensures that users have fine-grained, straightforward access and control over their data. Learn more about Google's Privacy Policy and privacy controls that put users in control.

Check this page periodically. These policies are updated occasionally. It is the developer's responsibility to monitor and ensure compliance with these policies on a regular basis. If at any time you cannot meet the policy requirements, or if there is a significant risk that you cannot meet them, stop using our services immediately and contact us. Google reserves the right to remove or restrict access to Google user data if you don't comply with this policy. In the event of a conflict between this policy or any other terms with regard to API services, this Data Portability API user data and developer policy takes precedence.

Appropriate data access and use of user data

Requests to export user data must be clear and understandable. The Data Portability API may only be used in accordance with the applicable policies, terms, and conditions, and for use cases benefiting users, as set forth in this policy. This means that developers may only request access to permissions when an application or service meets one of the approved use cases.

Approved use cases for access to permissions are:

  • Applications or services with one or more features that have the primary purpose of benefitting the user by allowing them to move, copy, or transfer user data from one Google service to another platform or service for the user's benefit.

Request the minimum relevant permissions

Developers may only request access to permissions that are critical to the implementation of features for an application or service. This means:

  • Don't request access to information that you don't need. If a product doesn't require access to specific permissions, then you must not request access to these permissions. Don't attempt to "future proof" access to user data by requesting access to information that might benefit services or features that have not been implemented.

  • Request permissions in context where possible. Only request access to user data in context (whenever you can) by using incremental authorization. This allows users to understand why you need the data.

Transparent and accurate notice and control

The Data Portability API handles personal and sensitive information. All applications and services must contain a privacy policy, which must comprehensively disclose how an application or web service collects, uses, and shares user data. This includes the types of parties to which any user data is shared, how you use the data, how you store and secure the data, and what happens to the data when an account is deactivated or deleted.

Applications and services must also request access to user data in context by using incremental authorization so that users better understand what data is provided, why you need the data, and how the data is used. In addition to the requirements under applicable law, you must also adhere to the following requirements that reflect our OAuth 2.0 policies and Google API Services User Data policies:

  1. Developers must provide a disclosure of data export, access, collection, use, and sharing. The disclosure:
    1. Must accurately represent the identity of the application or service that seeks access to user data;
    2. Must be within the application if it's application based or in a separate dialog window if it's web based;
    3. Must be displayed in the normal usage of the application if it's application based or website if it's web based, and it shouldn't require the user to navigate a menu or settings;
    4. Must provide clear and accurate information explaining the types of data being accessed, requested, exported, or collected;
    5. Must explain how the data is used and shared; if you request to export data for one reason, but the data is also utilized for a secondary purpose, you must notify users of both use cases;
    6. Cannot be placed only in a privacy policy or in terms of service; and
    7. Cannot be included with other disclosures unrelated to personal and sensitive data collection.

  2. A developer's disclosure must accompany and immediately precede a request for user consent. You must not begin collection prior to obtaining affirmative consent. The request for consent:
    1. Must present the consent dialog in a clear and unambiguous way;
    2. Must require an affirmative user action in order to accept such as select to accept, checking a checkbox, or a verbal command in order to accept;
    3. Must not interpret navigation away from the disclosure as consent; this includes clicking away or pressing the back or home button; and
    4. Must not utilize auto-dismissing or expiring messages.
  3. You must provide user help documentation that explains how users can manage and delete their data from the app.

Limited use of user data

When you access the Data Portability API for an appropriate use, the developer's use of the data obtained must comply with the following requirements. These requirements apply to sensitive and Restricted Scopes, the raw data obtained from the Data Portability API, and data aggregated, anonymized, de-identified, or derived from the raw data.

  1. Limit the use of data to providing or improving the appropriate use case or features that are visible and prominent in the requesting application's user interface.
  2. Transfers of data are not allowed, except:
    1. To provide or improve the appropriate use case or user-facing features that are clear from the requesting application's user interface and only with the user's consent;
    2. For security purposes such as investigating abuse;
    3. To comply with applicable laws or regulations; or
    4. As part of a merger, acquisition, or sale of the developer's assets after explicit prior consent is obtained from the user.

  3. Don't allow humans to read user data, unless:
    1. You have obtained and documented the user's explicit consent to read specific data; an example would be helping a user regain access to the product or a service after they lost their password;
    2. The data, including derivations, is aggregated and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements;
    3. It's necessary for security purposes such as investigating abuse; or
    4. It's necessary to comply with applicable laws or regulations.

An affirmative or other similar statement that the application or service's use of the data complies with the Limited Use restrictions must be disclosed in the application or on a website belonging to the service or application. For example, a link on a homepage to a dedicated page or privacy policy that notes:

"The use of information received from the Data Portability API adheres to the Data Portability API user data and developer policy, including the Limited Use Requirements".

Similar sentences can be used that are aligned with the data sharing restrictions in the Limited Use section.

Maintain a secure operating environment

You must securely handle all user data. Take reasonable and appropriate steps to protect all applications or systems that make use of the Data Portability API against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.

Applications that access Restricted Scopes must adhere to certain security practices. Recommended security practices include implementing and maintaining an Information Security Management System as outlined in ISO/IEC 27001 and ensuring that the application or web service is robust and free from common security issues as set out by the OWASP Top 10.

Required security measures include:

  1. Using an industry accepted encryption standard to encrypt user data that is:
    1. Stored on portable devices or portable electronic media;
    2. Maintained outside of Google's or the developer's systems;
    3. Transferred across any external network not solely managed by you; and
    4. At rest on the developer's systems.
  2. Transmitting data using secure modern protocols such as HTTPS.
  3. Keeping user data and credentials, specifically tokens such as OAuth access and refresh tokens, encrypted at rest.
  4. Ensuring keys and key material are managed appropriately, such as stored in a hardware security module or equivalent-strength key management system.

Required security measures for Restricted Scopes include following the Cloud Application Security Assessment (CASA). In addition, you may also be required to allow the application or service to undergo a periodic security assessment and to obtain a Letter of Assessment from a Google-designated third party.

You agree to promptly notify Google at security@google.com of any known or suspected unauthorized access to the systems, networks, accounts, or other locations where Google data is stored. This is called a Security Incident. You agree to cooperate fully with Google to correct any known or suspected Security Incident, and in any such event, to notify Google at security@google.com before you make any public statements regarding any known or suspected Security Incident.

OAuth 2.0 scopes

For a list of all Data Portability API scopes and resource groups, see the OAuth 2.0 Scopes for Google APIs.

For more information on restricted scopes, see the list of Restricted Scopes.