For Google Reviewers
App Verification Details
This page provides information specifically for Google's OAuth App Verification review process.
This page is intended for Google's OAuth verification team. It provides a transparent overview of what this application does, why it needs specific Google API scopes, and how user data is handled.
📱 Application Overview
| Application Name | FTM TG2DRIVE BOT |
| Application Type | Telegram Bot + OAuth Web Server |
| Operator | FTM BotZX |
| Contact Email | admin@ftmbotzx.dev |
| Application URL | https://tg2drivebot.ftmbotzx.dev |
| OAuth Callback | https://tg2drivebot.ftmbotzx.dev/oauth/callback |
| Privacy Policy | https://tg2drivebot.ftmbotzx.dev/privacy |
| Terms of Service | https://tg2drivebot.ftmbotzx.dev/terms |
| Data Deletion | https://tg2drivebot.ftmbotzx.dev/delete-data |
🎯 What This Application Does
FTM TG2DRIVE BOT is a Telegram bot that allows authorized users to connect their personal Google Drive account via OAuth 2.0. Once connected, users can send Telegram files or Telegram channel message links to the bot, and the bot will upload those files directly to the user's own Google Drive.
The application is a private, access-controlled service — users must be explicitly granted access by the service operator before they can connect their Google account. This is not a public sign-up service.
🔑 Google API Scopes Requested & Justification
| Scope | Reason Required |
|---|---|
https://www.googleapis.com/auth/drive |
Required to create files and folders in the user's Google Drive on their behalf. Used exclusively for file upload operations explicitly initiated by the user. |
openid |
Required to verify the user's identity during OAuth flow. |
https://www.googleapis.com/auth/userinfo.email |
Required to display the connected email address in bot confirmation messages. |
https://www.googleapis.com/auth/userinfo.profile |
Required to display the user's name in bot confirmation messages. |
Limited Use Compliance: The Drive scope is used exclusively to upload files the user explicitly requests through the Telegram bot. The application does not read, analyze, index, or otherwise process any existing Drive content. Access is strictly limited to creating new files as directed by the user.
💾 Data Stored and For How Long
| Data | Storage | Retention |
|---|---|---|
| Google OAuth refresh token | Encrypted in MongoDB (Fernet AES-128-CBC) | Until user runs /logout |
| Google account email | MongoDB | Until user runs /logout |
| Google display name | MongoDB | Until user runs /logout |
| Telegram user ID | MongoDB | Until user runs /logout |
| Drive folder preference | MongoDB | Until user runs /logout |
All data associated with a user is permanently and immediately deleted when they run the /logout command in the Telegram bot, or when we manually process a deletion request.
🔄 How Users Can Revoke Access
- Using
/logoutcommand in the Telegram bot (deletes all stored tokens and data immediately) - Visiting Google Account Permissions and removing the app directly
- Emailing us at admin@ftmbotzx.dev for a manual data deletion request
🛡️ Security Measures
- OAuth tokens encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before database storage
- All communications over HTTPS/TLS — no HTTP
- OAuth state parameter signed with HMAC and validated on callback to prevent CSRF
- Access to the service is restricted — users must be explicitly authorized
- No third-party data sharing — data is used solely for the described functionality
- Drive API calls are made only when users initiate uploads through the Telegram bot
📜 Policy Compliance
- Complies with Google API Services User Data Policy
- Complies with Limited Use requirements — data used only for stated functionality
- No data selling, sharing with third parties, or advertising use
- No human access to user data unless explicitly permitted, for security, or legally required
- Privacy Policy clearly states all data collection and use
- Users can delete their data at any time via
/logout
This application's use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements. User data received from Google APIs is used only to provide and improve the file upload service described in this page and in our Privacy Policy.