SUPPORT SFLC.IN

Google, Zoho, or Open Source: Who Handles Your Data Better? A Privacy Policy Comparison

Posts
GENERAL ANALYSIS

Zoho and Google are both proprietary software suites, while Nextcloud is a free and open-source software suite. This means that Nextcloud by nature allows for more transparency and community-based auditing. Nextcloud can also be self-hosted, ensuring that the users complete of control over their data and files.

The Privacy Policies of these software suites reflect these ideals, with Google and Zoho offering far too little user control over what data is collected and stored when compared to Nextcloud. Nextcloud’s privacy policy only covers the data that is collected and stored when the user accesses their website, as its service can be self-hosted and no data can be collected by Nextcloud in that case.

Through our comparison of the privacy policies of Zoho, Google, and Nextcloud, and the subsequent analysis, it is clearly seen that Nextcloud offers the most security and privacy to the user’s data. Google’s Workplace suite of products is one of the most popular ones in the market, and offers the benefits that come with such popular adoption like easier collaboration. Nextcloud’s policies are more comprehensive, defined, and robust, offering more user control for specific types of data and maintaining a blanket objection/cancellation policy.

There are some concerns with how Zoho handles user data. Zoho shares user data with a list of partners it considers “authorized experts” to help with onboarding into the Zoho ecosystem, which could prove dangerous if these experts do not ascribe to strict data protection standards. Zoho also provides limited options for user control over data, even when compared to other proprietary suites like Google Workplace. On the encryption front, Zoho provides only the industry-standard level of encryption and data protection, with End-to-End Encryption being something the user has to choose for specific secure emails. Full-disk encryption is only provided by Zoho to data that is earmarked as sensitive, while Google offers it by default.

With regards to the Data Collection policies of these companies, all three-collect information for similar purposes, such as compliance with laws, service delivery, analytics etc. Nextcloud, which only collects data from users accessing its website, provides a robust, detailed list of heads under which it collects data for specific, limited purposes, and does not collect or store data for promotional or commercial use, and allows for users to object to data collection under any head, resulting in its deletion. Google collects the broadest spectrum of data including search history, identifiers, and user activity across services, but it also allows users to retain some control over some specified fields of data collection through its various tools like Privacy Checkup and Activity Dashboard. Zoho collects less data than Google, but it offers significantly less user control in the form of opt-out provisions or optional disclosures. The privacy policy also includes certain ambiguous language when dealing with Service Data, which is concerning. 

The same dissonance also shows itself with respect to Data Retention, where Google retains more data for longer time periods, but provides more transparency and deletion options. Nextcloud, once again, retains specific data for limited purposes related to fulfilling contractual obligations or for legal compliance reasons. Zoho, however, has a blanket policy that data will be retained for as long as the services are used, post which the data will be deleted from backups within 9 months.

With respect to Data Sharing, only Nextcloud maintains that it ensures strict data protection and user privacy when sharing or transferring data to jurisdictions that the European Committee does not consider to be having an “adequate data protection regime.” Nextcloud’s policy states that these standards are enforced through standard-clause contractual obligations. Google also adheres to the European adequacy decisions along with other legal frameworks (like Brazil’s for example) when transferring data to another country. Zoho makes no mention of any compliance with adequacy decisions.

It might be easier for the Government of India to keep Zoho accountable and ensure compliance with access requests as Zoho appears to process Indian data on Indian servers, and is headquartered in India. With foreign companies like Google or even Nextcloud, compliance may depend on the Mutual Legal Assistance Treaty (MLAT) that India has with the company’s home country. This problem was seen very recently in M. Moser Design Associates (India) Pvt. Ltd. vs. Union of India & Ors. WP. (C) No. 2358 of 2025 , where Proton Mail denied compliance with specific requests to user data as it was governed by Swiss law.

While none of the privacy policies we analyzed are tailored to the DPDP Act, 2023, they are mostly aligned with the principles of the GDPR. In this respect, Nextcloud makes extensive reference to the GDPR in its policy and Zoho has special provisions in place for users in the European Economic Area. Google does not make any reference to any laws in its policy. It is also worth noting that all users that use Nextcloud are considered data subjects under GDPR by the company’s privacy policy and their rights to erasure, portability, objection, etc. are recognised explicitly, whereas Zoho only recognises these rights for EEA users.


SPECIFIC PRIVACY POLICY COMPARISON

ZOHO WORKPLACE GOOGLE WORKSPACE
(formerly G SUITE) 		NEXTCLOUD HUB Analysis
Nature of Software Proprietary Proprietary Free and Open Source Software
Hosting Cloud-based hosting Cloud-based hosting Can be hosted on premise or with a trusted provider
Products
  • Zoho Mail
  • Zoho Calendar
  • Zoho Writer
  • Zoho Sheet
  • Zoho Show
  • Zoho Cliq (Messaging)
  • Zoho Meeting
  • Zoho WorkDrive (Sync)
  • Zoho Connect (Business Intranet)
  • Zoho Vault
  • Gmail
  • Google Calendar
  • Google Docs
  • Google Sheets
  • Google Slides
  • Google Chat
  • Google Meet
  • Google Drive
  • Google Gemini
  • Google Vids
  • Google Keep
  • Google Sites
  • Google Forms
  • Google NotebookLM
  • Google Apps Script (bundled with Gmail)
  • Google AppSheet (Codeless App Creation) – Add On
  • Nextcloud Files
  • Nextcloud Talk
  • Nextcloud Groupware
  • Nextcloud Office
  • Nextcloud Assistant
 Zoho: Also includes a Notes app built-in with Zoho Mail
Privacy Policy Available here Available here Available here

The Privacy policy does not cover what happens on individual Nextcloud instances, when users use the software. It explicitly deals only with the data collected and stored when users visit their websites.



As Nextcloud offers the user the ability to either self-host or use a trusted provider to host its services, the user retains complete control over their data (in the case of self-hosting) or retains a significant amount of control (depending on the privacy policy of the hosting provider)

Zoho: Tailored for compliance with European regime, no mention of the DPDP Act, 2023 or the obligations thereunder.

Google: Does not explicitly mention any compliance regime in its privacy policy.

Nextcloud: Explicit reference only to GDPR, as Nextcloud is a European company based in Germany.
Nature of Data Collected A. Information provided by user
  1. Compulsory: name, contact number, email address, company name and country
  2. Optional: photo, time zone and language
  3. Information submitted when interacting with any Zoho activity, event, survey, customer support, payment processing etc.

B. Information collected automatically
  1. From browsers, devices, and servers: IP address, browser type, language preference, time zone, referring URL, date and time of access, operating system, mobile device manufacturer and mobile network information
  2. From cookies and trackers: first-party cookies on Zoho websites to identify visitors, track navigation, gather demographic information about visitors and users, understand email campaign effectiveness and for targeted visitor and user engagement. Third-party cookies and trackers are not used, as per Zoho.
  3. From application logs and mobile analytics: clicks, scrolls, features accessed, access time and frequency, errors generated, performance data, storage utilised, user settings and configurations, and devices used to access and their locations.

C. Information collected from third-parties
  1. Information shared when logging in through supported authentication service providers (Linkedin, Microsoft, Google)
  2. Information shared under referral programs
  3. Information received through reselling partners, or events sponsored by Zoho
  4. Information received from social media sites and other publicly available sources: feedback or reviews, marketplace engagement. May collect profile information as well.

D. Service Data (Information collected through use of services and products) framed in policy as optional and opt-in
  1. Information on customers and employees (for controllers) or data held and used on behalf of another person for a specific purpose, such as a customer (for processors).
  2. Some mobile applications may have access to camera, microphone, call history, contact information, photo library, files and other information stored on mobile devices.
  3. Location-based information is also collected for locating nearby contacts, location-based setting reminders, and other purposes.
A. Information provided by user
  1. Information that personally identifies the user, such as name, email address, or other data that can be reasonably linked to such information
  2. Phone number and payment information is optional
  3. Content the user creates, uploads, or receives from others when using Google services.

B. Information collected automatically
  1. Information from apps, browsers, and devices: including unique identifiers, browser type, settings, device type and settings, operating system, mobile network information.
  2. Activity information: Search terms, watch history, views and interactions with content and ads, voice and audio information (for audio activation), purchase activity, people with whom the user communicates and shares content, activity on third-party sites and apps that use Google services. If Google services are used to make and receive calls/messages, then call and message log information is collected.
  3. Location information: When using Google services, GPS and sensor data, IP address, search terms and labelled places, information about things near your device like WiFi-access points, cell towers, and bluetooth-enabled devices.

C. Information collected from third-parties
  1. Information of the user indexed in publicly accessible sources, provided from trusted partners like directory, marketing, and security partners
  2. Cookies, pixel tags, browser web storage, application data caches, databases, and server logs are used to collect and store information
Nextcloud offers self-hosting of its services, in which case the user would retain complete control over their data.

If Nextcloud is hosted using any of its trusted service providers, in such case, the data collection policies would depend on the provider.

Nextcloud collects certain data from users who access their website, however their privacy policy comprehensively outlines what kind of data is collected, for what purpose, and specifies its deletion and objection policies as well in a robust manner. 		Zoho: Vague language in the Service Data section, where the purposes listed for mobile devices is an inclusive list, when it ought to be exhaustive. The policy also allows Zoho access to “other information stored” on mobile devices without specifying what this information could be. For data collected automatically and service data, no clear user control mechanism is provided.

Google: Provides more methods to erase data, and more settings to opt-out of certain data collection practices. However, the range of data collected by Google through its services is much higher than it is for Zoho.

Nextcloud: Self-hosting Nextcloud would mean that no user data is collected by Nextcloud. With respect to website data collected, it provides a robust list of what sorts of data is collected, and collects less data overall than both Google and Zoho.
Basis for Data Collection Zoho’s privacy policy mentions three bases:
– Contractual necessity
– Legitimate interests of Zoho or a third party that are not overridden by user’s data protection interests
– Consent (which can be withdrawn at any time) 		Does not mention any legal bases explicitly Within the framework of the GDPR, and Germany’s Federal Data Protection Act, State Data Protection Acts, and Telemedia Act.

Processing is done under these broad heads related to Article 6, GDPR:
  • Processing of personal data if the data subject has given consent.
  • For performance of contract with the data subject is a party, or for operations necessary for performance of pre-contractual measures.
  • For fulfilment of legal obligations under Regulation on Terrorist Content Online and the Digital Services Act.
  • When processing is necessary for protecting vital interests of the data subject or any other natural person
  • For safeguarding a legitimate interest of the company/third party and when fundamental rights and freedoms of the data subject do not outweigh these interests.
    The policy also mentions that if Nextcloud processes any user’s data, that user is a data subject within the meaning of the GDPR and recognises their rights to: objection, information, erasure, data portability, revoke consent, and register complaint.
Zoho: The legal bases are addressed to EEA users alone, and are tailored to be compliant to GDPR and other European regulations primarily.

Nextcloud: Legal bases are tied explicitly to GDPR, without any explicit mention of DPDPA. However, the policy grants the rights under GDPR to any user whose data is processed by Nextcloud.
Purpose of Data Collection
  • Manage accounts,
  • Deliver product and service updates,
  • Understand user behaviour,
  • Customer support,
  • Prevent fraud or misuse.
  • Promotions, surveys, and offers.
  • Service Delivery,
  • Maintain and Improve services,
  • Develop new services,
  • Personalisation in services,
  • Measure performance,
  • Communicate with users,
  • Improve safety and reliability of services
 Specific purposes are mentioned for each type of data collected. Broadly, these limited purposes include:
  • Specified Service Delivery,
  • Analytics,
  • Compliance with laws and regulations,
  • Improve safety of services for other users,
  • Business Interests or Contractual Obligations,
  • Prevent abuse, spam, misuse etc.
Data Storage Service Data is either stored on Zoho servers when using Zoho services, or transferred/shared to Zoho as part of technical support/other service request.

Data from mobile devices including location data will be stored locally on devices if using products and on Zoho servers if using Zoho services. 		Data is stored on Google’s global, interconnected network of data centers. These data center locations can be found here. Personal data collected and generated through the website, during the provision of relevant products and services, are stored on Nextcloud servers in the European Union, but may be transferred to or accessed from other jurisdictions by providers of Nextcloud software solutions. If these jurisdictions do not meet the adequacy standards, strict data protection is enforced through standard contractual clauses. Zoho: Policy explicitly mentions storage mechanism for Service Data alone. No clarity on storage mechanism for data collected under any of the other heads.

Google: Notably, none of the data centers listed are located in India.

Nextcloud: Maintains that it follows strict data protection standards regardless of the country where data is being processed, ensuring this through contractual obligations.
Data Retention For as long as Zoho services are used.

On termination, data will be deleted from the active database within 6 months, and from backups within 3 months of deletion from the active database. 		Data is retained according to this policy, for different periods of time depending on what it is, how Google uses it, and how the user settings are configured.
  1. Data that can be deleted whenever. (Personal information, content created or uploaded, activity information – can also be set to auto-delete periodically).

  2. Data that expires after a specific period. (retention timeframe is based on the reason for collection, eg: Browser width and height may be retained for up to 9 months. Some data used for advertising and analytics are anonymized in server logs by removing part of the IP address after 9 months, and cookie information after 16 months. Pseudonymization is done on search queries disconnected from users, and it will be retained for a set period of time).
  3. Information retained until the account is deleted. (Data that helps Google understand how users interact with features).
  4. Information retained for extended time periods. (Required to be retained due to business or legal obligations, eg: payment data. This information is stored for limited purposes like: security, fraud and abuse prevention, keeping of financial records, legal and regulatory compliance).
Data will be deleted or blocked once the purpose of storing that data no longer applies. Data may be retained for longer if required under European and national regulations or laws, and will be deleted or blocked once such storage mandate expires. Data may also be stored for longer if necessary for the conclusion of fulfilment of a contract. Google: Retains more data for longer periods of time, but provides specifically what kind of data it is, and for what reason it is retained. Also provides more opportunities for the users to delete specific personal information they have shared with Google.

Zoho: Most of the data that is non-optional and that does not have any opt-out feature will be stored for as long as the services are used. There is no periodic expiration like in Google. Further, even after account termination, this data is not deleted immediately. It may take up to 9 months for the data to be removed from all of Zoho’s servers.

Nextcloud: Does not retain any data other than what is required to be stored for specified purposes. This goes hand-in-hand with the extensive user control over what data is stored or collected.
Data Sharing Details are shared with Zoho entities and authorized partners (resellers, analytics, marketing, eventorganizers etc.)

  • Zoho entities are other subsidiaries and global subprocessors of the Zoho Group, like Zoho EU, Zoho Japan, etc., and the operators of data centers in other countries.
  • Authorised partners are third parties that are considered “Zoho-accredited experts” who help tailor and optimise the User’s Zoho Suite experience. Service Data is shared with the Zoho group entities and with specified third-party subprocessors. Data is also shared with third-party service providers like marketing and advertising partners, event organizers etc. The policy states that this data is shared in aggregated or de-identified form.
Information can be shared publicly by the user themselves on certain services like YouTube.

Google shares personal information (with consent) when Google services are used to interface with other services – like using Google Home to book a reservation, or when Google is used to authenticate a log-in. Explicit consent is asked before sharing sensitive personal information

If the user’s organization/school uses Google services, the domain administrator and resellers who manage the account will have access to:

  1. Information stored in the account, like email
  2. Statistics regarding the account, like number of apps installed
  3. Password, and the ability to change it
  4. Suspension or termination powers
  5. Information needed to comply with laws and regulations
  6. Powers to restrict ability to manage, edit, and delete information


Google also shares personal information to affiliates (entities that belong to the Google group of companies) and other trusted businesses to externally process the information. Eg: Data Center operation, product and service delivery, additional support, YouTube content reviewers etc. Non-personally identifiable information (NPII) may also be shared publicly and with partners like publishers, advertisers, developers etc.

Specific partners may also be allowed to collect information from browsers or devices for advertising and measurement purposes, eg: YouTube analytics, Merchants that use their own cookies to track data, etc.

Google also shares personal information if there is good-faith belief that the information is needed to enforce Terms of Service; Prevent or address fraud, security, technical issues; Respond to applicable laws and regulations or government requests; or Protect against harm to safety, rights, property of Google, users, or public.

Data may be transferred to servers around the world for processing. This data transfer will be compliant with certain legal frameworks, like UK, USA, Swiss, European, and Brazilian Adequacy Decisions. 		When self-hosted, Nextcloud does not collect any data to be able to share with partners. User data collected from contracts is shared to ensure contractual obligations are fulfilled, but this is done with express consent of the user, and in accordance with European adequacy decisions. If the countries do not meet these adequacy standards, Nextcloud specifies that it ensures strict data protection through standard contractual clauses and feedback mechanisms. Zoho: Shares user information with third-parties to help users get acclimatised with Zoho services and to optimise them. It is possible that partners may misuse the information to contact users unwantedly. This could be dangerous and risky for the users.

Google: Shares the data with more entities, owing to its larger, global user base. Both proprietary systems share data with their entities based in other countries for data processing. Only Google mentions specific legal frameworks overseeing these transfers, but the DPDPA is missing.

Nextcloud: Shares information only with explicit user consent for specified purposes, and in accordance with European adequacy decisions. Nextcloud acknowledges that data may be shared to countries that do not meet these adequacy standards and specifies how it ensures strict data protection in those cases.
User Control Users can opt-out of non-essential communications like newsletters by unsubscribing. Essential communications include account notifications, security incident alerts, security and privacy updates, and transaction and payment related emails.

Users can disable cookies before interacting with Zoho’s sites. Users can also choose to not provide, edit, or delete optional profile information or when filling in forms.

Users in the European Economic Area (EEA) are guaranteed rights to access, rectification, erasure, restriction of processing, data portability, objection, and complaint. 		If signed up, users can review and update information by visiting the services.
The Google Account also includes the Privacy Checkup feature which offers an overview of key privacy settings:
  1. Activity Controls: Decide what types of activity data is saved
  2. Ad settings: Modify interests, choose whether personalisation is necessary, and turn off certain advertising services
  3. Personal Information: Control who can see it and what information is in the account
  4. Shared endorsements: Choose whether personal information appears next to activity that appears in ads, like reviews and recommendations
  5. Sites and Apps that use Google services: Manage information that may be shared with Google when you access them.
Other than the afore-mentioned ‘Privacy Checkup’ feature, Google allows users to manage information associated with specific products through the ‘Google Dashboard’.
    Users can also:
  1. Request to remove content from specific Google services
  2. Delete information associated with specific Google services
  3. Deactivate cookies in the browser
  4. Modify device-level settings to not share location information, for example.
Users have the ability to object or cancel their consent for all types of data collected by Nextcloud, except that data which is required to be stored for certain legitimate purposes like contractual enforcement or for legal compliance reasons. Zoho: There are no explicit opt-out mechanisms put in place, the policy describes voluntary disclosure of optional information and unsubscribing from certain kinds of communications alone. The data collected through application logs and mobile analytics seems to not be part of any opt-out provision. Further, only the rights of EEA users are explicitly recognised in the policy.

Google: Provides users with more control over specific types of data and allows users to manage and edit their tracked data in a more structured, compartmentalized manner. However, there are some dark patterns employed here as most of these user control mechanisms are either hidden deep within the privacy settings of the user account, or found in specific sites or pages that are not easily accessible or notified to the users.

Nextcloud: Offers the most user control over what data is collected and stored by providing a vast provision to object or cancel the service or revoke consent.
Encryption Most Zoho services provide Encryption at Rest (EAR) and Encryption in Transit (TLS) by default. This is the basic standard of encryption offered by most cloud-based email providers.

End to End Encryption is not built-in to any service yet, but Zoho Mail has a feature called ‘Secure Mail’ that allows users to send an encrypted email, using S/MIME or PGP encryption.

For other services, data marked as sensitive is given full encryption protection. 		Google does not have End to End Encryption built into any of its services yet.

Google provides default Encryption at Rest (EAR) for all its data. Gmail offers Encryption in Transit (TLS) automatically. This is the basic standard of encryption offered by most cloud-based email providers.

Google also enforces full encryption by default for all data. 		Nextcloud offers the industry-standard Encryption at Rest (EAR) on the server side as well as for local storage. TLS is also employed for Encryption in Transit.

Additionally, Nextcloud provides End to End Encryption client-side from the Nextcloud desktop client 3.0 on a folder-level option. 		Zoho only provides full encryption by default for data earmarked as sensitive, but
Google does so for all data. Otherwise, both provide the industry standard level encryption for cloud-based services with slightly stronger encryption for certain specific Google services.
Nextcloud, on the other hand offers End to End Encryption (E2EE) through the desktop client for folders.

 

PrintLinkedIn

Policy Analysis of Messaging Applications

Global Encryption day banner

Rights, Risks and the Future of Encryption – Global Encryption Day 2025

Security and Privacy Features Analysis of Messaging Applications (Arattai, Whatsapp, Signal, Prav and Element)