Draft · not legal advice
This document is a working draft and must be reviewed by counsel before launch. It does not yet bind SnapTransfer or its users.
Privacy Policy
Last updated: 2026-06-25
1. Scope & who we are
This Privacy Policy explains how [COMPANY LEGAL NAME] ("SnapTransfer," "we," "us," or "our") collects, uses, shares, and protects personal information when you use SnapTransfer, a web-based service for sending and receiving large files (the "Service"). It applies to visitors, account holders, and recipients who download files shared through the Service.
Our registered address is [COMPANY ADDRESS]. For the purposes of the EU and UK General Data Protection Regulation ("GDPR"), SnapTransfer is the data controller for the personal information described in this policy, except where we act as a processor on behalf of an account holder (for example, when we store files an account holder chooses to transfer). This policy works alongside our Terms of Service, our Acceptable Use Policy, and our DMCA / copyright policy. The effective date of this policy is [EFFECTIVE DATE].
2. Information we collect
We collect information you provide directly, information generated as you use the Service, and information from the sub-processors that help us operate it.
Account information (Clerk)
When you create an account, our authentication provider, Clerk, processes your name, email address, password credentials, and authentication metadata (such as sign-in events and multi-factor settings) to verify your identity and secure your account. We never see or store your raw password.
Payment information (Stripe)
If you subscribe to a paid Pro or Business plan, our payment processor, Stripe, collects and processes your payment-card and billing details to complete the transaction. Card numbers are handled entirely by Stripe's PCI-compliant systems; we never store your full card details. We retain only limited billing records such as plan, subscription status, and the last four digits and brand of your card for receipts and accounting.
Files and file metadata (Cloudflare R2)
When you upload a transfer, the file contents are stored in Cloudflare R2 object storage. We also record file metadata such as file names, sizes, types, upload and expiry timestamps, the transfer link or share token, and the recipients you choose to send to. We do not inspect the substantive contents of your files except as described in Section 6 (File scanning) and as needed to operate, secure, and troubleshoot the Service.
Email addresses & transactional mail content (Resend)
When you send a transfer by email, or when we send you account, billing, security, or download notifications, we use Resend to deliver that mail. This involves processing sender and recipient email addresses, the subject and body of the message (including any note you add to a transfer), and delivery events such as sends, bounces, and failures.
Usage, device & IP information
As you interact with the Service, we automatically collect technical data including your IP address, browser and device type, operating system, referring pages, and timestamps and details of actions such as uploads, downloads, and sign-ins. We log IP addresses and basic device and usage data to operate rate limiting, prevent abuse, secure accounts, and generate download notifications for senders.
Error and performance logs (Sentry)
We use Sentry to capture error reports and performance diagnostics. These logs may include technical context such as the URL, browser, device, IP address, and a stack trace describing what went wrong, which helps us detect, debug, and fix problems with the Service.
Cookies & bot protection (Turnstile)
We use a small number of cookies and similar technologies to keep you signed in and to remember preferences, and we use Cloudflare Turnstile to distinguish humans from bots on sign-up and other sensitive actions. See Section 10 (Cookies & similar tech) for details.
3. How we use information
We use the information described above to:
- Provide, maintain, and operate the Service, including uploading, storing, and delivering transfers;
- Create and authenticate your account and keep it secure;
- Process payments and manage subscriptions for paid plans;
- Send transactional messages such as transfer links, download notifications, receipts, and security alerts;
- Enforce rate limits, detect and prevent fraud, spam, abuse, and other prohibited use;
- Scan uploaded files for malware as described in Section 6;
- Monitor, debug, and improve the reliability, performance, and quality of the Service;
- Comply with legal obligations and enforce our agreements, including our Terms of Service and Acceptable Use Policy.
4. Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases to process your personal information:
- Performance of a contract — to deliver the Service you sign up for, including authenticating your account, storing and delivering transfers, and processing payments for paid plans.
- Legitimate interests — to secure the Service, prevent fraud and abuse, apply rate limits, scan for malware, monitor performance and errors, and improve our product, where those interests are not overridden by your rights and freedoms.
- Consent — where required, for example for certain non-essential cookies; you may withdraw consent at any time without affecting prior processing.
- Legal obligation — to comply with applicable laws, respond to lawful requests, retain records, and meet tax and accounting requirements.
5. Sub-processors
We rely on the following service providers (sub-processors) to operate the Service. Each processes personal information only as needed to perform its function and under contractual data-protection obligations:
- Clerk — authentication and account identity.
- Stripe — payment processing and card data; we never store full card numbers.
- Cloudflare R2 — storage of uploaded files.
- Cloudflare Turnstile — bot detection and CAPTCHA.
- Resend — delivery of transactional email.
- VirusTotal — malware scanning of uploaded files; file hashes and, for small files, file content may be submitted (see Section 6).
- Sentry — error and performance monitoring.
- Vercel — application hosting and content delivery (CDN).
- Supabase / PostgreSQL — the application database storing account and transfer metadata.
6. File scanning
To protect recipients and keep the Service free of malware, uploaded files are checked against VirusTotal. For most files we submit only a cryptographic hash of the file and look up whether that hash is already known to be malicious, which does not disclose the file's contents. For some small files, the file content itself may be submitted to VirusTotal so it can be analyzed. You should not transfer confidential material you would not want analyzed by a third-party scanning service; if that is a concern, do not upload the file.
If a file is flagged as malicious or otherwise prohibited, we may block downloads, quarantine or delete the file, suspend the associated transfer or account, and take any further action described in our Acceptable Use Policy. Scanning results and related metadata may be retained as part of our abuse-prevention records.
7. Data retention
We keep personal information only for as long as it is needed for the purposes described in this policy, and then delete or anonymize it.
- Transfers and files — transfers expire based on your plan tier (between 7 and 90 days). After a transfer expires, the underlying files are automatically deleted from storage.
- Account deletion — when you delete your account, we trigger a full purge of your stored files and associated account data, subject to limited records we must keep for legal, accounting, or abuse-prevention reasons.
- Logs and security data — operational logs, IP records, error reports, and abuse-prevention data are retained for a limited period appropriate to their purpose and then deleted or aggregated.
- Billing records — payment and invoice records are retained as required by tax and accounting law.
8. Security
We use technical and organizational measures designed to protect personal information, including encryption in transit, access controls, authentication safeguards, bot protection, malware scanning, and reliance on reputable infrastructure providers. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security; you are responsible for keeping your account credentials confidential and for choosing what you upload and with whom you share transfer links.
9. Your rights
Depending on where you live, you may have rights over your personal information. Subject to applicable law and verification of your identity, these may include the right to:
- Access the personal information we hold about you and request a copy or export of it;
- Correct inaccurate or incomplete information;
- Delete your personal information (for example, by deleting your account);
- Object to or restrict certain processing, and withdraw consent where processing relies on consent;
- Request data portability where applicable.
GDPR (EU/UK). If you are in the European Economic Area, the United Kingdom, or Switzerland, you may exercise the rights above and have the right to lodge a complaint with your local data protection authority.
California (CCPA/CPRA). If you are a California resident, you may request access to, deletion of, and details about the personal information we collect, and you have the right not to be discriminated against for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
To exercise any of these rights, contact us at privacy@snaptransfer.app. You may also be able to manage much of your information directly from your account settings.
10. Cookies & similar technologies
We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service, and support bot detection through Cloudflare Turnstile. Strictly necessary cookies are required for the Service to function and cannot be switched off. Where the law requires consent for non-essential cookies, we will ask for it. You can also control cookies through your browser settings, though disabling some cookies may affect how the Service works.
11. International data transfers
We and our sub-processors may process and store personal information in countries other than the one in which you live, including the United States. Where we transfer personal information across borders, we rely on appropriate safeguards required by applicable law, such as the European Commission's Standard Contractual Clauses or other recognized transfer mechanisms, to protect your information.
12. Children
The Service is not directed to children. You must be at least 16 years old (or at least 13 where permitted by local law with appropriate consent) to use SnapTransfer. We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, contact us and we will take steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "last updated" date above and, where appropriate, provide additional notice such as an email or an in-product message. Your continued use of the Service after an update takes effect means you accept the revised policy.
14. Contact
If you have questions, requests, or concerns about this policy or your personal information, contact us at privacy@snaptransfer.app or by mail at [COMPANY LEGAL NAME], [COMPANY ADDRESS]. Where applicable, our data protection officer or EU/UK representative can be reached via [DPO / EU REPRESENTATIVE].