← Help

How safe are my files?

TLS in transit, EU storage with encryption at rest, hashed links, bcrypt PIN, and automatic deletion when the transfer expires.

1. 01

   Encrypted in transit

   All upload and download traffic uses HTTPS (TLS). Files never travel over an unsecured connection.

2. 02

   EU storage on Cloudflare R2

   Files are stored in a Cloudflare R2 bucket with EU jurisdiction and server-side encryption at rest. Downloads go through short-lived presigned URLs that are valid for at most 10 minutes.

3. 03

   Hashed download links

   The token in your link only exists in your browser and the recipient's email. Our database stores only a SHA hash, so even we cannot reconstruct your link if you lose it.

4. 04

   PIN with bcrypt

   If you set a PIN we store it with bcrypt (one-way, salted). Brute-force attempts are rate-limited per hashed IP; we never store raw IP addresses.

5. 05

   Automatic expiry and hard delete

   When the expiry passes (1–90 days depending on plan), a scheduled job removes the file from storage and the metadata row. No soft-delete, no lingering backups.

6. 06

   Row-level security

   Metadata (sender, recipients, message) is in Postgres with row-level security. Only the owner of a transfer can read their own rows.

7. 07

   Who touches your data

   We run on Cloudflare (storage and edge) and Supabase (database and auth, EU region). Payments go through Stripe. We don't read or scan your files and never share data with third parties for advertising. Full subprocessor list on the privacy page.