Privacy Policy

Last updated: 14 May 2026 (revised to disclose operator monitoring)

SendSafe is designed to share files privately and temporarily. We've kept this policy short and plain because there isn't much to say — we deliberately collect as little as possible.

What we collect

When you upload a file, we store the file itself (AES-256 encrypted at rest), the original filename, the file size, the transfer's expiry date, an optional password hash (using bcrypt — we never see your plain-text password), and the IP address of the uploader. The IP is retained for the lifetime of the transfer for abuse prevention only.

When a file is downloaded, we record the timestamp and the IP address of the downloader. This is used for operational monitoring, abuse detection, and to support the download counter feature.

We do not require accounts, ask for your name, ask for your email, or use cookies for tracking. There are no third-party analytics, advertising, or telemetry scripts loaded by this site.

What we don't collect

We do not read, scan, or decrypt the contents of your files. We have no way to recover a password-protected transfer if the password is lost. We do not share, sell, or transfer your data to third parties.

How long we keep your data

Files are deleted permanently when your transfer expires (between 24 hours and 7 days, your choice at upload time) or when the download limit is reached, whichever comes first. The metadata record is deleted at the same moment. After expiry, nothing remains on our systems.

Server logs (which record request times, IP addresses, and response codes for security and debugging) are retained for 30 days and then automatically rotated out.

For operational monitoring, the service operator receives a daily summary email containing transfer activity, file metadata, and IP addresses for the previous 24 hours. These summaries may be retained by the operator for up to 90 days for security investigation, abuse detection, and capacity planning.

Where your data is stored

All files and metadata are stored in a UK-based data centre at IONOS / Fasthosts. Data does not leave the UK. Files are encrypted at rest using AES-256 and transmitted over TLS.

Your rights under UK GDPR

You can request information about, correction of, or deletion of any data we hold about you. Because we don't link uploads to identifiable accounts, in most cases the simplest exercise of this right is to wait for your transfer to expire — at which point everything we held is automatically deleted.

For formal requests, or to report a privacy concern, contact us via the support channel listed on our homepage. The UK supervisory authority for data protection is the Information Commissioner's Office (ico.org.uk).

Cookies

This site does not set cookies for tracking, analytics, or advertising. The application does not use cookies at all in normal operation.

Changes to this policy

If we change how the service handles data, we'll update this page and revise the date above.