Privacy Policy
How GetFiles processes personal data. This policy applies to getfiles.app.
1. Controller (Art. 4 GDPR)
Alex Kay
60 Trần Phú Street
Nha Trang, Khánh Hòa 650000, Vietnam
Email: legal@getfiles.app
2. What we process
Server access logs
The web server records: IP address, timestamp, requested URL, HTTP status, referrer and user agent. Access logs are rotated daily and the most recent 14 days are kept. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service stability and abuse prevention).
File requests
When you create a file request we store: title, description, your email (if provided for upload notifications), settings (max file size, expiry, password, allowed file types, branding) and your IP address (for abuse prevention). Legal basis: Art. 6(1)(b) GDPR.
Uploaded files
When someone uploads to a request we store: the file itself, original filename, file size, SHA256 checksum and uploader IP address. Optionally collected if the request creator enabled it: uploader name and email. Files are stored on a server we operate (no third-party cloud storage like S3 is used). Default expiry is 7 days, maximum 10 days. After expiry files are automatically and irreversibly deleted. Legal basis: Art. 6(1)(b) GDPR.
Automated malware scanning
Every uploaded file is scanned by ClamAV, an open-source antivirus engine that we run on our own server. Files are not sent to any third party for scanning. We store only the scan result (clean / infected) and a timestamp. Files flagged as infected are deleted immediately and are never delivered to the recipient; if the uploader provided an email, they receive a one-line notice that the file was rejected. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting recipients and infrastructure from malware).
Google sign-in (OAuth, optional)
You can sign in with Google to attach anonymous requests to a "My requests" dashboard. Google LLC (Mountain View, USA) transmits your email, name, avatar URL and a profile identifier. We store these only while your account exists. Legal basis: Art. 6(1)(a) GDPR (consent) plus (b) (contract). Transfer to Google in the USA relies on the EU-U.S. Data Privacy Framework (C(2023) 4745).
Transactional email (Maileroo)
Notification emails are sent through Maileroo Inc. as our processor (Art. 28 GDPR). Maileroo handles the recipient address and the message body on our behalf. We do not send marketing emails.
Analytics (Umami, self-hosted)
We use a self-hosted, cookieless instance of Umami Analytics. Only aggregated data is recorded (page URL, country, browser, device class) - no personal identifiers. Legal basis: Art. 6(1)(f) GDPR.
Error tracking (Sentry / GlitchTip)
We run a self-hosted GlitchTip instance at errors.alexkay.dev for crash reporting. Stack trace, request URL, IP address and (if signed in) user email may be transmitted. Retention 90 days. Legal basis: Art. 6(1)(f) GDPR.
3. Third-country transfers
The service runs on a VPS server outside the EU. The operator is based in Vietnam. Transfers to non-EU countries rely on Art. 49(1)(b) GDPR (necessary for the performance of a contract).
4. Your rights (Art. 15-22 GDPR)
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Portability (Art. 20)
- Objection (Art. 21)
- Withdraw consent at any time
To exercise any of these rights, email legal@getfiles.app. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
5. Retention
Server logs: 14 days. Uploaded files: until request expires (max 10 days). Request metadata: until creator deletes the request. Account data: until account deletion. Analytics: 12 months. Error events: 90 days.
6. Security
HTTPS for all connections. Hashed credentials where applicable. No security measure is perfect; you use the service at your own risk.
7. Cookies
No tracking cookies. Only a strictly-necessary session cookie is used (consent-exempt under § 25(2) TTDSG / EU ePrivacy Directive).