Privacy Policy

Last updated: February 6, 2026

1. Introduction

At FileShare, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information and files when you use our secure file sharing platform.

Our commitment: We believe you own your data. We will never sell your personal information or files to third parties, and we implement industry-leading encryption to protect your privacy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address: For account identification, notifications, and support
  • Username: Your chosen login identifier
  • Password: Stored as a salted, hashed value (we never store plain-text passwords)
  • Company name (optional): For team organization and billing
  • Company code (optional): For joining existing organizations

2.2 Payment Information

Payment processing is handled by Stripe, our PCI-compliant payment processor. We do not store your full credit card numbers. We receive and store only:

  • Last 4 digits of your card (for display purposes)
  • Card expiration date
  • Billing address (if provided)
  • Stripe customer ID (for subscription management)

2.3 File Data

End-to-End Encrypted Files (E2E-AES-256-GCM):

Files you upload with E2E encryption are encrypted on your device before they reach our servers. FileShare cannot decrypt, access, or read these files. We store only encrypted blobs of data.

Even if legally compelled, we cannot provide decrypted versions of your E2E files because we do not have the encryption keys.

Server-Side Encrypted Files (AES-256-GCM):

Files you upload with server-side encryption are encrypted after upload using keys managed by FileShare. While encrypted at rest in our database, FileShare has technical access to decrypt these files for:

  • Generating shareable download links
  • Optional virus scanning (if enabled)
  • Service delivery and troubleshooting
  • Legal compliance when required

Additionally, we collect file metadata for all uploads:

  • Filename and file size
  • Upload timestamp and uploader identity
  • Encryption algorithm used
  • Access permissions and share link settings

2.4 Usage Data

To improve our Service and ensure security, we collect:

  • Log data: IP addresses, browser type, operating system, access times
  • Device information: Device type, app version, unique device identifiers
  • Audit logs: File access history, login attempts, configuration changes
  • Performance data: Upload/download speeds, error rates, feature usage

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Store and sync your files, manage team access, process share links
  • Process payments: Manage subscriptions, billing, and invoices via Stripe
  • Send notifications: Account activity, security alerts, support responses, optional product updates
  • Improve security: Detect unauthorized access, prevent abuse, monitor for suspicious activity
  • Enhance features: Analyze usage patterns to improve performance and develop new features
  • Provide support: Respond to your questions and troubleshoot issues
  • Legal compliance: Comply with applicable laws, regulations, and legal processes

4. How We Share Your Information

We do not sell your personal information or files to anyone.

We share your information only in these limited circumstances:

4.1 Service Providers

  • Stripe: Payment processing (they receive billing information only)
  • Cloud infrastructure: Hosting providers that store encrypted data on our behalf
  • Email service: Transactional email delivery (account notifications, password resets)

All service providers are contractually obligated to protect your data and may only use it to provide services to us.

4.2 Team Members

When you join a company account, your email, username, and role are visible to Configurators and Coordinators in your organization. Files you upload are accessible according to the permissions you set.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government request. For E2E encrypted files, we can only provide encrypted data (which we cannot decrypt). For server-side encrypted files, we may be able to provide decrypted content if legally compelled.

4.4 Business Transfers

If FileShare is acquired by or merged with another company, your information may be transferred to the new owners. We will notify you before any such transfer and provide options for data deletion if desired.

5. Data Retention and Deletion

5.1 Active Accounts

We retain your account information and files for as long as your account is active and in good standing.

5.2 Account Cancellation

When you cancel your account:

  • You retain access until the end of your paid billing period
  • After your subscription ends, files are retained for 30 days for recovery
  • After 30 days, all files and account data are permanently deleted
  • Deletion of encrypted files is irreversible

5.3 Legal and Compliance

Some data may be retained longer for legal compliance, security, fraud prevention, or financial record-keeping (e.g., billing records for tax purposes). Such data is kept only as long as legally required.

5.4 Backups

Deleted data may persist in encrypted backups for up to 90 days before being permanently purged from all systems.

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Access and Portability

You can access your account information and download all your files at any time through the desktop app or web interface. Contact support for a complete data export.

6.2 Correction

You can update your email, username, company name, and other account details in your account settings.

6.3 Deletion

You may delete your account at any time. This will permanently remove all your files and personal data after the 30-day grace period.

6.4 Object to Processing

You may opt out of optional data processing (e.g., product update emails). However, some processing is necessary to provide the Service (e.g., storing your files, processing payments).

6.5 GDPR Rights (EU Users)

If you are in the European Union, you have additional rights under GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

6.6 CCPA Rights (California Users)

If you are in California, you have rights under CCPA:

  • Right to know what personal information we collect and how it's used
  • Right to delete personal information
  • Right to opt out of sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

7. Security Measures

We implement industry-leading security practices to protect your data:

7.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
  • At Rest: All files are encrypted in our database using AES-256-GCM
  • E2E Option: End-to-end encryption provides zero-knowledge protection for your most sensitive files

7.2 Access Controls

  • Role-based access control (Configurator, Coordinator, Member)
  • Strong password requirements (12+ characters, complexity rules)
  • Session timeouts after inactivity
  • Audit logging of all access and configuration changes

7.3 Infrastructure Security

  • Regular security audits and penetration testing
  • DDoS protection and firewall rules
  • Intrusion detection and monitoring
  • Encrypted backups with geographic redundancy

While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials and encryption keys.

8. Cookies and Tracking

FileShare uses minimal tracking technologies. We do not use advertising cookies or third-party analytics.

8.1 Essential Cookies

We use session storage (not cookies) to maintain your login state. This data is stored locally in your browser and automatically cleared when you log out or close your browser.

8.2 CSRF Tokens

We use Cross-Site Request Forgery (CSRF) tokens to prevent unauthorized actions on your account. These are security features, not tracking mechanisms.

9. Children's Privacy

FileShare is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it promptly.

10. International Data Transfers

Your data may be stored and processed in data centers located in various countries. We ensure that all international transfers comply with applicable data protection laws, including:

  • EU-US Data Privacy Framework (for EU users)
  • Standard Contractual Clauses where required
  • Encryption of data in transit and at rest

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.

  • Material changes will be communicated via email or in-app notification
  • Changes take effect 30 days after notification
  • Continued use of the Service after changes constitutes acceptance
  • Previous versions will be archived and available upon request

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Privacy Inquiries: privacy@fileshare.example.com

Data Protection Officer: dpo@fileshare.example.com

General Support: support@fileshare.example.com

We will respond to all privacy-related requests within 30 days.
