Help Center/Security/Encryption and Privacy

Encryption and Privacy

Most file-sharing tools say they're “secure” and leave it at that. Here's the actual rundown of how your files move, where they live, who can reach them, and when they go away.

How files travel

Every byte your browser or the iOS app sends or receives goes through TLS. Same encryption your bank uses. The connection is verified end to end and nothing in between can read what's passing through.

We also don't pre-upload anything in the background before you hit send. Some tools start streaming bytes as soon as you drop files in, “just in case.” We don't. Your files leave your device the moment you tell them to and not a second sooner.

Where files live

Once they land, your files sit on Cloudflare R2, encrypted at rest with AES-256. That's the encryption standard banks and governments rely on. They stay encrypted the whole time they're stored, and R2 sits behind Cloudflare's global edge network for fast access from anywhere.

On Pro and Max plans you can pin a transfer to a specific region: Eastern USA, Western USA, Europe, or Asia. Useful if you have client contracts or compliance requirements that say data has to stay on a particular continent.

Who can reach them

Every transfer gets a unique download URL with an unguessable id. Without that link, the files don't show up in any listing, search, or directory anywhere on the internet. There's no public index.

When someone hits download, we hand out a short-lived signed URL straight from R2. The signature expires within minutes, so screenshot links can't be passed around days later and still work. The actual download happens directly between your recipient and the storage layer, not through us.

For sensitive work, add a password to the transfer. The download page locks until the recipient enters it.

When files go away

Every transfer has an expiry. When it hits, the files are deleted from storage and the download link stops working. No backups, no archive, no “deleted but actually still there”.

  • Free without an account: 10 days.
  • Free with an account: 14 days.
  • Pro: up to 60 days.
  • Max: up to 365 days.

You can also delete a transfer manually any time. Or on Pro and Max, flip on “delete after download” and the files vanish the instant the first download starts. Good for one-time client deliveries.

What we don't do with your files

We don't train AI on your work. We don't scan, analyze, or inspect the contents of your transfers. We don't sell account data to advertisers or brokers. The full version of this is in the No AI Policy page. Short version: your files are yours, and the only thing we do with them is move them from you to your recipient.

On the iOS app

Same TLS, same encrypted storage, same signed download URLs. The app authenticates over Auth0 with refresh tokens stored in the iOS Keychain (which is hardware-backed on every modern iPhone), so your session is protected even if the device is lost.