FileDroppy

Data Protection

GDPR & Data Privacy Compliance

1. Our Commitment

FileDroppy is committed to protecting the privacy and security of your personal data. We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This page outlines our data protection practices and your rights as a data subject.

2. Data Controller

FileDroppy acts as the data controller for personal data collected through our Service. For any data protection inquiries, you can contact us at:

Email: [email protected]

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance: Processing necessary to provide the Service you requested (file uploads, account management, transfers)
  • Legitimate interest: Security measures, fraud prevention, virus scanning, and service improvement
  • Consent: Where you explicitly consent to processing, such as receiving optional communications
  • Legal obligation: Where processing is required by law

4. Data We Process

We process the following categories of personal data:

  • Identity data: Display name, email address
  • Account data: Hashed password, plan type, account creation date
  • Transfer data: File names, file sizes, upload timestamps, expiration dates, download counts
  • Technical data: IP address, browser type, session identifiers
  • Payment data: Processed by Stripe; we only store Stripe customer and subscription IDs

5. Data Protection Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted via HTTPS/TLS
  • Secure authentication: Passwords hashed using bcrypt
  • CSRF protection: All forms protected against cross-site request forgery
  • Access control: Users can only access their own data and transfers
  • Automatic deletion: Files automatically deleted upon expiration
  • Malware scanning: All uploaded files scanned for viruses and malware
  • Minimal data collection: We only collect data necessary for the Service

6. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the following rights:

  • Right of access (Art. 15): Obtain confirmation and a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18): Restrict the processing of your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7): Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

7. Data Retention

We retain your data as follows:

  • Uploaded files: Automatically deleted upon transfer expiration (7 or 30 days)
  • Transfer metadata: Retained while your account is active; deleted upon account deletion
  • Account data: Retained while your account is active; deleted within 30 days of account deletion
  • Payment records: Retained as required by financial regulations

8. International Data Transfers

Your data may be processed by third-party services (Stripe, Gmail SMTP) that operate internationally. These services maintain their own GDPR compliance and data protection frameworks. We ensure that any international transfers are covered by appropriate safeguards.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users without undue delay if the breach is likely to result in a high risk
  • Document the breach and actions taken

10. Third-Party Processors

We use the following third-party data processors:

  • Supabase (PostgreSQL): Database hosting for account and transfer data
  • Stripe: Payment processing for Pro subscriptions
  • Google (Gmail SMTP): Transactional email delivery

Each processor is bound by data processing agreements and maintains appropriate security measures.

11. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. You can also contact us directly at [email protected] and we will do our best to resolve your concern.


© 2026 FileDroppy. Simple, secure file sharing.