Privacy Policy
This policy explains what personal data yasync.com processes, why we process it, where it is stored, and the rights you have under the EU General Data Protection Regulation (GDPR). This is a development deployment: a reachable privacy contact must still be published before public launch.
Last updated: July 12, 2026
Controller
The production controller has not yet been published. Before launch this block must name:
[Verified legal controller required before launch]
[Registered address and jurisdiction required before launch]
Privacy contact: [reachable address required before public launch]
General contact: [reachable address required before public launch]
The incomplete operator checklist is visible on the imprint.
Scope
This policy covers the yasync.com website, the file-transfer service, and the yasync desktop app. It applies to visitors, to anonymous senders, to senders with accounts, and to the recipients of transfer links. Recipients never need an account to download files.
Website, hosting, and server logs
All traffic is TLS-encrypted. Uploaded files are stored in Cloudflare R2 object storage and delivered through Cloudflare’s content delivery network (see “Transfers and files” below). The production storage-residency configuration and the hosting provider of the application server will be named here before public launch.
Like almost every web server, ours writes technical logs when you access the site — typically the requested page, the time of the request, your IP address, and basic browser information. We use these logs to operate the service, diagnose problems, and defend against abuse. The legal basis is our legitimate interest in running a secure and reliable service (Art. 6(1)(f) GDPR). Logs are kept only for short operational windows and are then deleted.
Accounts and authentication
The account implementation uses an email address and password (with an optional display name), and stores passwords only as bcrypt hashes. Credentials registration is enabled only behind a development access code because email ownership cannot yet be verified. New registrations record the accepted Terms version and acknowledgement of this Privacy Notice. Existing controlled development accounts may sign in for testing.
Anonymous senders need no account and anonymous transfers are not linked to a user profile. Before open public registration is enabled, this policy must name the controller, legal basis, retention, and a reachable rights channel. Optional transfer-delivery addresses are not collected in this build.
Transfers and files
The files you upload are processed solely to store and deliver them to the recipients you choose (Art. 6(1)(b) GDPR). We do not scan file contents for advertising or profiling.
Files are stored in Cloudflare R2 object storage and delivered through Cloudflare’s global network. Cloudflare, Inc. (USA) acts as our storage and content-delivery processor under a data processing agreement pursuant to Art. 28 GDPR. The production storage region will be published before launch. Cloudflare, Inc. remains subject to US jurisdiction at the corporate level — the safeguards for this are described under “International transfers” below. Download URLs are HMAC-signed with an expiry, so files cannot be accessed without a valid link, and file names are never part of storage URLs. Optional transfer passwords are stored bcrypt-hashed.
Anonymous and Free transfer links expire 24 hours after upload. Their files then leave active storage and remain recoverable for no more than seven days before permanent purge. Pro transfers are kept until the sender deletes them or the subscription ends, subject to the same recovery window after deletion.
What we do not do with your files
Beyond the legal bases above, we make the following commitments about file contents. They are binding promises under this privacy policy — not marketing — and they apply to every tier: Pro, Free, and Anonymous alike, with no exceptions:
- No scanning for advertising or profiling. We do not analyse or index file contents for those purposes. If a specific transfer is reported for abuse or illegality, authorised people may review the report and affected transfer.
- No AI training, period. Your files are never used to train machine-learning models — ours or anyone else’s.
- Never sold. We do not sell personal data. Our listed service providers process data only to supply storage and delivery, payments, or consent-gated advertising as described below.
- Ads are off. The planned advertising model for free tiers is not enabled in development and will never use file contents for targeting.
- Encrypted, and lockable. Files are TLS-encrypted in transit and encrypted at rest, and every transfer — on every tier — can carry an optional password.
Recipients and download logging
When someone downloads a transfer, we record a download event: the transfer, the kind of download (file or ZIP), a keyed (salted) hash of the IP address — never the raw IP — and basic browser information. We use this to show senders download counts, to enforce rate limits, and to defend against abuse. The legal basis is our legitimate interest in operating and protecting the service (Art. 6(1)(f) GDPR).
Recipient-email delivery is disabled in the current development environment, so the send forms do not collect recipient addresses. Senders copy and share the returned link themselves.
Abuse reports
Anyone can report a transfer they believe to be illegal via our report form (see the takedown & abuse policy for the full procedure). When a report is filed, we store the report itself: the reported transfer link, the category, the description, the reporter’s name and email where required, the time they confirmed the notice was accurate and complete, and a keyed (salted) hash of the reporter’s IP address — never the raw IP — used solely to prevent abuse of the reporting channel itself. The intended legal bases are compliance with the future notice-and-action obligations (Art. 6(1)(c) GDPR in conjunction with Art. 16 of the Digital Services Act) and a legitimate interest in protecting the service (Art. 6(1)(f) GDPR). The verified controller and counsel must confirm those bases before public launch.
Reports are stored for a staffed review process that remains a public-launch requirement; any authorised review is limited to the reported transfer. We keep abuse reports while they are open and for 12 months after they are closed — longer only where a report is needed for our repeat-infringer policy, to establish, exercise, or defend legal claims, or where the law requires it.
Advertising and consent (free tiers)
The business model plans consent-gated advertising on Anonymous and Free pages, but advertising is disabled in this development deployment. No Google ad script loads and no ad-related address, cookie, or measurement data is sent to Google.
Before ads can be enabled, yasync must install a Google-certified TCF v2.3 consent platform, name the provider here and on Compliance, and make consent the legal basis for ad-related processing (Art. 6(1)(a) GDPR, § 25(1) TDDDG). A stored development preference is not presented as production consent.
Pro is designed to remain ad-free. The current development deployment has no ad scripts on any tier.
Payments and billing
Protected development accounts can use a visibly labeled Stripe test-mode checkout. Stripe receives the test customer email, name, billing address, test payment details, tax ID if supplied, subscription state, and usage-meter events needed to exercise billing. Test mode cannot create a real charge. Stripe Payments Europe, Ltd. is the payment processor selected for Pro checkout. Before live activation, the operator, consumer/B2B scope, tax treatment, legal basis, retention, withdrawal flow, and processor disclosure must be completed and reviewed.
Transactional email
Transactional email is not enabled in the current development environment. Recipient fields and password-reset delivery are disabled, and no address is sent to an email provider. Before delivery is enabled, this notice and our processor list will name the selected provider and safeguards.
Service providers
The current implementation uses Cloudflare for file storage and delivery. Stripe is active only for protected test-mode billing, and Google is proposed for consent-gated advertising only after a certified consent platform is installed. Each active provider processes data only for the purpose described above. The full processor list, with locations and safeguards, is on our compliance page.
International transfers
The production location of file data will be documented before launch. Where a provider processes data outside the EU — or is a US-headquartered company, as Cloudflare is — transfers are protected by EU Standard Contractual Clauses and, where the provider is certified, the EU-U.S. Data Privacy Framework.
Retention and deletion
We keep personal data only as long as it is needed:
- Anonymous and Free links expire 24 hours after upload. Files leave active storage at expiry and are permanently purged from recovery storage within seven days.
- Pro transfers are kept until the sender deletes them or the subscription ends. Deleted Pro files are likewise purged from recovery storage within seven days.
- Account data is kept for the life of the account.
- Download events are kept for 90 days for statistics and abuse defense.
- Abuse reports are kept while open and for 12 months after closure — longer only for repeat-infringer enforcement, legal claims, or statutory duties.
- If paid billing launches, payment and invoice records will be retained for the applicable statutory commercial and tax periods.
- Server logs are kept only for short operational windows.
Production backup scope and retention will be published here after the production database provider is selected. The current development database is not a customer-data system.
Your rights
Under the GDPR, you have the right to:
- access the personal data we hold about you,
- have inaccurate data rectified,
- have your data erased,
- restrict processing,
- receive your data in a portable format,
- object to processing based on legitimate interests, and
- withdraw any consent you have given, at any time — this does not affect the lawfulness of processing carried out before the withdrawal.
A reachable channel for exercising these rights must be published before production accounts are accepted. It is not configured in this development deployment.
Right to lodge a complaint
You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on the verified legal controller and must be named before launch:
[Competent supervisory authority required before launch]
No automated decision-making
We do not use your personal data for automated decision-making or profiling within the meaning of Art. 22 GDPR.
Changes to this policy
We update this policy when our service or our providers change. The date at the top of this page shows the current version. For an overview of our security practices and the full processor list, see our compliance page.