Privacy Policy
Last updated: 14 June 2026
This Privacy Policy explains what data uploadtol.ink collects, why, how we protect it, and the choices you have. We are built privacy- and security-first: files are private by default, share links are unguessable and stored only as hashes, and uploads are deleted automatically when they expire.
1. Who we are
The Service is operated by PixelPleno LTDA, SP, Brazil. ("we", "us"). For any privacy question or request, contact [privacy@uploadtol.ink].
2. Information we collect
| Category | What it includes |
|---|---|
| Account data | Your email address and a securely hashed password. We never store your password in plain text. |
| File content & metadata | The files you upload and their metadata (file name, size, chosen retention period, timestamps), kept only until the file expires or you delete it. |
| Share links | Each download link is a random token; we store only a SHA-256 hash of it, plus its expiry and any download cap. |
| Billing data | Credit purchases and balances, and the Stripe identifiers needed to reconcile payments. Card details are handled by Stripe — we never receive or store full card numbers. |
| Technical & usage data | IP address, request and download events, and server logs, used to operate the Service, enforce rate limits, and detect abuse. |
| Cookies | A language-preference cookie and the session tokens that keep you signed in (see "Cookies" below). |
3. How we use information
- To provide the Service — store your files, generate and serve download links, and deliver files to recipients.
- To process payments and maintain your credit balance.
- To secure the Service — authenticate you, enforce rate limits, and detect, prevent, and investigate abuse, fraud, and security incidents.
- To send essential transactional messages, such as password-reset emails.
- To comply with legal obligations and respond to lawful requests.
We do not sell your personal data, and we do not use Your Content for advertising.
4. Legal bases
Where data-protection law such as the GDPR applies, we rely on: performance of our contract with you (to provide the Service and process payments); our legitimate interests (to keep the Service secure and prevent abuse); legal obligation (to meet record-keeping and lawful-request requirements); and consent where specifically requested. Your local rights are described in section 10. This policy is provided under [Jurisdiction] data-protection law.
5. How we protect your data
- In transit: all traffic is encrypted with TLS.
- At rest: stored files are encrypted in object storage.
- Passwords: hashed with PBKDF2-SHA-256 at a high iteration count — never stored or logged in plain text.
- Share tokens: stored only as SHA-256 hashes, so a database leak would not expose working links.
- Sessions: short-lived access tokens with rotating refresh tokens; a replayed refresh token revokes the whole session family.
- Abuse controls: public endpoints are rate-limited per IP, and download responses carry an
X-Robots-Tag: noindexheader so shared links don't end up in search engines.
No system is perfectly secure, and the Service is not end-to-end encrypted. If a file must be readable only by its recipient, encrypt it yourself before uploading. See our security guide for details.
6. Cookies
We use only the cookies needed to run the Service: a language-preference cookie that remembers your chosen interface language, and the session tokens that keep you signed in. We do not use third-party advertising or tracking cookies.
7. How long we keep data
- Files and their links are deleted automatically when the retention period you chose (1 hour to 30 days) ends, or sooner if you delete them. Deletion is permanent and we keep no backups.
- Account data is kept while your account is active; if you delete your account we remove your personal data, except where we must retain limited records by law.
- Billing records are kept as required by tax and accounting law.
- Logs are retained for a limited period for security and troubleshooting, then deleted or anonymised.
8. Service providers (sub-processors)
We share data only with the providers that make the Service work:
| Provider | Purpose |
|---|---|
| Cloudflare, Inc. | Hosting, edge compute, file storage, database, CDN, and rate limiting. |
| Stripe, Inc. | Payment processing for credit purchases. |
| Brevo | Delivery of transactional email (e.g. password resets). |
Each provider processes data on our behalf under its own terms and security commitments. We do not otherwise share your personal data, except to comply with the law or a valid legal request, or to protect the rights, safety, and security of users and the public.
9. People you share links with
Recipients do not need an account. When someone opens a link you created, we process the request — including their IP address and download events — to deliver the file and to enforce expiry, download caps, and abuse protections. What a file contains, and who you send its link to, is determined by you, not by us.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. You can manage your account data in the app or exercise these rights by contacting [privacy@uploadtol.ink]. You may also have the right to complain to your local data-protection authority.
11. International transfers
Our providers operate globally, so your data may be processed in countries other than your own. Where required, transfers rely on appropriate safeguards such as standard contractual clauses.
12. Children's privacy
The Service is not intended for anyone under 18, and we do not knowingly collect data from children. If you believe a child has provided us data, contact [privacy@uploadtol.ink] and we will delete it.
13. Content you share is your responsibility
We do not routinely monitor or screen the files users upload, and we are not responsible for their contents or for how links are used. Responsibility for what is uploaded and shared rests with the user who uploads and shares it, as set out in our Terms of Service. We may remove content and act on reports of misuse as described there.
14. Changes to this policy
We may update this policy from time to time. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Your continued use of the Service after changes take effect means you accept the updated policy.
15. Contact
Privacy questions and requests: [privacy@uploadtol.ink].