GDPR Compliant

Privacy Policy & GDPR

Last updated: April 4, 2026

1 Who We Are

SecureEU Transfers ("SecureEU", "we", "us") is a file-transfer service operated from Denmark. We provide end-to-end encrypted file sharing where every file is encrypted entirely in your browser before upload. Our service is built on a zero-knowledge architecture — we have zero access to your file contents or your encryption keys at any time.

2 What We Provide

SecureEU Transfers is an encrypted file-sharing platform. The service includes:

  • Encrypted file transfers — upload files up to 50 GB with client-side AES-256-GCM encryption, delivered via a shareable link.
  • Batch transfers — send multiple files at once, grouped under a single download link.
  • Receive links — generate a branded upload page so others can securely send files to you.
  • Password protection — optionally require a password before recipients can decrypt and download.
  • Download limits & link revocation — set a maximum number of downloads or revoke a link at any time.
  • Selective download & ZIP download — recipients can choose individual files or download all files as a single ZIP archive, built entirely in the browser.
  • Branding — customise the download page with your logo and brand colour.
  • Download certificates — a PDF compliance certificate proving a file was downloaded, including SHA-256 hash verification.
  • Email notifications — optionally receive an email when your files are downloaded.

Free transfers are available for files up to 5 GB with a default 7-day expiry. Paid transfers unlock extended expiry (up to 30 days), larger file sizes (up to 50 GB), and additional features.

3 Zero-Knowledge Architecture

Client-side encryption: Files are encrypted with AES-256-GCM using the WebCrypto API directly in your browser before any data leaves your device.

We never receive your encryption key. The decryption key is embedded in the URL fragment (#key), which browsers never transmit to servers.

We cannot open, read, inspect, or decrypt your files. We store only encrypted blobs. Even if compelled by law, we could only hand over encrypted data that is useless without your key.

Direct-to-storage upload: Encrypted files are uploaded directly to object storage via presigned URLs. Our application servers never handle file data.

SHA-256 integrity verification: A cryptographic hash of each file is computed in your browser and stored alongside the transfer so recipients can verify file integrity.

Client-side decryption & ZIP: File decryption and optional ZIP archive creation happen entirely in the recipient's browser — our servers never see plaintext data.

4 Data We Collect

We collect the minimum data necessary to operate the service. No account or registration is required.

4a. Transfer Metadata

For every transfer we store the following non-encrypted metadata alongside the encrypted file blob:

DataPurposeRetention
File nameDisplay to the recipientUntil transfer expiry
File sizePrice calculation & displayUntil transfer expiry
SHA-256 file hashIntegrity verification & certificateUntil transfer expiry
Encrypted blob (S3 key)Storage & deliveryUntil transfer expiry
Password hash (bcrypt)Password gate — only if you set a passwordUntil transfer expiry
Download count & limitEnforce download restrictionsUntil transfer expiry
Sender messageDisplay to recipient — only if you provide oneUntil transfer expiry
Brand logo URL & colourCustom download page — only if you brand your transferUntil transfer expiry
Stripe session IDPayment verification — only for paid transfersUntil transfer expiry
Expiry & creation timestampsAutomatic cleanup schedulingUntil transfer expiry

Transfer expiry is configurable: 1, 3, or 7 days (free & paid) or 14 or 30 days (paid only). A background cleanup worker permanently deletes expired transfers — both the encrypted blob from object storage and all metadata from the database.

4b. Optional Personal Data

The following personal data is collected only when you voluntarily provide it. None of it is required to use the service:

DataWhen CollectedPurpose
Sender emailIf you opt in to download notificationsSend you an email when your file is downloaded
Recipient email(s)If you share a link via our email featureDeliver the download link to your chosen recipients (up to 20)
Receive-link creator label & emailIf you create a receive linkDisplay your name on the upload page & notify you of uploads
Contact form name & emailIf you send us a message via the contact formReply to your inquiry
Abuse report emailIf you report a transfer and choose to provide your emailFollow up on your report if needed

We do not use any of this data for marketing, profiling, or analytics. Emails are sent via SendGrid (see Section 7) and are not stored beyond what is listed above. Recipient email addresses are used only for immediate delivery and are not persisted in our database.

4c. Security & Operations Logs

For abuse prevention, rate limiting, and security monitoring we log:

Log TypeData RecordedPurpose
Request logsIP address, user agent, HTTP method, path, status code, timestampRate limiting, abuse detection, debugging
Download logsBatch ID, IP address, user agent, timestampDownload counting, abuse detection
Abuse reportsBatch ID, reason, reporter IP, reporter email (optional)Investigate reported transfers

IP addresses are classified as personal data under GDPR. We process them under our legitimate interest (Article 6(1)(f)) to protect the service from abuse. Request and download logs are retained for a limited period and purged automatically.

5 Data Storage & Location

All encrypted file data is stored on Hetzner Object Storage (S3-compatible) in their Helsinki, Finland (hel1) data centre. Transfer metadata is stored in a PostgreSQL database hosted within the EU. Hetzner Online GmbH is a German hosting provider fully subject to EU data protection law.

  • Data centre: Helsinki, Finland 🇫🇮
  • Provider: Hetzner Online GmbH (Germany 🇩🇪)
  • All data stays within the EU/EEA
  • Only encrypted blobs are stored — useless without your key
  • No data is transferred to or processed outside the EU/EEA by us

6 Data Retention & Deletion

All transfers have a configurable expiry period chosen at upload time. Once a transfer expires, a background cleanup worker permanently deletes the encrypted file blob from Hetzner Object Storage and all associated metadata from the database. There is no way to recover a transfer after expiry.

Expiry OptionAvailability
1 day, 3 days, 7 daysFree & paid transfers
14 days, 30 daysPaid transfers only

You may also revoke a transfer at any time via the management link, which immediately disables downloads. Revoked transfers are still permanently deleted upon their original expiry date. Receive links follow the same expiry model.

7 Third-Party Processors

We use a limited number of third-party services to operate SecureEU Transfers. Each is listed below with its role and data access:

💳 Stripe, Inc. — Payment Processing

Payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor.

  • You are redirected to Stripe's secure checkout page.
  • We never see or store your card number, CVV, or billing details.
  • We only receive a confirmation that payment succeeded, along with a session ID.
  • All prices are displayed and charged in EUR (€).

Stripe may process data outside the EEA under their own GDPR-compliant data processing agreements. See Stripe's Privacy Policy.

📧 Twilio SendGrid — Email Delivery

Transactional emails (download notifications, shared links, receive-link alerts) are sent via Twilio SendGrid.

  • Emails are sent from noreply@secureeu.eu.
  • SendGrid receives only the recipient email address and the email body — no file data or encryption keys.
  • We do not use SendGrid for marketing, newsletters, or tracking.

Twilio, Inc. processes data under GDPR-compliant data processing agreements. See Twilio's Privacy Policy.

🏢 Hetzner Online GmbH — Infrastructure & Storage

Encrypted file blobs are stored on Hetzner Object Storage (Helsinki, Finland). Application servers and the PostgreSQL database are also hosted by Hetzner within the EU.

  • Hetzner has no access to your encryption keys or plaintext data.
  • All infrastructure is located within the EU/EEA.

See Hetzner's Privacy Policy.

8 Cookies & Tracking

🍪 We use almost no cookies.

SecureEU Transfers sets a single cookie to remember your language preference. We do not use any analytics, tracking, or third-party cookies. We do not use Google Analytics, Meta Pixel, Facebook SDK, or any other tracking service.

We use your browser's sessionStorage to temporarily hold the encryption key and management link during the upload flow. Session storage is not a cookie — it is never sent to our servers and is automatically cleared when you close your browser tab.

9 Your Rights Under GDPR

Under the General Data Protection Regulation (EU) 2016/679, you have the right to:

Access — Request a copy of any personal data we hold about you.
Rectification — Correct inaccurate data.
Erasure — Request deletion of your data.
Portability — Receive your data in a portable format.
Objection — Object to processing of your data.
Complaint — Lodge a complaint with your national supervisory authority.

In practice, because we do not require accounts or collect personal identifiers by default, there is very little personal data for us to provide, correct, or delete. If you provided an email address (e.g. for notifications), you may contact us to request its deletion. All transfer data (encrypted blobs and metadata) is automatically purged upon transfer expiry. The Danish supervisory authority is Datatilsynet (datatilsynet.dk).

10 Legal Basis for Processing

Processing ActivityLegal Basis (GDPR)
Storing transfer metadata & encrypted blobsArt. 6(1)(b) — Performance of a contract (providing the service you requested)
Sending notification emailsArt. 6(1)(b) — Performance of a contract (you requested the notification)
Processing payments via StripeArt. 6(1)(b) — Performance of a contract (fulfilling your paid transfer)
Request & download logging (IP, user agent)Art. 6(1)(f) — Legitimate interest (security, rate limiting, abuse prevention)
Language preference cookieArt. 6(1)(f) — Legitimate interest (functional, strictly necessary)

11 Disclaimer & Limitation of Liability

⚠️ Important — Please Read Carefully

SecureEU Transfers is provided "as is" and "as available", without any warranties of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

We are not responsible for any loss, damage, or liability whatsoever arising from:

  • Loss, corruption, or unavailability of uploaded files for any reason.
  • Loss of encryption keys — we do not possess them and cannot recover them under any circumstances.
  • Unauthorized access to shared download links (you are responsible for sharing links securely).
  • Service downtime, interruptions, or data loss due to infrastructure failures, maintenance, or force majeure events.
  • Any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or business opportunities.
  • Any misuse of the service by you or by third parties.
  • Failure to download files before the transfer expiry date.
  • Any reliance on the service as your sole or primary means of file storage or backup.
  • Actions taken by third-party processors (Stripe, SendGrid, Hetzner) under their own terms.

SecureEU Transfers is a temporary file-transfer tool, not a file-storage or backup service. Files are automatically and irreversibly deleted upon expiry. You are solely responsible for maintaining your own copies of any important files.

Our total aggregate liability for any and all claims related to the service shall not exceed the amount you actually paid for the specific transfer in question, or €10, whichever is less.

You use SecureEU Transfers entirely at your own risk. By using the service you acknowledge and accept this disclaimer in full.

12 Acceptable Use

You agree not to use SecureEU Transfers to upload, store, or distribute any content that is illegal, harmful, threatening, abusive, defamatory, or otherwise objectionable. While we cannot inspect the contents of encrypted files, we reserve the right to terminate access and delete data if we become aware of misuse. Users may report suspicious transfers via the abuse-report feature on the download page.

13 Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

14 Contact Us

If you have any questions about this privacy policy, wish to exercise your GDPR rights, or need to report a data protection concern, contact us at contact@benandliva.com.

We aim to respond to all data protection inquiries within 30 days, as required by GDPR.