This page is maintained by FylSend to answer common privacy questions about the FylSend service. It is not a certification or legal guarantee.

Privacy Policy

Last updated: July 2026

What FylSend does

FylSend lets you upload files and share them through temporary, time-limited download links. You choose when the link expires and whether to add a password or download limit. Files are stored in AWS S3 and transfer metadata is stored in our backend database.

Data we store and process

Uploaded files (AWS S3)

Every file you upload is sent directly to an AWS S3 bucket using a time-limited, signed upload URL. The object is stored under a unique key in the transfers/ prefix. We do not read, scan, or modify the contents of your files. Files are served back to recipients through separate signed download URLs that expire shortly after creation.

Temporary URLs

Upload and download URLs are generated by our server and signed by AWS. They are valid only for a short window (minutes, not days) and are tied to a specific object key. Recipients never get open or permanent access to your bucket; they can only request a fresh signed URL through the FylSend service, subject to the transfer's password, expiration, and download limit checks.

Transfer metadata

We store a record for each transfer that includes: file names, file sizes, MIME types, S3 object keys, total transfer size, optional sender name and email, optional recipient email, optional message, optional password, expiration date, download limit, and a unique public link identifier. This metadata is required to generate links, enforce limits, and display the transfer page.

Download counting

Each time a recipient begins a download, we record an anonymous download event. We store the timestamp, the transfer ID, and the file ID(s) downloaded. This is used to enforce download limits, show activity logs, and remove transfers that have reached their limit. We do not store the recipient's IP address, browser fingerprint, or any other personal identifier with the download event.

Authentication data

If you sign in to manage transfers, we store a session identifier and user ID provided by the authentication service. We do not collect passwords. Signed-in users can only view and manage transfers they created.

How long we keep data

Default retention: every transfer is set to expire 7 days after creation unless you choose a shorter period. The 7-day default is enforced in the upload form and backed by an S3 bucket lifecycle rule that expires objects under the transfers/ prefix after 7 days.

Expired transfers: when a transfer reaches its expiration date, an automated cleanup job removes the S3 objects and deletes the database record. A separate daily reconciliation job also checks for any mismatches between the database and S3 and deletes orphaned or leftover data.

Manual deletion: you can delete an active transfer at any time from the transfers dashboard. Deletion removes the files from S3 and the transfer metadata from the database immediately.

Operational logs: we may retain short-term, anonymous server logs for error tracking and security monitoring. These logs do not contain file contents or personal data and are kept only as long as technically necessary for troubleshooting and security, then removed automatically.

Security

Files are uploaded and downloaded over HTTPS using AWS-signed URLs. You can add a password to a transfer, which is verified server-side before a download URL is issued. Row-level security in the database ensures that only the transfer owner can view or manage a transfer's metadata. We do not use advertising or third-party analytics cookies.

Subprocessors and integrations

We use AWS S3 for file storage and our backend cloud provider for metadata, authentication, and database services. These providers handle data according to their own terms and security practices. Files are never stored in plain, publicly accessible URLs; access is always gated by a signed URL generated by our server.

Your rights and choices

You can delete an active transfer at any time from the transfers dashboard. Deletion removes the file from storage and the transfer metadata from our database. For other privacy requests, contact us at the email below.

Contact us

If you have questions about this policy or want to exercise your privacy rights, please contact privacy@fylsend.com.

Back to FylSend