Privacy Policy

Effective date: 5 May 2026

What we collect

• Uploaded files you submit through the upload page or via WebRTC. Stored encrypted at rest in object storage.
• IP address and User-Agent of every request that creates, uploads to, views, or downloads a transfer.
• Standard server logs (timestamps, URL paths, response codes) generated by the reverse proxy.
• Essential cookies needed for the service to function (session and CSRF protection).
• Cookies set by Google AdSense, our advertising partner, when you have consented to advertising. See the Cookies section below.

How long we keep it

• Uploaded files and transfer records: deleted automatically 15 minutes after the transfer is created. Deletion is enforced by an automatic process running every five minutes.
• Access logs (IP + user agent + URL): retained for 30 days, then deleted.
• Reverse-proxy access logs: rotated and discarded by the operating system on the same window.

Cookies and advertising

We use two categories of cookies:

• Essential cookies. A session cookie and a CSRF cookie set by our application. These are required for the site to work and do not track you across other sites. Set the moment you load any page; expire when you close your browser (session) or after one year (CSRF). You cannot opt out of essential cookies; without them the upload flow will not function.
• Analytics cookies. We use Google Analytics on our public marketing pages (home, terms, privacy, abuse) to understand how people find the site. Google Analytics sets cookies including _ga and _ga_<container> that let it distinguish unique visitors and recognize returning ones. We do not load Google Analytics on transfer URLs (the pages where you upload or print a document), so the contents of your transfers and the transfer codes themselves are never sent to Google.
• Advertising cookies. We use Google AdSense to show ads, which helps keep the service free. AdSense and its partners may set cookies (including the __gads, __gpi, and DoubleClick IDE cookies) to remember your ad preferences and measure ad performance. In regions that require it (the European Economic Area, United Kingdom, Switzerland, and any US state with a comparable law) we ask for your consent before any advertising cookie is set. Outside those regions you may still opt out at any time using the controls described below.

How to control cookies:

• You can change your consent at any time by clicking Cookie settings in the page footer.
• Google offers a personal-ad-settings dashboard at myadcenter.google.com.
• You can opt out of personalized ads industry-wide at aboutads.info/choices and youronlinechoices.eu.
• Most browsers let you refuse cookies entirely; the site will still function but session features will not persist.

Google AdSense is operated by Google LLC. Their use of advertising cookies is governed by Google's privacy policy at policies.google.com/privacy and Google's advertising policies at policies.google.com/technologies/ads. Under Google's terms we are required to inform you of these uses; we do not control the cookies Google sets, only whether AdSense loads.

Who we share it with

• Cloud infrastructure providers we use to operate the service: currently Hetzner Cloud (compute) and Cloudflare (DNS, edge, R2 object storage, TURN signalling).
• Google as our analytics and advertising partner via Google Analytics and Google AdSense. The data Google's tags receive is limited to what your browser sends (IP, user agent, the page URL, any consented cookies). Google Analytics is loaded only on our public marketing pages, never on transfer URLs, so your uploaded files, transfer codes, and admin credentials are never sent to Google.
• Law enforcement when required by valid legal process or when we have a good-faith belief disclosure is necessary to prevent imminent harm. CSAM is reported to the National Center for Missing & Exploited Children (NCMEC) as required by 18 U.S.C. §2258A.
• We do not sell, rent, or trade personal data.

Your rights

Because the service is anonymous and ephemeral, we have no account that maps back to you and no long-term records to provide. For specific requests (deletion, access), email abuse@xprinty.com with the transfer code. Note that after 15 minutes there is nothing left to delete.

Security

TLS 1.3 in transit. Files at rest in encrypted object storage (Cloudflare R2). 64-bit unguessable transfer IDs act as bearer tokens. Daily encrypted backups of metadata, retained for 14 days; uploaded files themselves are not backed up so the 15-minute deletion is final.

Children

The Service is not directed to children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect information from children. If you believe a minor has used the Service, contact us at abuse@xprinty.com and we will cooperate as required by law.

International transfers

Our infrastructure providers may operate in jurisdictions outside your country of residence. By using the Service you consent to the transfer of information across borders to the extent necessary to operate it.

Changes

We may update this policy. The current version is always at this URL. Material changes will be reflected in the effective date above.

Contact

Privacy questions or data-subject requests: abuse@xprinty.com.