Privacy Policy

The data controller for personal data processed through SendSafe is:

We collect the following categories of personal data:

• Account data — email address, display name, account creation date.
• Authentication data — hashed password (local accounts); OAuth provider ID (SSO accounts); MFA method and passkey names.
• Usage data — files you upload (metadata: name, size, type); file-request links you create; download counts.
• Access logs — IP addresses and timestamps of login attempts (successful and failed) and file downloads, retained for 90 days.
• Consent record — the date, time and IP address at which you accepted this policy at registration.

We process personal data for the following purposes:

• Providing the service — to authenticate you, store and deliver your files, and send file-request links. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
• Security and fraud prevention — to detect and block brute-force login attempts and unauthorised access. Legal basis: legitimate interests (GDPR Art. 6(1)(f)).
• Legal compliance — to maintain audit logs as required by applicable security regulations (ISO 27001, NIS2). Legal basis: legal obligation (GDPR Art. 6(1)(c)).

• Account and file data — retained until you delete your account or an administrator removes it.
• Uploaded files — deleted automatically when the expiry date is reached, when the maximum download count is hit, or when you delete them manually.
• Login and download logs — pruned after 90 days by the scheduled cleanup job.
• Audit log — retained for 90 days.

We do not sell or share your personal data with third parties for marketing purposes.

Your data is stored on servers operated by !!PLACEHOLDER — hosting provider name and country!!. If this is outside the EU/EEA, transfers are covered by !!PLACEHOLDER — safeguard, e.g. Standard Contractual Clauses!!.

We may disclose personal data if required to do so by law or in response to a valid legal request.

SendSafe uses a single session cookie (name: PHPSESSID) to keep you logged in. This cookie is strictly necessary for the service to function; no consent banner is required. No third-party analytics or advertising cookies are used.

Under the GDPR you have the right to:

• Access — request a copy of the data we hold about you.
• Portability — download your data in a machine-readable format (available directly from Privacy & Data).
• Erasure — delete your account and all associated data (available directly from Privacy & Data).
• Rectification — ask us to correct inaccurate data.
• Restriction — ask us to stop processing your data in certain circumstances.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at durakovic.m@trusted-id.eu. We will respond within 30 days.

You also have the right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your local EU data protection authority).

Our DPO can be contacted at durakovic.m@trusted-id.eu.

We may update this policy from time to time. Material changes will be communicated via a notice on the login page. The "Last updated" date at the top of this page always reflects the most recent revision.