Privacy Policy

1. Information Collection

Anonymous Uploads

When you use Stashr without an account, we collect only the minimal information necessary to operate the service:

• File data: The files you upload along with metadata such as file name, size, type, and upload timestamp
• Optional note: Only if you choose to add one to your upload
• Access preferences: Download limits and expiration settings you configure
• Sharing URL: A unique link generated for secure file distribution
• IP address: Retained for up to 30 days, used solely for rate limiting and abuse prevention

We never link your IP address to your uploads or build any kind of profile. No identity, no tracking.

Account Users

If you choose to create an account, we additionally store:

• Username: Used to login in to your account
• Password: Stored as a secure hash (we cannot see your actual password)
• Email: Optional, only if you provide it for password recovery
• Upload history: Links between your account and files uploaded while logged in

Stashr is built with privacy as a core principle. We want to be transparent: creating an account does require storing some personal information. However, account creation is entirely optional, it exists solely for users who want the convenience of a personal dashboard to manage their uploads, and who are comfortable providing limited data in return for that functionality. If privacy is your priority, we recommend using Stashr without an account. When you do, we know nothing about you, no identity, no email, no history.

Abuse Reports

When a file is reported through our report system, we collect the reporter's reason for reporting and optional contact information if provided. This data is used solely to investigate the reported content and take appropriate action. Report data is retained for as long as necessary to resolve the report and maintain records for legal compliance.

2. Client-Side Encryption

Stashr offers optional client-side encryption for your files. When you enable this feature:

• Your files are encrypted in your browser using AES-256-GCM before being uploaded
• The encryption password never leaves your device and is never transmitted to our servers
• We receive and store only encrypted data that we cannot decrypt
• We cannot recover encrypted files if you lose your password

3. How We Use Your Data

Your data serves three primary purposes within Stashr. First and foremost, we use it to operate the service itself—storing and delivering your files securely, enforcing the access controls you set, managing automatic file expiration, and generating secure sharing links. Every piece of data we collect directly supports these core functions.

Security and abuse prevention form our second priority. We actively monitor for malicious uploads, spam, and automated abuse attempts. When users report problematic content, we investigate and take appropriate action. This continuous monitoring helps maintain Stashr as a safe platform for legitimate file sharing while preventing misuse.

Finally, we analyze aggregated usage patterns to improve service performance and reliability. This helps us identify technical issues, optimize file transfer speeds, and develop new features that benefit all users. All analytics are conducted on anonymized, aggregated data to protect individual privacy.

4. Lawful Basis for Processing

We process your personal data on the following legal grounds:

• Contract performance: Processing necessary to provide the file sharing service you requested, including file storage, delivery, and access management
• Legitimate interest: Processing necessary for service security, abuse prevention, fraud detection, and service improvement, where these interests do not override your fundamental rights
• Legal obligation: Processing required to comply with applicable laws, such as responding to valid legal requests or reporting illegal content to authorities
• Consent: Where you have given explicit consent for specific processing activities, such as optional email collection for password recovery. You may withdraw consent at any time without affecting the lawfulness of prior processing

5. Data Storage & Security

Your files are stored on secure cloud infrastructure distributed across multiple data centers worldwide. We employ TLS/SSL encryption for all data transfers between your device and our servers, ensuring your files remain protected during upload and download. For files you choose to password-protect, we apply additional server-side protection. For files with client-side encryption enabled, the file content is encrypted before it ever reaches our servers.

Data retention follows your chosen settings:

• Files with expiration: Automatically deleted after your selected timeframe (1 hour to 30 days)
• Files set to "Keep forever": Stored indefinitely until manually deleted or terms violation
• Access Logs: Retained for 30 days, then automatically purged
• Account Data: Retained until you delete your account
• Metadata: Deleted simultaneously with associated files

6. Information Sharing

Information sharing at Stashr is limited to specific, legally necessary circumstances. We may disclose information when required by law, court order, or legal process. Valid requests from law enforcement agencies are carefully reviewed and fulfilled only to the extent legally required. In cases involving child exploitation material, we immediately report to NCMEC and appropriate authorities as mandated by law.

We work with trusted service providers who help operate Stashr's infrastructure, including hosting and content delivery network services. These partners are bound by strict confidentiality agreements and process data solely to provide their designated services. In emergency situations involving imminent harm or ongoing illegal activity, we may share necessary information with authorities to prevent such harm.

Important note on encrypted files: For files uploaded with client-side encryption, we can only provide the encrypted data in response to legal requests. Without your encryption password (which we never have), this data cannot be decrypted.

7. Your Rights & Control

You maintain complete control over your files throughout their lifecycle on Stashr. At any time, you can delete files you've uploaded, download them before expiration, or update their metadata and settings. When configuring uploads, you control critical privacy settings including password protection, client-side encryption, download limits, and expiration timeframes.

Rights under the GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you are entitled to specific rights under the General Data Protection Regulation (GDPR). You may at any time:

• Access: Request information about the data we hold associated with your usage
• Rectification: Correct any inaccurate metadata or account information
• Deletion: Delete your files at any time using file management tools, or delete your account along with all associated files and data
• Restriction: Request that we limit the processing of your data under certain circumstances
• Data portability: Request a copy of your data in a structured, commonly used format
• Objection: Object to the processing of your personal data where we rely on legitimate interest as our legal basis
• Complaint: Lodge a complaint with a data protection supervisory authority in your country of residence if you believe your rights have been violated

To exercise any of these rights, please contact us using the details provided in Section 13 below. We will respond to valid requests within 30 days.

Rights under the CCPA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You may request details about the categories and specific pieces of personal information we have collected about you
• Right to delete: You may request deletion of the personal information we have collected from you
• Right to opt-out: You have the right to opt out of the sale or sharing of your personal information. Stashr does not sell or share personal information for advertising purposes
• Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights

To submit a request under the CCPA, please contact us at privacy@stashr.wtf. We will verify your identity before processing your request and respond within 45 days.

8. Cookies & Tracking

Stashr uses cookies and similar technologies sparingly and only for essential purposes:

• Essential cookies: Enable core functionality like maintaining upload sessions and authentication states
• Security cookies: Assist in detecting and preventing abuse attempts
• Bot protection: We use Cloudflare Turnstile to verify that interactions come from real users. This may set cookies or collect limited technical data to distinguish humans from automated bots, without tracking individual users

We do not use third-party tracking cookies or analytics services that track individual users.

Do Not Track

Stashr honors Do Not Track (DNT) signals sent by your browser. Since we do not engage in cross-site tracking or serve targeted advertisements, our service operates in a privacy-respecting manner regardless of your DNT setting.

9. Third-Party Services

To deliver our service reliably and securely, Stashr relies on carefully selected third-party providers:

• Cloudflare: Provides CDN services, DDoS protection, and bot verification (Turnstile) for fast, reliable, and secure global access (Cloudflare Privacy Policy)
• Cloud Storage: Secure file storage with built-in redundancy and encryption

Each third-party service operates under its own privacy policy and security standards. We carefully vet all partners to ensure they meet high standards for data protection and security. If Stashr links to external websites, those sites operate independently under their own privacy policies, which we encourage you to review.

10. Additional Policies

Children's Privacy

Stashr is not designed for or directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take immediate steps to delete it from our systems.

International Data Transfers

As a global service, your data may be transferred to and processed in countries different from your own. We ensure appropriate safeguards are in place for international data transfers, maintaining the same high standards of protection regardless of where data is processed.

Account Inactivity

Stashr does not delete accounts or associated files due to inactivity. Your account and all files linked to it will remain available indefinitely until you choose to delete them yourself. The only exception is files uploaded with a temporary expiration period, which are automatically removed once the configured timeframe has passed.

Data Breach Response

In the unlikely event of a security breach affecting user data, we have comprehensive response procedures in place. We will promptly investigate the incident, take immediate steps to mitigate any harm, and notify affected users if required by applicable law. We will also report the incident to relevant authorities as legally mandated. Note that files uploaded with client-side encryption remain protected even in a breach scenario, as the encrypted data is unusable without user passwords.

11. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in our practices or legal requirements. When we make changes, we'll update the "Last Updated" date at the top of this page. For material changes, we may provide additional notice through the service. Your continued use of Stashr after policy updates constitutes acceptance of the revised terms.

12. Data Controller

The data controller responsible for your personal data is:

Stashr
Based in the Netherlands
Contact: privacy@stashr.wtf

As the data controller, Stashr determines the purposes and means of processing your personal data as described in this Privacy Policy. For questions regarding data processing or to exercise your rights under applicable privacy laws, please use the contact details above or visit our contact page.

13. Contact Us

We welcome questions and concerns about this Privacy Policy or our data protection practices. You can reach us through:

• Email: privacy@stashr.wtf
• Contact Form: Submit a request
• Report Abuse: abuse@stashr.wtf