Privacy Policy

Last updated: December 17, 2025

Information We Collect

File Data: We store files you upload for sharing purposes. Free files are automatically deleted after 7-90 days depending on the upload type. Pro users can have permanent storage.

Technical Data: We collect basic technical information like IP addresses for security and abuse prevention.

Account Data: If you create a Pro account, we collect your email address for authentication and service delivery.

No Personal Data for Free Users: Free users do not need to provide personal information like names, emails, or phone numbers.

How We Use Information

File Storage: Uploaded files are stored securely to enable sharing and downloading.

Security: IP addresses are used for rate limiting, abuse prevention, and security monitoring.

Service Operation: Technical data helps us maintain and improve our service.

Communications: If you have an account, we may send service-related emails (e.g., magic link authentication).

Data Retention

Free Files: Files uploaded without an account are automatically deleted after 7-90 days.

Pro Storage: Pro users have permanent storage that persists until the files are manually deleted or the account is terminated.

Security Logs: Basic security logs may be retained for up to 30 days for abuse prevention and legal compliance.

Account Data: Account information is retained until you request deletion.

Data Security & Encryption

We implement multiple layers of security to protect your files. For complete details, see our Security page.

Encryption in Transit

  • TLS 1.3: All data transferred between your device and our servers is encrypted using TLS 1.3
  • HTTPS Enforced: All connections use HTTPS with HTTP Strict Transport Security (HSTS)
  • Perfect Forward Secrecy: Ensures past communications cannot be decrypted if long-term keys are later compromised

Encryption at Rest

  • AES-256 Encryption: All stored files are encrypted using AES-256 on our infrastructure (Supabase/AWS S3)
  • Server-Side Encryption: Encryption is automatic and handled by our storage infrastructure
  • Geographic Redundancy: Data is stored redundantly across multiple data centers for durability

Client-Side Encryption (Pro Feature)

  • Zero-Knowledge Option: Pro users can enable client-side encryption where files are encrypted in your browser before upload
  • AES-256-GCM: Client-side encryption uses AES-256-GCM with keys derived from your password using PBKDF2
  • Key Never Transmitted: Your encryption key is derived locally and never sent to our servers
  • Unrecoverable: If you forget your client-side encryption password, we cannot recover your files

Password Security

  • Bcrypt Hashing: All passwords are hashed using bcrypt with 10 salt rounds
  • No Plaintext Storage: Passwords are never stored in plaintext
  • Rate-Limited Attempts: Password verification is rate-limited to prevent brute force attacks

Access Security

  • Cryptographic Tokens: Share links use cryptographically secure random tokens (generated with crypto.randomBytes)
  • Signed URLs: Download URLs are time-limited and signed to prevent tampering
  • Row Level Security: Database access is controlled by Row Level Security (RLS) policies

⚠️ Important Transparency Note

Without client-side encryption: While all data is encrypted in transit (TLS) and at rest (AES-256), Foldr.Space and our infrastructure providers (Supabase/AWS) technically have the ability to access stored files. This is similar to most cloud storage providers (Dropbox, Google Drive, etc.).

For truly sensitive data: We recommend enabling client-side encryption (Pro feature) or encrypting your files locally before uploading. With client-side encryption enabled, we have zero knowledge of your file contents.

File Scanning & Validation

For security purposes, we validate uploaded files:

  • Magic Byte Analysis: We verify file types by analyzing file signatures to prevent extension spoofing
  • Extension Verification: Files with mismatched extensions (e.g., .exe renamed to .jpg) are blocked
  • Malware Patterns: Files are scanned for known malicious patterns (crypto miners, obfuscated code)
  • No Content Reading: We do not read, analyze, or mine the actual content of your files

Third-Party Services

Supabase: We use Supabase for secure file storage and database services. Supabase uses AWS infrastructure with SOC 2 Type II certification.

Vercel: Our website is hosted on Vercel for fast, reliable service with edge caching.

Stripe: Payment processing is handled by Stripe. We never store your full credit card information.

See our Security page for more details on infrastructure security.

Google AdSense and Advertising

Third-Party Advertising: We use Google AdSense to display advertisements on our website. When you visit our site, Google and its partners may use cookies, web beacons, and similar technologies to collect information about your visit to this site and other sites in order to provide relevant advertisements about goods and services that may be of interest to you.

Data Collected by Google: Google and its advertising partners may collect and use the following types of information:

  • Cookies and similar technologies to identify your browser or device
  • Your IP address and approximate geographic location
  • Information about the websites you visit before and after ours
  • The ads you view, click on, or interact with on our site
  • Your device type, browser type, and operating system
  • The time and date of your visit to our site

Purpose of Data Collection: This information is used to:

  • Serve personalized advertisements based on your interests and browsing behavior
  • Limit the number of times you see the same advertisement
  • Measure the effectiveness of advertising campaigns
  • Understand user engagement with advertisements
  • Improve ad relevance and quality
  • Provide aggregate reporting to advertisers

Your Privacy Choices: You have control over advertising cookies and personalized ads:

  • Opt out of personalized advertising: Visit Google Ad Settings to manage your ad personalization preferences and opt out of personalized ads from Google.
  • Opt out of Google Analytics: Install the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics.
  • Industry opt-out tools: Visit Your Ad Choices or the European Interactive Digital Advertising Alliance to opt out of interest-based advertising from participating companies.
  • Browser settings: You can configure your browser to reject cookies or to alert you when cookies are being sent. However, some features of our service may not function properly without cookies.

Data Retention by Google: Google retains advertising data according to their data retention policies. The retention period varies by data type. You can learn more at Google's Privacy Policy.

How Google Uses Data: For detailed information about how Google uses data when you use our partners' sites or apps, please visit: How Google uses information from sites or apps that use our services.

Cookies and Tracking

Essential Cookies: We use essential cookies for session management and security.

Advertising Cookies: Third parties, including Google, may place and read cookies on your browser or use web beacons to collect information as a result of ad serving on our website.

Analytics: We use analytics services to understand how our service is used and to improve user experience.

Your Choices: You can control cookie settings through your browser preferences. You can also opt out of personalized advertising by visiting Google Ad Settings.

How Google Uses Data: For information about how Google uses data when you use our site, please visit How Google uses data when you use our partners' sites or apps.

Advertising and Personalization

Ad Personalization: We and our advertising partners may use information about your visits to this and other websites to provide relevant advertisements.

Interest-Based Advertising: You may see advertisements that are customized based on your interests. These ads are served by third-party advertising networks.

Opt-Out Options: You can opt out of interest-based advertising by visiting the Digital Advertising Alliance opt-out page or the European Interactive Digital Advertising Alliance for European users.

Your Rights

File Control: You control your uploaded files and can share the links as you choose.

Data Minimization: We keep your data minimal - only what's necessary for file sharing and security.

Data Deletion: Free files are automatically deleted after 7-90 days. Pro users can delete files at any time.

Account Deletion: Pro users can request complete account deletion by contacting us.

Data Export: Pro users can download all their files at any time.

Mobile App Privacy

Secure Local Storage: Our mobile app stores authentication tokens using platform-native secure storage:

  • iOS: Keychain Services with hardware-backed encryption
  • Android: EncryptedSharedPreferences using Android Keystore

No Background Data Collection: Our app does not collect data in the background or access device features beyond what's necessary for file uploads.

Contact Us

If you have questions about this Privacy Policy or our security practices, please contact us at:

Email: hello@foldr.space

For security-related inquiries, please include "Security" in the subject line.
