Privacy Policy

At Quickupload ("we," "us," or "our"), operated by Quickupload Limited, we are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your personal information when you visit our website at quickupload.io and use our file sharing and transfer services (collectively, the "Service").

We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), the California Consumer Privacy Act (CCPA) for residents of California, USA, and the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong where our company is based. This policy also addresses Google AdSense advertising practices in compliance with applicable data protection laws.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please discontinue using our Service.

We collect information that you provide directly to us, as well as information collected automatically when you use our Service. Below is a detailed breakdown of all data types we collect:

Note: Download logs contain a SHA-256 hash of the recipient's IP address (not the raw IP), timestamp, and user-agent string. Raw IP addresses are never stored in download logs beyond transient processing.

Payment Data: We never handle, process, or store credit card numbers. All payment card data is processed exclusively by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We receive only limited payment confirmation data (transaction ID, amount, currency, status) from Stripe via webhook callbacks.

We use the information we collect for the following purposes:

• Service Provision: To create and manage your account, process file uploads and downloads, generate secure share links, and deliver core Service functionality.
• Security & Fraud Prevention: To detect, prevent, and respond to security threats, unauthorized access attempts, spam, abuse, and fraudulent activity across our platform.
• Communication: To send you transactional notifications (upload confirmations, download alerts, expiration warnings), account-related messages, and — only if you have opted in — promotional communications about new features or offers.
• Analytics & Improvement: To analyze usage patterns, understand which features are most valuable, identify bugs and performance issues, and make data-driven decisions about product development and user experience improvements.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including tax record-keeping obligations.
• Advertising: We display advertisements through Google AdSense. AdSense may use cookies and similar technologies to serve relevant ads based on your browsing activity. You can manage ad personalization through your Google Ads Settings. We do not share your personal information with advertisers directly.

We use cookies, web beacons, and similar tracking technologies to enhance your experience, maintain session state, and gather anonymized usage data. Below is a complete list of cookies and tracking technologies used by our Service:

Managing Cookies: You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. However, doing so may require you to re-enter your preferences on each visit and may impair certain functionality of our Service. For instructions specific to your browser, consult your browser's help documentation.

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our specific retention periods are:

• Active Account Data: Indefinitely while your account remains active. This includes your email, display name, password hash, upload metadata, and communication preferences. Data is retained until you explicitly close your account.
• Deleted Accounts: Upon account deletion, your personal data is soft-deleted immediately (rendering it inaccessible). Hard purging occurs within 30 days of deletion, at which point data is cryptographically shredded and irrecoverable.
• Expired Files: Files that reach their configured expiration date are automatically deleted within 7 days. Associated metadata is purged within an additional 14 days.
• Download Logs: Retained for 90 days for abuse investigation, bandwidth auditing, and security forensics. After 90 days, logs are automatically purged.
• Analytics Data: Aggregated and anonymized usage data retained for 13 months in alignment with Google Analytics' default data retention policy. Individual-level identifiers are anonymized after 26 months maximum.
• Payment Records: Transaction records (receipts, invoice data, subscription history) are retained for 7 years to satisfy Hong Kong Inland Revenue Department (IRD) tax record-keeping requirements under the Inland Revenue Ordinance (Cap. 112).
• Legal Holds: If we are involved in a legal proceeding, investigation, or regulatory inquiry, we may retain data longer than the periods above until the matter is fully resolved.

We engage trusted third-party service providers to help us operate, maintain, and improve our Service. These providers have access to personal information only to perform tasks on our behalf and are contractually prohibited from using it for other purposes. We never sell your personal information to third parties.

Quickupload is operated by Quickupload Limited, a company incorporated and based in Hong Kong SAR. Our primary application hosting is provided by Vercel, Inc. in the United States, and our CDN infrastructure is provided by Cloudflare, Inc. with edge nodes distributed globally.

This means that your personal data may be transferred to, stored, and processed in:

• Hong Kong SAR — Company headquarters and legal domicile
• United States of America — Primary cloud hosting (Vercel)
• Multiple jurisdictions globally — CDN edge locations (Cloudflare)

Safeguards for International Transfers:

• We rely on the European Commission's Standard Contractual Clauses (SCCs) — Module Two (controller-to-controller) and Module Three (controller-to-processor) — for transfers of personal data from the EEA to the United States and other non-adequate jurisdictions.
• Vercel and Cloudflare both maintain GDPR-compliant Data Processing Addendas (DPAs) incorporating SCCs.
• The EU-U.S. Data Privacy Framework adequacy decision (July 2023) provides an additional legal basis for transfers to certified U.S. service providers.
• All data transferred internationally is protected by AES-256-GCM encryption in transit (TLS 1.3) and at rest.

Hong Kong PDPO Compliance: As a Hong Kong-based data user, we comply with the Personal Data (Privacy) Ordinance (Cap. 486), including Data Protection Principle 1 (purpose and manner of collection), Principle 2 (accuracy and duration), Principle 3 (use), Principle 4 (security), Principle 5 (information openness), and Principle 6 (access and correction).

We employ defense-in-depth security architecture to protect your data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• AES-256-GCM End-to-End Encryption (E2EE): All uploaded files are encrypted client-side before transmission using AES-256-GCM authenticated encryption. File decryption keys are derived from your account credentials using PBKDF2 with 600,000 iterations, ensuring that even we cannot read your uploaded files.
• TLS 1.3: All data in transit is protected by Transport Layer Security version 1.3 with strong cipher suites. HSTS (HTTP Strict Transport Security) is enforced with a max-age of 365 days including preload.
• Password Hashing: User passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords. Passwords are validated server-side only; hashes are never exposed to client-side code.
• PBKDF2 Key Derivation: File encryption keys are derived from user credentials using PBKDF2-HMAC-SHA256 with 600,000 iterations and a cryptographically random salt per file.
• Access Logging: All authentication events, file access operations, and administrative actions are logged with tamper-evident audit trails. Logs are rotated and encrypted at rest.
• Encrypted Backups: Automated daily backups are encrypted at rest and stored in geographically separate regions. Backup keys are managed via hardware security modules (HSMs).
• Penetration Testing: We conduct annual third-party penetration testing and vulnerability assessments. Critical findings are remediated within 72 hours; high-severity findings within 14 days.
• Infrastructure Security: Our hosting provider (Vercel) maintains SOC 2 Type II certification. Cloudflare provides always-on DDoS protection and Web Application Firewall (WAF) rules.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

If you are located in the European Economic Area (EEA), you have certain rights under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) regarding your personal data. These rights include:

• Right of Access (Article 15): You have the right to obtain confirmation from us as to whether we process your personal data and, where we do, access to that data and supplementary information about the processing.
• Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed.
• Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request that we erase your personal data without undue delay, subject to certain exceptions (e.g., legal obligations, legitimate interests).
• Right to Restriction of Processing (Article 18): You have the right to restrict our processing of your personal data in certain circumstances, such as contesting the accuracy of the data or objecting to processing.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller without hindrance.
• Right to Object (Article 21): You have the right to object at any time to processing of your personal data based on legitimate interests or for direct marketing purposes.

The California Consumer Privacy Act of 2018 ("CCPA") gives California residents specific rights regarding their personal information. If you are a California resident, you have the following rights:

• Right to Know (CCPA §1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources from which it was collected, the business purpose for collecting or selling it, and the categories of third parties with whom it was shared.
• Right to Delete (CCPA §1798.105): You have the right to request that we delete any personal information we collected from you, subject to certain exceptions (security, fraud detection, legal compliance, contract performance).
• Right to Opt-Out of Sale (CCPA §1798.120): You have the right to direct us not to "sell" your personal information. We do not sell personal information. Since we do not engage in the sale of personal information as defined by the CCPA, there is no opt-out mechanism required. However, if this changes in the future, we will provide clear notice and a "Do Not Sell My Personal Information" link in the footer of our website.
• Non-Discrimination (CCPA §1798.125): We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide you with a different level of quality, or suggest that you will receive a different price or quality of goods/services.

Quickupload is a general-purpose file transfer service and is not directed to children under the age of 16 (or the lower age of digital consent in your jurisdiction, such as 13 in some countries, 14 in the UK, Italy, and Spain).

We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without verified parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at privacy@quickupload.io. If we verify that a child's personal information was collected without consent, we will take reasonable steps to delete it from our systems.

COPPA Compliance: Although our service is not directed at children under 13, we are committed to complying with the Children's Online Privacy Protection Act (COPPA) to the extent applicable. We do not use our Service to knowingly collect personally identifiable information from children under 13.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. We will notify you of material changes by:

• Posting the updated policy on this page with a revised "Last updated" date
• Sending an email notification to registered users at least 30 days before substantive changes take effect
• Displaying a prominent banner on the Service upon your next visit after a material update

We encourage you to review this Privacy Policy periodically.

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact our Data Protection Officer: