Privacy Policy
Last updated: May 27, 2026 · Effective: May 27, 2026
This Privacy Policy explains how Curious Objects (“LargeFileTransfer”, “we”, “us”) collects, uses, discloses, and protects personal data when you use the website at largefiletransfer.com, the related apps and APIs, and any associated services (the “Service”). It also explains the choices and rights you have.
For the purposes of the EU/UK General Data Protection Regulation (“GDPR”), we are the data controller for the personal data described here (other than files you upload, where we act as a data processoron your behalf as described in “User Content” below). For California residents, terms used below have the meanings given in the CCPA/CPRA. For users in India, this Policy is published under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
1. What we collect
1.1 Information you provide
- Account details: email address, name (if provided), password (stored hashed) or sign-in provider identifier, and account preferences.
- Transfer details: file names, sizes, MIME types, checksums, the recipient email addresses you enter (if any), the message you attach, the expiry you choose, and the share code we generate.
- User Content: the files themselves, processed as described in section 3.
- Billing: for paid plans, your billing name, address, last four digits and brand of payment card, invoice history, and tax identifiers. Full card details are collected and stored by our payment processor, not by us.
- Communications: messages you send to support, survey responses, and notice preferences.
1.2 Information collected automatically
- Usage data: pages viewed, features used, transfer and download events, error logs, and timestamps.
- Device & connection data: IP address, approximate location derived from IP (city/country level), browser type and version, operating system, device type, language, and referring URL.
- Cookies & similar technologies: see section 7.
1.3 Information from third parties
- Identity providers: if you sign in with Google or Apple, we receive your email address, name, and a stable user identifier from that provider.
- Payment processor: confirmation of payment and subscription status.
2. How we use personal data & legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service (creating transfers, generating share links, delivering downloads, sending recipient notifications you initiate) | Performance of a contract with you |
| Account creation, authentication, and account management | Performance of a contract |
| Billing, fraud prevention, and tax compliance | Contract; legal obligation |
| Service security, abuse prevention, debugging, capacity planning | Legitimate interests (in running a secure, reliable service) |
| Product analytics and improvement | Legitimate interests; consent where required (e.g. EEA/UK analytics cookies) |
| Sending service emails (security alerts, billing, policy changes) | Contract; legitimate interests |
| Sending marketing emails about LargeFileTransfer | Consent (with an unsubscribe link in every message) |
| Responding to legal requests, enforcing our terms, defending claims | Legal obligation; legitimate interests |
For users in India, we rely on your consentunder the DPDP Act for the purposes above, and on the “legitimate uses” permitted by the Act (such as compliance with law and enforcement of legal rights) where applicable.
3. User Content (files you upload)
Files you upload through the Service are stored on S3-compatible object storage provided by our cloud infrastructure partner. We process these files on your instructions: to host them, transmit them to the recipients you choose, generate previews where applicable, and delete them when the transfer expires or you delete it.
Retention. Files are automatically deleted at the end of the link expiry period you select (default 7 days; maximum as shown on the create-transfer screen). Residual copies may persist briefly in encrypted backups and operational logs before being purged on our standard rotation. We do not restore deleted transfers.
Access. Files are transmitted over TLS. Object storage uses provider-managed server-side encryption at rest. Access by our staff is restricted to a small number of personnel and only for operational, security, or legal-compliance reasons. We do not access the contents of your files to build advertising profiles or train machine-learning models, and we do not sell User Content.
Your responsibility. You are the controller of the personal data contained in files you upload. You must have a lawful basis to upload, share, and disclose that data and to provide it to recipients.
4. Sharing & disclosures
We share personal data only as described below. We do not sell personal data.
- Service providers (processors): cloud infrastructure, object storage, email delivery, payment processing, analytics, error monitoring, and customer support tools. They are bound by written contracts to use personal data only on our instructions and to protect it.
- Recipients you choose: anyone with the share link can download the transfer until it expires; recipients you email will receive notifications from us on your behalf.
- Legal & safety: to comply with law, valid legal process, or government requests; to enforce our Terms; to detect or prevent fraud, abuse, or security incidents; or to protect the rights, property, or safety of LargeFileTransfer, our users, or the public.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy protections.
- With your consent: for any other purpose disclosed to you at the time.
5. International transfers
Personal data may be processed in countries other than the one in which you live, including in the United States, the European Union, or India. Where we transfer personal data out of the EEA, UK, or other regions with cross-border transfer restrictions, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms. You may request a copy of the safeguards by contacting us.
6. Retention
We keep personal data only as long as necessary for the purposes set out in this Policy or as required by law.
- User Content (files): until the link expiry you chose, or until you delete the transfer, whichever is earlier.
- Transfer metadata (file names, sizes, recipients, download counts): kept for up to 12 months after the transfer expires for support, abuse prevention, and analytics, then deleted or aggregated.
- Account data: for the life of your account, plus a short period after closure for backup rotation and audit.
- Billing & tax records: for the period required by applicable tax and accounting law (typically 6–10 years).
- Logs: typically 30 to 180 days, longer if needed for a security investigation.
7. Cookies & analytics
We use first-party cookies and similar technologies that are strictly necessary to operate the Service (for authentication, security, and remembering your preferences). With your consent where required, we also use a limited set of analytics and product-improvement tools (for example, Microsoft Clarity) to understand how the Service is used and to fix problems. You can control cookies through your browser settings; blocking essential cookies will break parts of the Service.
8. Security
We use administrative, technical, and physical safeguards designed to protect personal data, including TLS in transit, encryption at rest for object storage, hashed passwords, scoped access controls, audit logs, and least-privilege production access. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. You are responsible for keeping your password and share links confidential.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users in accordance with applicable law.
9. Your rights
9.1 EEA, UK, and other GDPR-style regimes
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure of your data (“right to be forgotten”);
- request restriction of processing or object to processing;
- request portability of personal data you provided to us in a machine-readable format;
- withdraw any consent at any time, without affecting the lawfulness of prior processing;
- lodge a complaint with your local data-protection authority. We would appreciate the chance to address your concerns first. Please email us.
9.2 California (CCPA/CPRA)
California residents have the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; to request deletion or correction; to opt out of sale or sharing of personal information (we do not sell or share personal information as those terms are defined under the CCPA); to limit the use of sensitive personal information (we do not use sensitive personal information beyond purposes permitted without the right-to-limit); and to be free from discrimination for exercising these rights. To exercise rights, email hello@curiousobjects.dev. We may need to verify your identity before responding. You may designate an authorized agent to make a request on your behalf.
9.3 India (DPDP Act)
If you are in India, you have the right to access, correct, and erase your personal data, to nominate another person to exercise your rights in the event of death or incapacity, and to grievance redressal. To exercise these rights or raise a grievance, contact our Grievance Officer at hello@curiousobjects.dev (name and full contact details available on request). We will respond within the timeframes required by the DPDP Act.
9.4 How to exercise your rights
Email hello@curiousobjects.dev from the address associated with your account. Where your request concerns files uploaded by another user (where they are the controller), please contact them directly; we will assist them as their processor.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Automated decision-making
We do not use your personal data for solely-automated decision-making that produces legal or similarly significant effects on you. We do use automated systems to detect abuse, malware, and spam.
12. Third-party links
The Service may link to third-party sites. Their privacy practices are their own. Review their policies before sharing personal data with them.
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes we will notify you by email or by posting a notice in the Service before the change takes effect, and update the “Last updated” date above.
14. Contact us
Privacy questions, rights requests, grievances, or legal: hello@curiousobjects.dev
Postal: Curious Objects, Sharjah Media City, Sharjah, Dubai