Effective date: April 9, 2026
At Sendbl, we are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use and protect it, who we share it with, and what rights you have in relation to your personal data. This policy applies to all users of the Sendbl file exchange API, website, and related services (collectively, the "Service").
1.1. The data controller responsible for your personal data is Sendbl, operated by Anton Efremov. For contact details, see Section 11 below.
2.1. We collect and process the following categories of information:
| Data Type | Details |
|---|---|
| Account information | When you sign in via Google OAuth, we receive your name, email address, and Google user identifier. This information is used to create and manage your Sendbl account. |
| API keys | When you register for an API key, we store a one-way cryptographic hash of the key. We do not retain the raw API key after it is displayed to you at the time of registration. |
| Files and content | When you or a third party uploads files through the Service, those files are stored temporarily in encrypted cloud storage. We do not access the content of your files. |
| Upload link metadata | Information you provide when creating an upload link, such as purpose, message, and recipient details. |
| Payment information | If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number or payment credentials on our servers. We receive and store only your Stripe customer identifier and subscription status. |
| Data Type | Details |
|---|---|
| Server logs | Our servers automatically record request metadata including IP address, request path, HTTP method, response status code, and timestamp. These logs are used for operational monitoring, security, and troubleshooting. |
| File metadata | We store technical metadata about uploaded files, including filename, file size, MIME type, checksum, and upload timestamp. |
| Usage data | We track API usage metrics such as request counts, upload link creation counts, and storage consumption. This data is used for rate limiting and tier enforcement. |
3.1. We process your information for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service, including file storage, transmission, and link management | Performance of contract |
| Authenticating users and validating API requests | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Enforcing rate limits, usage quotas, and preventing abuse | Legitimate interest |
| Monitoring service health, diagnosing technical issues, and improving reliability | Legitimate interest |
| Ensuring the security of the Service and investigating potential violations | Legitimate interest |
| Complying with legal obligations, court orders, or regulatory requirements | Legal obligation |
3.2. We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not use your files or personal data to train machine learning or artificial intelligence models.
4.1. We may share your information with the following categories of recipients, solely for the purposes described in this policy:
5.1. All files are stored in AWS S3 with AES-256 server-side encryption at rest. All data in transit is protected using TLS (HTTPS) encryption.
5.2. Access to files requires time-limited presigned URLs or valid authentication tokens. API key hashes are stored using industry-standard one-way cryptographic hashing.
5.3. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
6.1. We retain your information only for as long as necessary to fulfil the purposes described in this policy or as required by law.
| Data Type | Retention Period |
|---|---|
| Uploaded files | Automatically and permanently deleted upon upload link expiration (default: 72 hours; maximum determined by service tier) |
| Upload link metadata | Deleted upon link expiration |
| File metadata | Deleted upon link expiration |
| API key hashes | Retained until the key expires or is revoked |
| Account information | Retained for the duration of your account; deleted upon account deletion request |
| Server logs | 30 days |
| Usage and rate-limiting data | Automatically expired via TTL (time-to-live) |
7.1. The Service is hosted on AWS infrastructure located in the United States (us-east-1 region). If you are accessing the Service from outside the United States, your data may be transferred to and processed in the United States.
7.2. Where we transfer personal data outside your jurisdiction, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws.
8.1. Depending on your jurisdiction, you may have the following rights regarding your personal data:
8.2. To exercise any of these rights, please contact us using the details in Section 11. We will respond to your request within the timeframe required by applicable law.
8.3. If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection supervisory authority.
9.1. The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.
10.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will update the effective date at the top of this page.
10.2. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any modification constitutes your acceptance of the revised policy.
11.1. If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us: