Privacy Policy — How Transferify Handles Your Data | Transferify

Privacy Policy

Last updated: 5 July 2026

This Privacy Policy explains how EchoStream SRL ("Transferify", "we", "us" or "our") collects, uses, shares and protects personal data when you use the Transferify file-transfer service at transferify.ro and transferify.cloud (the "Service"). It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and applicable Romanian data-protection law.

For the purposes of the GDPR, the data controller is EchoStream SRL, a company registered in Romania under CUI RO46964705 and Trade Register no. J12/6242/05.10.2022, with its registered office at Str. Soporului nr. 8, bl. C, sc. 1, ap. 8, 400482 Cluj-Napoca, Romania. You can reach us about privacy at support@transferify.ro.

1. How Transferify works (and why it matters for your privacy)

Transferify lets you send files in two different ways, and each handles your data differently:

  • Instant peer-to-peer (P2P) transfers. Files stream directly from the sender's device to the recipient's device over WebRTC and are end-to-end encrypted. The file contents are never stored on our servers. Our servers only help the two devices find and connect to each other (signaling) and may relay the encrypted stream if a direct connection cannot be established; we do not retain the file contents.
  • Hosted transfers. Files are encrypted on your device (AES-256-GCM) and then uploaded to Amazon Web Services (AWS) S3 in the European Union (eu-central-1, Frankfurt). By default we hold the file's encryption key in escrow, wrapped by AWS Key Management Service (KMS), which means we are technically able to decrypt the file (for example to deliver it or comply with a lawful request). If you use the paid "Zero-Knowledge" mode, the file key is kept entirely off our servers and we cannot decrypt your files.

2. Personal data we collect

Depending on how you use the Service, we may collect:

  • Account and identity data — the email address associated with your sign-in, your Firebase user identifier (UID), and the sign-in provider you used (Google or Microsoft). You may also use the Service with an anonymous session, in which case we hold only a temporary Firebase UID.
  • Transfer and file metadata — information about your transfers such as file names, sizes and types, timestamps, chosen expiry, download limits, whether a transfer is password-protected, recipient email addresses you enter, and delivery status. For hosted transfers this also includes the wrapped encryption key (except in Zero-Knowledge mode). For P2P transfers we do not store the file contents.
  • Optional feature data — if you use them: contacts you save, share links you email, reminders, and settings for password protection, download limits and link expiry.
  • Payment data — if you subscribe to a paid plan, payment and subscription metadata (plan, billing status, subscription period, and identifiers) processed through Stripe. We do not collect or store your full card number; card details are handled directly by Stripe.
  • Technical, device and usage data — your IP address, browser and device type, operating system, and how you interact with the Service. This includes Firebase Analytics (Google Analytics 4) product-analytics data, which is only collected where you have consented (see Section 9, Cookies and analytics).

3. Why we use your data, and our legal bases

Under the GDPR we must have a legal basis for each use of your personal data. We rely on the following:

  • To provide the Service — creating your account, authenticating you, accepting uploads, delivering transfers, enforcing expiry, download limits and password protection, and managing your subscription. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • To keep the Service secure and working — preventing abuse and fraud, debugging, ensuring reliability, and understanding aggregate demand. Legal basis: our legitimate interests (GDPR Art. 6(1)(f)), balanced against your rights.
  • To take payment — processing subscription payments through Stripe. Legal basis: performance of a contract (GDPR Art. 6(1)(b)), and compliance with legal (e.g. tax/accounting) obligations where applicable.
  • Product analytics — measuring how the Service is used so we can improve it, via Firebase Analytics / Google Analytics 4. Legal basis: your consent (GDPR Art. 6(1)(a)). You can withdraw this consent at any time.
  • To communicate with you — sending share links and reminders you ask us to send, and service messages about your account or transfers. Legal basis: performance of a contract and/or our legitimate interests (GDPR Art. 6(1)(b) and Art. 6(1)(f)).

4. Who we share your data with

We do not sell your personal data. We share it only with the service providers (sub-processors) that help us run the Service, each acting under contract and only as needed:

  • Google (Firebase Authentication and Firebase Analytics / Google Analytics 4) — for sign-in and, where you consent, product analytics.
  • Amazon Web Services (AWS) — for hosted-file storage (S3, EU eu-central-1) and encryption-key management (KMS).
  • Stripe — for processing subscription payments.

We may also disclose personal data where required by law, to respond to lawful requests from public authorities, or to protect our rights, users and the Service. A current list of sub-processors can be provided on request at support@transferify.ro.

5. International data transfers

Hosted files are stored in the EU (AWS Frankfurt, eu-central-1). However, some of our sub-processors — in particular Google and Stripe — may process certain data (such as authentication, analytics or payment metadata) outside the European Economic Area, including in the United States. Where a processor processes personal data outside the EEA, that transfer is covered by the European Commission's Standard Contractual Clauses (SCCs), together with any applicable adequacy decision.

6. How long we keep your data (retention)

  • Hosted files automatically expire and are deleted according to the expiry the sender chooses (and any download limit that is reached first). After expiry, the encrypted file is removed from S3.
  • P2P transfers are not stored: file contents exist only during the live transfer.
  • Account data is retained while your account remains active and for a reasonable period afterwards, to the extent needed to meet our legal and accounting obligations. If you delete your account, we delete or anonymize your personal data, except where we must keep certain records to meet those legal obligations (for example, payment and invoicing records).
  • Server logs are kept only for the short term, for security, abuse prevention and troubleshooting, and transfer metadata and analytics are retained only as long as needed for the purposes described above.

7. Your rights

Subject to the conditions and exceptions in the GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data ("right to be forgotten").
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — where we rely on consent (such as analytics), withdraw it at any time, without affecting processing already carried out.

To exercise any of these rights, contact us at support@transferify.ro. You also have the right to lodge a complaint with a supervisory authority. In Romania this is the National Supervisory Authority for Personal Data Processing (ANSPDCP). The governing law and jurisdiction for this Service is Romania / European Union.

8. How we protect your data (security)

We use technical and organizational measures designed to protect your data, including:

  • Encryption in transit for connections to and within the Service.
  • Client-side encryption of file contents (AES-256-GCM) before hosted uploads, with keys managed via AWS KMS.
  • End-to-end encryption for peer-to-peer transfers, so file contents are not exposed to our servers.
  • Encryption at rest for hosted files stored in AWS S3.
  • Zero-Knowledge mode (paid), where the file key never reaches our servers and we cannot decrypt your files.

No method of transmission or storage is completely secure, so while we work to protect your data we cannot guarantee absolute security.

9. Cookies and analytics

We use a small number of essential cookies and similar technologies to run the Service, and — only with your consent — Firebase Analytics / Google Analytics 4 for product analytics. For details of what we use and how to control it, please see our separate Cookie Policy, which you can open from the same legal menu as this Privacy Policy.

10. Children

The Service is not directed at children under the age of 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us at support@transferify.ro and we will take appropriate steps to delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service. We encourage you to review this page periodically.

12. How to contact us

For any questions about this policy or your personal data, contact EchoStream SRL at support@transferify.ro, or by writing to our registered office at Str. Soporului nr. 8, bl. C, sc. 1, ap. 8, 400482 Cluj-Napoca, Romania.