1. Introduction

At Files App GmbH ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our file hosting service ("Service"). We are committed to transparency and to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This policy applies to all users of Files App, including visitors to our website, free account holders, and paid subscribers. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We collect the minimum amount of data necessary to provide and improve our Service:

Account Data: When you create an account, we collect your name, email address, and hashed password. If you subscribe to a paid plan, we also collect billing information (processed by our payment provider, Stripe).

Usage Data: We collect basic usage information including login timestamps, features used, storage consumption, and general interaction patterns. This data helps us improve the Service and diagnose technical issues.

Device Data: We collect limited device information such as browser type, operating system, and IP address. IP addresses are used for security purposes (detecting unauthorized access) and are not used for tracking or profiling.

Important: We do NOT collect, access, or analyze the contents of your files. Files are encrypted client-side before upload using your encryption key, which we never see. Our zero-knowledge architecture means we cannot read your files even if compelled to by law enforcement.

3. How We Use Your Data

We use the data we collect for the following purposes:

• Service delivery: To create and manage your account, process payments, and provide our file storage features.
• Security: To detect and prevent unauthorized access, fraud, and abuse of the Service.
• Communication: To send you important service updates, security alerts, and (with your consent) product announcements. You can opt out of non-essential communications at any time.
• Improvement: To analyze aggregate usage patterns and improve our Service. We do not build individual user profiles for this purpose.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

4. Data Storage and Security

All data is stored on servers located in Frankfurt, Germany, operated by certified data center providers (ISO 27001 compliant). We implement multiple layers of security:

• Encryption at rest: All data stored on our servers is encrypted using AES-256 encryption.
• Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3.
• Zero-knowledge architecture: File contents are encrypted client-side before upload. We do not store or have access to your encryption keys.
• Access controls: Access to our infrastructure is restricted to authorized personnel using multi-factor authentication and audit logging.
• Regular audits: We conduct regular internal and external security audits and penetration tests.

5. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We do not share your data for advertising purposes.

We may share limited data with the following parties, under strict data processing agreements:

• Payment processor (Stripe): To process subscription payments. Stripe's privacy policy governs their handling of your payment data.
• Email delivery service: To send transactional emails (account verification, password resets). We share only your email address for this purpose.
• Law enforcement: We may disclose account metadata (not file contents, which we cannot access) in response to valid legal orders from German or EU courts. We will notify you of such requests unless legally prohibited from doing so.

6. Cookies

We use a minimal number of cookies, limited to those strictly necessary for the operation of our Service:

Cookie Name	Purpose	Duration
session_id	Maintains your login session	Session (expires on browser close)
preferences	Stores your display preferences (theme, language)	1 year
csrf_token	Protects against cross-site request forgery	Session

We do not use analytics cookies, tracking cookies, or any third-party cookies. We do not use Google Analytics or similar tracking services. Your browsing behavior on our site is not tracked or profiled.

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

• Right of access: You can request a copy of all personal data we hold about you.
• Right to rectification: You can request correction of inaccurate or incomplete personal data.
• Right to erasure: You can request deletion of your personal data ("right to be forgotten").
• Right to data portability: You can request your data in a structured, machine-readable format.
• Right to restriction: You can request that we limit how we process your data.
• Right to object: You can object to our processing of your data for specific purposes.

To exercise any of these rights, email us at privacy@files-app.com. We will respond to your request within 30 days, free of charge. If your request is complex, we may extend this period by an additional 60 days, and we will inform you of any such extension.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

8. Data Retention

We retain your data only for as long as necessary to provide the Service and fulfill the purposes described in this policy:

• Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery.
• Files: Deleted immediately and permanently upon your request. Files in trash are automatically purged after 30 days.
• Backups: Encrypted backups containing account metadata are purged within 90 days of account deletion. File contents are not included in backups due to our zero-knowledge architecture.
• Usage logs: Anonymized after 90 days. IP addresses are removed after 30 days.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has created an account, we will take steps to delete the account and associated data promptly.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@files-app.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email at least 30 days before they take effect.

We encourage you to review this policy periodically. The date of the most recent revision is indicated at the top of this page.

11. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable regulations.

You can contact our DPO at:

Email: dpo@files-app.com
Address: Files App GmbH, Attn: Data Protection Officer, Friedrichstraße 123, 10117 Berlin, Germany

12. Contact

For any privacy-related questions or concerns, please contact us:

Files App GmbH
Friedrichstraße 123
10117 Berlin, Germany

Email: privacy@files-app.com
Phone: +49 30 1234 5678