Privacy Policy
Last updated: 2026-07-08
YAFL runs no analytics, no ads, and no tracking scripts. This page explains, in plain language, the small amount of data the service needs to run and who touches it.
1. Controller
YAFL is operated by Marcus Horndt. For any privacy question, correction, deletion, or complaint, contact:
Controller contact: [email protected]
2. What we process
To run an account and a file transfer, we store:
- Your account email and an Argon2id hash of your password, never the password itself.
- API key hashes (SHA-256) so a key can be looked up and revoked, plus a short public prefix shown in your dashboard.
- Transfer metadata: file size, created/expiry timestamps, and status (uploading, complete, expired).
File contents and filenames are end-to-end encrypted on your device before upload. We store only ciphertext, and only for up to 24 hours, on Cloudflare R2, and we cannot read either.
3. Waitlist and early access
Joining the waitlist uses double opt-in: we send a confirmation email with a magic link, and your address is only added once you click it. Outbound mail for this step is sent through All-inkl SMTP, our email processor.
4. Cloudflare as a processor
YAFL runs behind Cloudflare for DNS, reverse-proxy protection, and object storage (R2, where encrypted transfer ciphertext lives). Cloudflare also provides Turnstile, a bot check shown on signup and login.
Turnstile can collect your IP address and behavioral, timing, and device signals to distinguish humans from bots. Its purpose is bot mitigation for account security, on the legal basis of legitimate interest (Art. 6(1)(f) GDPR). Cloudflare is a US-headquartered processor; where data leaves the EU, the transfer relies on the EU-US Data Privacy Framework (DPF) adequacy decision.
6. Log data
Our nginx access logs and pino application logs record ordinary request metadata: path, status code, and
timing. Share links carry their decryption key in the URL's #fragment, which browsers never
send to any server, so full links with keys are never written to any log.
7. Your rights
Under GDPR you can ask us for access to your data, rectification of anything inaccurate, erasure of your account, or portability, a copy of your data in a common, portable format. You can also lodge a complaint with your local data protection authority. Reach us at [email protected] for any of these.
8. Retention
Transfer ciphertext and its metadata are deleted after 24 hours; there is no way to extend this. Account data is kept until you ask us to delete it.
9. Changes to this policy
If this policy changes, we will update the "Last updated" date above. Meaningful changes will also be announced through the waitlist channel where practical.