Privacy Policy

Last updated: July 2026

1. Data Controller

The data controller responsible for your personal data within the meaning of Regulation (EU) 2016/679 (the "GDPR") and Act CXII of 2011 on Informational Self-Determination and Freedom of Information of Hungary (the "Info Act") is:

Daniel Zemen
Sole Entrepreneur
Hungary
Email: [email protected]

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at the email address above.

2. Introduction

ZettaSend ("we," "us," or "our") is a peer-to-peer (P2P) file transfer application that enables users to send and receive files directly between devices without intermediate cloud storage. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (zettasend.com), the ZettaSend desktop application, and related services (collectively, the "Services").

We are committed to complying with the GDPR, the Info Act, and all applicable EU and Hungarian data protection laws. Since our servers and infrastructure are located within the European Union, your data is not transferred to or processed in any third country outside the EU/EEA.

3. Peer-to-Peer Architecture

ZettaSend is designed with privacy at its core. The fundamental principle of our architecture is that file contents are never stored on, processed by, or accessible to our servers.

  • File transfers occur directly between the sender's and receiver's devices using end-to-end encryption (TLS 1.3 with mutual authentication).
  • Our signaling server only facilitates the initial peer discovery and connection establishment. It does not inspect, store, or relay file contents.
  • When direct P2P is not possible due to network restrictions (e.g., restrictive firewalls, NAT), transfers may be routed through a fallback relay server. The relay server forwards encrypted traffic only and cannot decrypt or access file contents.

4. Data We Collect

4.1 Account Data

When you register for a ZettaSend account, we collect:

  • Email address — used as your account identifier and for service-related communications (verification, password resets, billing notifications, security alerts).
  • Password — stored only as a cryptographic hash (Werkzeug security hashing). We cannot see your plain-text password.
  • Email verification status — whether you have verified ownership of your email address.
  • Two-factor authentication (2FA) settings — whether 2FA is enabled. If enabled, a one-time verification code is stored temporarily (expires after 10 minutes) for authentication purposes.
  • Account creation timestamp — the date and time your account was created.

4.2 Billing Data

When you subscribe to a paid plan, we process payment through Stripe, our payment service provider. We do not store your credit card or banking details. We retain the following data:

  • Stripe Customer ID — a reference identifier linking your account to your Stripe customer profile.
  • Stripe Subscription ID — identifies your active subscription.
  • Subscription status — current state (e.g., active, trialing, past_due, canceled).
  • Plan type — Solo or Team.
  • Seat count — for Team plans, the number of seats purchased.

4.3 Technical Data — IP Addresses

When you use ZettaSend, IP addresses are processed in the following contexts:

  • P2P Session IPs (stored only with audit logging) — during peer discovery, IP addresses are relayed between peers as part of the connection protocol. IP addresses are only persisted to our database when at least one peer in the transfer has audit logging enabled. In that case, the IP addresses of both the creator (sender) and the joiner (receiver) are stored as part of the session record. If an individual who is not a workspace member joins a transfer (e.g., an external collaborator) and audit logging is enabled, their IP address will also be stored. When audit logging is not enabled, IP addresses are not stored — they are used only transiently for connection establishment.
  • Rate limiting — your IP address is used in-memory for rate limiting and abuse prevention. This data is ephemeral and not permanently stored.
  • Server logs — standard web server access logs may include IP addresses, browser type, and access times. These are retained for security and operational purposes.

4.4 Audit Log Data

Audit logging is an opt-in feature that can be enabled by the workspace administrator. When enabled on a workspace, the following data is collected and stored for each file transfer event:

  • Envelope JSON — a structured data record containing: Transfer ID, Deterministic ID, Batch ID, Session ID, CSV hash, total bytes transferred, byte offset, file count, sender user ID, receiver user ID, sender workspace ID, receiver workspace ID, and transfer status.
  • Cryptographic signatures — ECDSA P-256 digital signatures from both the sender and receiver, verifying the authenticity of the transfer record.
  • Signature validity flags — whether each signature was successfully verified against the session's public keys.
  • Envelope SHA-256 hash — a cryptographic fingerprint of the envelope data for integrity verification.
  • Public keys — Ed25519/ECDSA P-256 public keys generated per session, used to verify signatures.
  • Uploader identity — the user ID of the person who submitted the audit record.
  • Timestamp — when the audit event was recorded by the server.

4.5 File Manifest Data (Cloud Storage)

When audit logging is enabled, a file manifest in CSV format is uploaded to and stored in Cloudflare R2 (EU data residency). This manifest contains:

  • File names — the names of the files included in the transfer.
  • File paths — the directory paths of the transferred files.
  • File sizes — the byte size of each file.

The file manifests do not contain file contents. Only metadata (names, paths, sizes) is stored. The actual file data is transferred directly between peers and never passes through or is stored on our infrastructure.

4.6 Workspace Data

For Team plan subscribers, we store workspace configuration including: workspace name, public display name, logo image (stored in Cloudflare R2), member email addresses, and workspace settings (internal-only mode, anonymous user blocking, audit logging status, mandatory 2FA, retention period).

4.7 Team Invitation Data

When a workspace admin invites a team member, the invitee's email address is stored along with a cryptographic hash of the invitation token until the invitation is accepted or canceled.

5. Legal Basis for Processing

We process your personal data under the following lawful bases as defined by GDPR Article 6:

  • Article 6(1)(b) — Performance of a contract: Processing your account data, billing data, and P2P session data is necessary to provide the Services you have subscribed to.
  • Article 6(1)(c) — Legal obligation: We retain certain billing records and audit logs to comply with applicable accounting and legal requirements.
  • Article 6(1)(f) — Legitimate interests: We process IP addresses and server logs for security, fraud prevention, and service stability. We process audit log data to provide the audit logging feature that workspace administrators have explicitly enabled for dispute resolution and compliance purposes.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Category Retention Period
Account data (email, password hash)Until account deletion
Billing data (Stripe references)Until subscription cancellation + legal retention period
API keysDeleted on logout; otherwise until account deletion
2FA OTP codes10 minutes from generation
P2P session data (IPs, public keys)90 days after the session has no remaining audit logs, or as long as referenced by audit logs
Audit logs (envelope, signatures, hashes)Configurable per workspace: 90 to 3,650 days (default: 90 days)
File manifests in R2 (CSV files)Deleted when the corresponding audit logs expire
Team invitation recordsUntil accepted, canceled, or expired
Server logsAs long as operationally necessary; routinely purged

7. Third-Party Processors

We use the following third-party services to operate ZettaSend. All processors are located within the EU, and no personal data is transferred to countries outside the EU/EEA:

  • Stripe — payment processing and subscription management. Processes your email address and billing details. Stripe's privacy policy is available at stripe.com/privacy.
  • Cloudflare — CDN, DNS, DDoS protection, and R2 object storage. Processes IP addresses (at the edge) and stores file manifests and workspace logos (in EU data residency).
  • Amazon Web Services (AWS SES) — email delivery service. Processes your email address and email content for the purpose of delivering transactional emails (verification, password resets, billing notifications, security alerts). AWS SES is configured in the EU (eu-central-1, Frankfurt) region.
  • Google Fonts — font delivery. Your browser may make a request to Google's servers, which could expose your IP address. We use the Google Fonts CSS API.
  • cdnjs (Cloudflare) — Font Awesome icon delivery. Your browser may make a request to cdnjs servers, which could expose your IP address.

For Team and Enterprise customers, a Data Processing Agreement (DPA) is available at zettasend.com/dpa.

8. Cookies

Our website uses only strictly necessary cookies required for the functioning of the Service. We do not use analytics, tracking, advertising, or third-party cookies.

  • Session cookie — maintains your authenticated session while logged in.
  • Remember-me cookie — enables persistent login across browser sessions when you select "Stay logged in."
  • CSRF token cookie — protects against Cross-Site Request Forgery attacks.

Under the ePrivacy Directive (Directive 2002/58/EC) and Hungarian implementing legislation, strictly necessary cookies do not require prior consent. They are essential for the Service to function and cannot be disabled.

9. International Data Transfers

All personal data is processed and stored within the European Union. Specifically:

  • Our web servers and PostgreSQL database are hosted in the EU.
  • Cloudflare R2 storage is configured with EU data residency.
  • AWS SES email delivery operates from the EU (Frankfurt) region.
  • Stripe processes payment data in accordance with its own data residency commitments.

We do not transfer personal data to any third country outside the EU/EEA. No Standard Contractual Clauses (SCCs) or other transfer mechanisms are required.

10. Your Rights Under GDPR

Under the GDPR and the Info Act, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You may request the deletion of your personal data. To exercise this right, please contact us at [email protected]. Note that certain data may need to be retained to comply with legal obligations.
  • Right to restriction of processing (Art. 18): You may request that we limit the processing of your data under certain conditions.
  • Right to data portability (Art. 20): You may receive your personal data in a structured, machine-readable format and transmit it to another service.
  • Right to object (Art. 21): You may object to the processing of your personal data that is based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint with a supervisory authority (Art. 77): You have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one (1) month, as required by GDPR Article 12(3).

Hungarian Data Protection Authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Website: naih.hu
Email: [email protected]

11. Data Breach Notification

In the event of a personal data breach, we commit to:

  • Notifying the NAIH within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
  • Notifying affected data subjects without undue delay if the breach is likely to result in a high risk to your rights and freedoms, in accordance with GDPR Article 34.

12. Children's Privacy

The Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected personal data from a child under 16, please contact us immediately at [email protected] so we can delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Services or by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Daniel Zemen
Sole Entrepreneur
Email: [email protected]