Privacy Policy

Last updated: May 2, 2026

This Privacy Policy explains what information FileTransferFree (“we”, “us”, “the service”) collects, how we use it, and the choices you have when you visit www.filetransferfree.com or use the file-transfer application.

1. Who we are (data controller)

FileTransferFree is operated as an independent project. The operator can be reached at [email protected] for any privacy request. The service is operated from the United States (California). This Privacy Policy is governed by the laws of the State of California to the extent permitted, and by other applicable laws where you reside.

2. The files you transfer

File bytes are sent directly between your browser and the receiving browser over an encrypted WebRTC data channel. The file contents are never uploaded to, stored on, scanned by, or logged by our infrastructure. Transfers do not pass through any cloud relay we operate.

3. Signaling (how two browsers find each other)

To pair two browsers we run a small “signaling” server at signal.filetransferfree.com on Cloudflare Workers. This server only relays the WebRTC handshake messages (SDP offers/answers and ICE candidates). It briefly sees:

• your IP address (handled by Cloudflare for security and routing);
• a randomly generated 6-character room code;
• a randomly generated peer ID;
• opaque WebRTC handshake blobs.

The signaling server does not see your file contents, filenames, sizes, mime types, nicknames, chat messages, or anything else from inside the transfer. We do not write request logs of signaling traffic. Cloudflare may retain edge logs (IP, timestamp, request line) for a short period for security and abuse-prevention purposes; see the Cloudflare Privacy Policy .

4. STUN servers

To negotiate a direct path between two browsers, your browser contacts free public STUN servers (currently provided by Google and Twilio). STUN tells your browser its public IP. We do not operate these servers and they do not see file contents.

5. Information we collect on the website

The marketing pages (Home, About, FAQ, Privacy, Terms, etc.) are static HTML served by a CDN (Cloudflare Pages). The CDN may automatically collect standard request information — IP address, user agent, referrer, requested URL, timestamp — for security and abuse prevention. We do not run our own analytics. We do not sell visitor data. We do not attempt to identify visitors.

6. Cookies and local storage

FileTransferFree itself does not set any first-party tracking cookies. We use browser localStorage on your device to remember a few user preferences entirely on your machine (these never leave your browser):

• fft_nick – the nickname you optionally choose;
• fft_recent – the last few room codes you connected to (for convenience);
• fft_pin – an optional PIN you set to gate incoming connections;
• fft_cookie_consent – whether you accepted or declined the cookie banner.

You can clear these at any time in your browser settings. If we display Google AdSense advertising on the marketing pages, Google and its partners may set advertising cookies on your device subject to your consent (see Section 7).

7. Advertising & Google AdSense

The marketing pages may display advertisements served by Google AdSense and other third-party ad vendors. These vendors may use cookies, web beacons, and similar technologies to:

• serve ads based on your prior visits to this and other websites;
• measure the effectiveness of advertising campaigns;
• limit the number of times you see a particular ad.

Google’s use of advertising cookies enables it and its partners to serve ads based on your visit to FileTransferFree and/or other sites on the internet. You may opt out of personalised advertising by visiting Google Ads Settings or, for EU/EEA/UK visitors, the Your Online Choices portal. You may also opt out of a third-party vendor’s use of cookies for personalised advertising by visiting www.aboutads.info.

8. Third-party services we use

• Cloudflare — CDN, static hosting (Cloudflare Pages), and the signaling Worker. See the Cloudflare Privacy Policy.
• Google Fonts — loads the Inter typeface. See the Google Privacy Policy.
• Public STUN servers — Google STUN (stun.l.google.com) and Twilio STUN (global.stun.twilio.com) help your browser discover its public IP for WebRTC connections.
• Google AdSense (where shown) — advertising on marketing pages only. See the Google Ads policy.

9. Data retention

Because we do not store your files, peer IDs, room codes, chat messages, or any data you enter into the application, there is nothing to retain on the application side. Edge request logs maintained by our CDN/host (Cloudflare) follow Cloudflare’s retention policy.

10. Children’s privacy

FileTransferFree is not directed to children under 13 (or under 16 in jurisdictions that require a higher age of consent). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact [email protected] and we will take appropriate action.

11. Your rights (GDPR — EEA/UK users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to:

• access the personal data we hold about you;
• request rectification or erasure;
• request restriction of, or object to, processing;
• data portability;
• withdraw consent at any time, where processing is based on consent;
• lodge a complaint with your local data-protection authority.

Because we do not maintain user accounts and do not store personal data from the file-transfer flow, in most cases there is nothing for us to access, correct, or delete. For requests related to advertising cookies set by third-party providers (such as Google AdSense), please use the consent mechanisms described in Section 7. For all other requests, contact [email protected].

12. Your rights (CCPA / CPRA — California users)

California residents have the right to know what personal information we collect, the right to delete personal information we have collected, and the right to non-discrimination for exercising these rights. We do not sell personal information and we do not share it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). To exercise any rights, email [email protected] with the subject line “CCPA Request”.

13. International data transfers

Our hosting provider (Cloudflare) operates a global network. Data may be processed in countries other than your own, including the United States. Cloudflare provides safeguards for international transfers as described in its privacy policy.

14. Security

File transfers are encrypted end-to-end by your browser with DTLS, a mandatory part of the WebRTC specification. The marketing site is served over HTTPS. We follow reasonable security practices, but no service can guarantee absolute security.

15. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date at the top of this page. Your continued use of the service after changes become effective constitutes acceptance of the revised Policy.

16. Contact

For any privacy-related question or to exercise any right described above, please email [email protected] or use our contact page.