Privacy Policy
Last updated: March 22, 2026
TeleportLink is built on a zero-knowledge architecture. We can't read your files, see your encryption keys, or recover lost links. This policy explains what we collect, why we collect it, and how we protect your privacy.
What We Collect
We collect only what's necessary to operate the service:
Account Information
- Email address (via Google OAuth only) - Used for account creation, authentication, and billing communication
- Google profile data (name, profile picture) - Displayed in your dashboard
- Account creation date - For record-keeping and billing cycles
We don't store passwords. Authentication is handled by Google OAuth.
Payment Information
- Razorpay customer ID - Links your account to payment records
- Subscription status (Free, Plus, Ultimate) - Determines plan limits
- Billing cycle dates - For subscription management
Card details are processed and stored by Razorpay (PCI-DSS compliant). We never see or store your full card number.
Transfer Metadata
- Transfer ID - Unique identifier for each file transfer
- File size - For quota enforcement and storage allocation
- Encrypted filename (optional) - Encrypted before upload, we cannot decrypt it
- Expiry time - When the transfer should auto-delete
- Open count - How many times the link has been accessed
- Max opens limit - For view-once or limited-access transfers
- Anonymous sender ID - A random identifier, not linked to your account (for free users)
We do NOT store file contents, decryption keys, or any data that would allow us to reconstruct the original file.
Rate Limiting Data
- IP address - Used with a short hash of the browser user-agent to form a rate-limit key
- Request counters - Sliding window counts per key (in application memory, or in optional Redis/Upstash if configured for multi-instance deployments)
We do not use rate-limit keys for marketing, profiling, or product analytics. Upstash/Redis keys expire automatically with the limit window.
Aggregate usage statistics
- Daily counters - We store coarse counts such as transfers started, finalized, claimed, and view-once completions
- Size bands - Counts may be grouped into broad file-size bands (for example under 1 MB, 1–10 MB); we do not store exact byte sizes in this analytics table
- Server health - We may increment counts of unhandled server failures by error class name only (for example TypeError); we do not store stack traces, error messages, or request URLs in this analytics table
These aggregates do not include transfer codes, filenames, account identifiers, or encryption keys. They cannot be used to see who sent what file. Older aggregate rows are deleted on a retention schedule (default: 730 days, configurable).
What We DON'T Collect
Our zero-knowledge architecture prevents us from collecting:
File Contents
Files are encrypted in your browser before upload. We only store encrypted fragments we cannot decrypt.
Encryption Keys
Decryption keys are embedded in the URL fragment (after #) and never sent to our servers.
Ad tech and cross-site tracking
No Google Analytics, Facebook Pixel, or ad networks. We do not build cross-site profiles or sell usage data.
Recipient Identity
We don't know who downloads files. Link access is anonymous unless the recipient creates an account.
File Metadata
No EXIF data, GPS coordinates, or file creation dates. We only see encrypted blobs.
Long-Term Logs
Server logs are ephemeral and don't contain identifying information beyond temporary rate-limit data.
Zero-Knowledge Model Explained
TeleportLink is designed so that we cannot access your data:
Client-Side Encryption
Your browser encrypts files using AES-GCM 256-bit encryption before they leave your device. The encryption happens in JavaScript using the Web Crypto API (native, audited, secure).
URL Fragment Security
The decryption key is stored in the URL hash (the part after #). Browsers never send this fragment to servers—not in HTTP headers, not in referrer logs, nowhere.
Server-Side Blindness
Our servers receive encrypted chunks with no context. We cannot decrypt them, preview them, scan them for content, or reassemble the original file without the key (which we never receive).
Permanent Deletion
When a transfer expires or is consumed, encrypted fragments are permanently deleted from storage. We cannot recover them—this is by design.
Third-Party Services
We use the following third-party services:
Google OAuth
Used for authentication. Google provides your email, name, and profile picture. See Google's Privacy Policy.
Razorpay
Processes payments for Plus and Ultimate plans. Razorpay stores your card details (we never see them). See Razorpay's Privacy Policy.
Cloudflare R2
Stores encrypted file fragments. Cloudflare cannot decrypt them (they don't have the keys). See Cloudflare's Privacy Policy.
Data Retention
Encrypted File Fragments
Retention: Until transfer expiry or consumption (whichever comes first)
Deletion: Automatic and permanent. Cannot be recovered.
Transfer Metadata
Retention: 90 days after transfer expiry (for debugging and billing disputes)
Deletion: Automatic. No file content is retained, only metadata (size, expiry, open count).
Account Data
Retention: Until you request account deletion
Deletion: Within 30 days of request. Email support@builtbysharan.com to delete your account.
Rate Limit Data
Retention: 1 hour
Deletion: Automatic. IP addresses are hashed and cleared after the rate-limit window expires.
Your Rights (GDPR/CCPA Compliant)
You have the following rights:
Right to Access
Request a copy of all data we store about you. Email support@builtbysharan.com with "Data Access Request" in the subject line.
Right to Delete
Request deletion of your account and all associated data. Deletion is permanent and completes within 30 days.
Right to Export
Export your transfer metadata (file sizes, expiry times, open counts) in JSON format. Available in your dashboard or by request.
Right to Rectification
Update your email address or profile information via your account settings.
Right to Object
Object to data processing. Note: This may limit or prevent use of the service.
Right to Portability
Receive your data in a machine-readable format (JSON) for transfer to another service.
To exercise any of these rights, email support@builtbysharan.com. We respond within 14 days.
Security Measures
- End-to-end encryption using AES-GCM 256-bit (industry standard)
- HTTPS-only connections (no plaintext transmission)
- Rate limiting to prevent abuse
- Automatic deletion of expired transfers
- No long-term storage of IP addresses
- Regular security audits (planned as we scale)
Children's Privacy
TeleportLink is not intended for users under 13 years old. We do not knowingly collect data from children. If we discover a user is under 13, we will delete their account immediately.
International Data Transfers
TeleportLink is operated from India. If you access the service from outside India, your data may be transferred to and processed in India. By using the service, you consent to this transfer.
Changes to This Policy
We may update this policy as the service evolves. Material changes will be announced via email (if you have an account) or a prominent notice on the website. Continued use of the service after changes constitutes acceptance.
Contact Us
Questions about this privacy policy? Email us at support@builtbysharan.com. We respond within 24-48 hours.
TeleportLink is built by Sharan Iyengar.