Privacy policy

Last updated 2026-06-11

file-tool is a digital-delivery and update-notification layer for independent sellers. We hold as little personal data as possible to do that job, store it in the EU, and never sell it.

This page tells you exactly what we collect, why, who else touches it, how long we keep it, and how to get it deleted. If anything here is unclear, write to us at privacy@file-tool.example.

What we collect

We collect two distinct sets of data, with different lawful bases:

From sellers (people who sign in to manage products)

  • Email address, used to sign you in (magic link) and to send transactional messages about your account.
  • Shop name and optional shop avatar URL, displayed on the public access pages for your products so buyers see your branding.
  • Product metadata: name, description, version history, changelog notes, file metadata (filename, size, mime type) or link URL.
  • Aggregate counts (e.g. how many buyers have opted in) tied to your account.

Lawful basis: contract (we can't provide the service without these).

From buyers (people who open an access link)

  • A cookie identifier (random token) so we recognise you on return visits without making you sign in.
  • Best-effort download counters per access link (not tied to identity if you haven't opted in).
  • Optional email address, only if you tick the opt-in box on the access page. We use it solely to email you when the seller publishes a new version of that one product. We don't use it for anything else and we don't share it.

Lawful basis: legitimate interest for the cookie + counters (running the delivery service); consent for the email opt-in (separate, unticked, timestamped).

What we do NOT collect

  • Buyer names, postal addresses, or phone numbers.
  • Payment information. Purchases happen on Etsy.
  • Tracking pixels in emails or pages.
  • Cross-site advertising identifiers.

Why we collect it

Sellers' data lets you sign in, manage your products, and get paid (eventually, billing isn't live yet). Buyers' optional email is the only mechanism we have to fulfil the core promise: your purchase includes lifetime access to the latest version. Without a way to reach you, we can't tell you a new version exists.

Sub-processors

We use a small set of vetted EU-region services to run the platform. Each has a Data Processing Agreement covering GDPR-style obligations. We don't use any sub-processor that doesn't offer one.

| Service | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting (compute, edge, logs) | EU (functions pinned to fra1 Frankfurt) | View |
| Neon | Postgres database | EU (eu-central-1 Frankfurt) | View |
| Cloudflare R2 | Encrypted file storage | EU (jurisdictional restriction) | View |
| Upstash | Rate limiting (Redis) and notification queue (QStash) | EU | View |
| Resend | Transactional email (account verification, opt-in confirmation, update notifications) | EU (Frankfurt) | View |
| Sentry | Error monitoring | EU residency | View |

Where your data lives

Everything sits in EU regions. Postgres in Frankfurt. Object storage in Cloudflare R2 with the EU jurisdictional restriction flag set. Application functions pinned to Frankfurt. Rate-limit and queue infrastructure in the EU. Error monitoring with EU residency.

Any future region addition will appear here before it goes live.

How long we keep it

  • Seller accounts: kept for the life of your account. If you stop using us, your access page links continue serving the last published file for at least 12 months (see terms) so buyers don't lose what they paid for. After that, we contact you before any deletion.
  • Buyer email opt-ins: kept until you unsubscribe (one click, link in every email). On unsubscribe we mark you opted-out immediately; we don't delete the row outright so re-opt-in works without state collisions, but you stop receiving anything from us.
  • Anonymous buyer cookie rows: kept for the life of the product. They contain no identifier you didn't volunteer.
  • Logs and error reports: 30 days at the sub-processor (Vercel, Sentry). Buyer emails are redacted from logs where possible.

Unsubscribe + your rights

Every update email contains a one-click unsubscribe link. Clicking it stops further emails immediately. No account, no login, no friction.

Under UK GDPR / EU GDPR you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing. Email privacy@file-tool.example and we'll respond within 30 days. For buyer email deletion specifically, name the seller's shop and the product you opted in to so we can find your row.

Children

The service is not directed at children under 16. If you believe we hold data about a child, please tell us at privacy@file-tool.example and we'll remove it.

Changes to this policy

If we materially change how we handle your data we'll update this page and the “Last updated” date. Material changes that affect existing opt-ins (e.g. adding a sub-processor that touches buyer emails) will be emailed to opted-in buyers before they take effect.