Privacy Policy
Effective date: 2026-02-14
Overview
FileChute ("we," "us," or "our") is a document collection platform for professionals. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data.
This policy applies to all users of FileChute, including account holders who create file requests ("Requesters") and individuals who upload documents in response ("Recipients").
Information we collect
Account data
- Email address, full name, and business name
- Job title, department, and work phone (if provided)
- Organization membership and role
- Authentication credentials (hashed; we never store plaintext passwords)
Request and upload data
- File request metadata: titles, descriptions, checklist items, recipient email addresses, due dates, and client names
- Uploaded files and associated metadata: file name, file size, content type, and upload timestamps
- Recipient notes submitted during the upload process
Billing data
- Stripe customer and subscription identifiers
- We do not store credit card numbers, bank account details, or other payment instruments — these are handled entirely by Stripe
Automatically collected data
- IP addresses for rate limiting and abuse prevention
- Product analytics events (e.g., request created, file uploaded) to improve the service
- Browser type and device information transmitted with standard HTTP requests
How we use your information
- Service delivery: to create file requests, process uploads, send notifications, and provide the dashboard experience
- Transactional email: upload notifications, reminder emails, onboarding messages, and expiration warnings
- Billing: to manage subscriptions, process payments, and enforce plan limits
- Security and abuse prevention: to enforce rate limits, detect unauthorized access, and maintain service integrity
- Product improvement: to analyze usage patterns in aggregate and improve features
We do not sell your personal data. We do not use uploaded files for advertising, training, or any purpose other than delivering them to the intended Requester.
Service providers (sub-processors)
We share data with the following third-party providers solely for service operation. Each provider processes data under contractual obligations to protect it.
| Provider | Purpose | Data processed |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, request metadata, uploaded files |
| Stripe | Billing and subscription management | Email, customer ID, payment details |
| Resend | Transactional email delivery | Email addresses, email content |
| Vercel | Application hosting and edge delivery | HTTP request metadata, IP addresses |
Data retention
- Active requests: file requests and uploaded files are retained while the request is active. Requests auto-expire and close after 90 days of inactivity, with a 15-day warning email before closure.
- Closed requests: metadata for closed requests (titles, checklist labels, timestamps) is retained for account history. Uploaded files associated with closed requests may be purged after an additional 90 days.
- Account data: retained for the lifetime of your account. Upon account deletion, we remove your profile, request metadata, and uploaded files within 30 days.
- Billing records: retained as required by applicable tax and financial regulations (typically 7 years for transaction records).
- Security logs: IP-based rate-limiting data is stored in memory and not persisted. Product analytics events are retained for up to 24 months.
Your rights
All users
- Access: you may request a copy of the personal data we hold about you.
- Correction: you may update your account information at any time through Settings.
- Deletion: you may request deletion of your account and all associated data by emailing us. We will process deletion requests within 30 days.
- Data portability: you may request an export of your data in a machine-readable format.
European Economic Area (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation:
- Legal basis: we process your data based on contractual necessity (to provide the service you signed up for), legitimate interest (security, abuse prevention, product improvement), and consent (where applicable, e.g., marketing communications).
- Right to object: you may object to processing based on legitimate interest.
- Right to restrict processing: you may request that we limit how we use your data while a dispute is resolved.
- Supervisory authority: you have the right to lodge a complaint with your local data protection authority.
California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know: you may request details about the categories and specific pieces of personal information we have collected.
- Right to delete: you may request deletion of personal information we have collected from you.
- Right to opt out of sale: we do not sell personal information. No opt-out is necessary.
- Non-discrimination: we will not discriminate against you for exercising your privacy rights.
Data security
We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), row-level database isolation, signed time-limited URLs for file access, and rate limiting on sensitive endpoints. For full details, see our Security documentation.
International data transfers
FileChute’s infrastructure providers may process data in the United States and other jurisdictions. Where data is transferred outside your jurisdiction, we rely on our providers’ contractual safeguards (including Standard Contractual Clauses where applicable) to ensure adequate protection.
Children’s privacy
FileChute is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the service before the changes take effect. Your continued use of FileChute after the effective date constitutes acceptance of the updated policy.
Contact
For privacy questions, data requests, or to exercise any of the rights described above, contact us at privacy@filechute.com. We aim to respond to all requests within 30 days.