Privacy Policy
Last updated: January 16, 2026
Summary: We collect only the data necessary to provide our file transfer service. We don't sell your data, and we delete files automatically after expiration.
1. Introduction
engiCAD Transfer ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our file transfer service at transfer.engicad.io.
We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
engiCAD
Malta
Email: privacy@engicad.io
3. Information We Collect
3.1 Information You Provide
- Email addresses: Sender and recipient email addresses for transfer notifications
- Account information: Name, email, and password (hashed) if you create an account
- Files: Files you upload for transfer (stored temporarily)
- Messages: Optional messages included with transfers
3.2 Information Collected Automatically
- IP addresses: For security, rate limiting, and abuse prevention
- Browser information: User agent and basic browser details for compatibility and security
- Usage data: Transfer sizes, download counts, and timestamps
- Device identifiers: Anonymous identifiers for quota tracking (unregistered users)
4. How We Use Your Information
We use the collected information for:
- Service delivery: To facilitate file transfers and send notifications
- Security: To detect and prevent malware, abuse, and unauthorized access
- Quota management: To enforce fair usage limits
- Account management: To provide registered user features
- Legal compliance: To comply with applicable laws and regulations
5. Legal Basis for Processing (GDPR)
We process your personal data based on:
- Contract performance: To provide the file transfer service you requested
- Legitimate interests: For security, fraud prevention, and service improvement
- Consent: For optional features like email notifications (you can opt out)
- Legal obligation: To comply with applicable laws
6. Data Retention
- Transferred files: Automatically deleted after the expiration period (1-30 days, as selected)
- Transfer metadata: Retained for 90 days for support and abuse prevention
- Account data: Retained until you delete your account
- Security logs: Retained for 12 months
- Quarantined files: Malicious files are quarantined for 30 days for analysis, then deleted
7. Data Storage and Security
Your data is stored securely:
- File storage: Files are stored in Linode Object Storage (EU region) with encryption at rest
- Database: Hosted on secured servers in the EU
- Transmission: All data is transmitted over HTTPS with TLS encryption
- Access controls: Strict access controls limit who can access your data
- Malware scanning: All uploads are scanned for malware before acceptance
8. Data Sharing
We do not sell your personal data. We may share data with:
- Service providers: Cloud hosting (Linode) and email delivery services, under strict data processing agreements
- Legal requirements: When required by law, court order, or government request
- Safety: To protect against fraud, abuse, or threats to safety
9. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time (where applicable)
To exercise these rights, contact us at privacy@engicad.io.
10. Cookies
We use cookies for:
- Essential cookies: Session management, CSRF protection, authentication
- Functional cookies: Device identification for quota tracking
For more details, see our Cookie Policy.
11. International Transfers
Your data is primarily processed within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
12. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date.