← Back to Zippit

Privacy Policy

Last updated: December 24, 2025

1. Introduction

Zippit ("we", "our", or "the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our file transfer service.

2. Information We Collect

Account Information

When you sign in using OAuth providers (Google or GitHub), we receive and store:

  • Your email address
  • Your display name
  • Your profile picture URL
  • A unique identifier from the authentication provider

Device Information

To enable secure file transfers between your devices, we collect:

  • Device fingerprint (a hash derived from browser characteristics)
  • User agent string (browser and operating system information)
  • Device type (mobile, tablet, or desktop)
  • Last login timestamp

Session Information

For security and analytics purposes, we track:

  • Session timestamps (start, last activity, end)
  • Approximate location (country, city) derived from IP address
  • Platform and browser information
  • Authentication provider used

File Information

When you upload files, we process:

  • File name and size
  • File type (MIME type)
  • Upload and download timestamps
  • Transfer direction (phone to desktop or vice versa)

Important: We do not access, scan, or analyze the contents of your files. Files are encrypted in transit and automatically deleted after 24 hours.

3. How We Use Your Information

We use the collected information to:

  • Authenticate your identity and secure your account
  • Enable file transfers between your registered devices
  • Provide QR code pairing functionality
  • Improve service performance and reliability
  • Detect and prevent abuse, fraud, and security threats
  • Generate aggregated analytics (not personally identifiable)
  • Comply with legal obligations

4. Third-Party Services

We use the following third-party services to operate Zippit:

Auth0 (Authentication)

Auth0 handles user authentication. When you sign in, Auth0 processes your login credentials and returns your profile information to us. Auth0's privacy policy governs their handling of your data during the authentication process.

Cloudflare R2 (File Storage)

Your uploaded files are temporarily stored on Cloudflare R2. Files are automatically deleted after 24 hours. Cloudflare's privacy policy applies to their infrastructure services.

Neon (Database)

Account and session data is stored in a Neon PostgreSQL database. Neon's privacy policy governs their data handling practices.

5. Data Retention

  • Files: Automatically deleted 24 hours after upload
  • QR Tokens: Expire after 10 minutes
  • Session Data: Sessions expire after 30 days of inactivity
  • Analytics: Aggregated daily metrics retained for service improvement
  • Account Data: Retained until you request deletion

6. Cookies and Local Storage

We use cookies and local storage for:

  • Authentication: Secure, HTTP-only session cookies to keep you logged in
  • Preferences: Remembering your last used login provider and theme preference
  • Security: Device fingerprinting to verify your devices

We do not use third-party tracking cookies or advertising cookies.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS encryption for all data in transit
  • Secure, HTTP-only cookies with SameSite protection
  • Bcrypt hashing for QR token secrets
  • Presigned URLs for secure file uploads/downloads
  • Regular security audits and monitoring

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and associated data
  • Portability: Request your data in a portable format
  • Objection: Object to certain processing of your data

To exercise these rights, please contact us using the information provided below.

9. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share data only in the following circumstances:

  • With service providers necessary to operate the Service (as listed above)
  • To comply with legal obligations or valid legal process
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (with notice)

10. Children's Privacy

Zippit is not intended for users under the age of 13. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 13, we will take steps to delete it promptly.

11. International Data Transfers

Your data may be processed and stored in countries other than your own. By using the Service, you consent to the transfer of your information to these countries, which may have different data protection laws than your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or sending you an email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us through the appropriate channels provided on our website.

View Terms of Service →