Your privacy isn't just a policy—it's built into our architecture. RocketShare uses zero-knowledge encryption, which means we technically cannot access your files. This policy explains what data we collect, how we use it, and your rights.
Effective Date: February 11, 2026
Data Controller: Raidflux V.O.F., trading as RocketShare — Breda, Netherlands (KVK: 86873520)
The short version
Before diving into the details, here's what matters most:
- Your files are encrypted on YOUR device before upload using AES-256-GCM
- Encryption keys never reach our servers—they're embedded in the share link
- We cannot read, access, or decrypt your files—even if legally compelled
- We do not sell your data to advertisers or data brokers. Ever.
- Your files auto-delete after the expiration you set (up to 90 days depending on plan)
1. Our Zero-Knowledge Architecture
RocketShare is built on zero-knowledge encryption. This means:
What happens when you upload:
- Your browser generates a random encryption key
- Your files are encrypted locally using AES-256-GCM
- Only the encrypted data is uploaded to our servers
- The encryption key is embedded in the share link's URL fragment (the part after #)
Why this matters:
- URL fragments are never sent to servers—this is how browsers work
- We only ever receive and store encrypted blobs
- There is no master key, no backdoor, no way for us to decrypt
- Even under court order, we cannot produce your unencrypted files
What we CAN see: File sizes, upload timestamps, expiration dates, download counts, IP addresses
What we CANNOT see: File contents, file names, encryption keys
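The upload flow described in this section, as an added example that is not RocketShare's own code. It uses the standard WebCrypto API. The origin share.example, the IV-prefixed blob layout, the base64url key encoding and all function names are assumptions made for illustration.

```javascript
// Added illustration, not RocketShare code. Origin, blob layout (IV || ciphertext+tag),
// key encoding (base64url) and all function names are assumptions.
async function getWebCrypto() {
  // Browsers and current Node expose WebCrypto globally; older Node via node:crypto.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4)),
  (ch) => ch.charCodeAt(0));

async function encryptForShare(plainBytes, uploadId) {
  const wc = await getWebCrypto();
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per encryption
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plainBytes));
  const blob = new Uint8Array(iv.length + ct.length); // this is all that gets uploaded
  blob.set(iv);
  blob.set(ct, iv.length);
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return { blob, link: `https://share.example/d/${uploadId}#${b64u(rawKey)}` };
}

async function decryptFromShare(link, blob) {
  const wc = await getWebCrypto();
  const rawKey = unb64u(new URL(link).hash.slice(1)); // key is read client-side only
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new Uint8Array(pt);
}

// The URL as it appears in an HTTP request (and as it should appear in any telemetry).
function withoutFragment(link) {
  const u = new URL(link);
  u.hash = '';
  return u.toString();
}

async function demo() {
  const msg = new TextEncoder().encode('constructed sample file contents');
  const { blob, link } = await encryptForShare(msg, 'abc123');
  const roundTrip = new TextDecoder().decode(await decryptFromShare(link, blob));
  const tampered = blob.slice();
  tampered[20] ^= 1; // flip one ciphertext bit: the GCM tag check must fail
  const rejected = await decryptFromShare(link, tampered).then(() => false, () => true);
  return { roundTrip, serverSees: withoutFragment(link), overhead: blob.length - msg.length, rejected };
}
```

In this scheme the full link is a bearer secret: anyone who obtains it, fragment included, can decrypt the blob. The fragment is also readable by any script running on the page through location.hash, so the guarantee depends on the integrity of the client code that is served.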
2. Information We Collect
2.1 Information you provide
Account holders:
- Email address (for login and notifications)
- Name (optional, if you provide it)
- Payment information (processed by Paddle—we never store card numbers)
Anonymous users:
- No personal information required to upload files
Support communications:
- When you contact us, we collect the information you provide
2.2 Information collected automatically
When you use RocketShare, we automatically collect:
- IP address (for security and abuse prevention)
- Device information (browser type, operating system)
- Access timestamps (when you access the service)
- Referral URL (how you found us)
- Download counts (how many times your links are accessed)
- Browser fingerprint (anonymous, for abuse prevention—see Section 9.6)
2.3 Information we DO NOT collect
Due to our zero-knowledge architecture:
- ❌ File contents (encrypted before reaching us)
- ❌ File names (encrypted with the files)
- ❌ Encryption keys (never transmitted to our servers)
- ❌ File previews or thumbnails
- ❌ Any data that would allow us to decrypt your files
3. How We Use Your Information
We use collected information for:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the service | Contract performance |
| Processing payments | Contract performance |
| Sending service notifications | Contract performance |
| Security and fraud prevention | Legitimate interests |
| Abuse prevention | Legitimate interests |
| Service improvement | Legitimate interests |
| Legal compliance | Legal obligation |
| Marketing (only with consent) | Consent |
We do NOT use your information for:
- Advertising or ad targeting
- Selling to third parties
- Building profiles for marketing
- Training AI models on your data
4. Data Storage and Security
4.1 Where we store your data
| Data Type | Location | Provider |
|---|---|---|
| Encrypted files | EU (Amsterdam, Netherlands) | MEGA |
| Account data | EU (Frankfurt, Germany) | Neon (PostgreSQL) |
| CDN/Edge | Global | Cloudflare |
4.2 Security measures
- Encryption at rest: AES-256 for all stored data
- Encryption in transit: TLS 1.3 for all connections
- Zero-knowledge: Client-side encryption before upload
- Access controls: Strict employee access policies
- Regular audits: Ongoing security assessments
4.3 Important security note
While we implement industry-standard security measures, no system is 100% secure. However, our zero-knowledge architecture means that even if our servers were compromised, your files would remain encrypted and unreadable.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Uploaded files | Until expiration (you choose, up to 90 days depending on plan) |
| Account data | While your account is active |
| Server logs | 90 days |
| Payment records | 7 years (legal requirement) |
| Support tickets | 2 years after resolution |
After file expiration: Files are permanently deleted. We do not retain backups of expired files.
Account deletion: Upon request, we delete your account and associated data within 30 days, except where we're legally required to retain records.
6. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | CDN, DDoS protection | IP addresses, traffic data |
| Paddle | Payment processing | Payment details |
| Neon | Database hosting | Account data (encrypted) |
| MEGA | File storage | Encrypted files only |
| Brevo | Transactional email | Email addresses |
| PostHog | Analytics (with consent) | Usage data, session recordings (masked) |
We do NOT share your data with:
- Advertising networks
- Data brokers
- Marketing platforms
- Social media companies
7. International Data Transfers
Your data is primarily stored in the EU. When data is transferred outside the EU (e.g., for CDN purposes), we ensure protection through:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Additional technical measures (encryption)
8. Your Rights Under GDPR
If you're in the EU/EEA, you have the following rights:
Right of Access (Article 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate personal data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing (Article 18)
Request that we limit how we use your data.
Right to Data Portability (Article 20)
Receive your data in a machine-readable format.
Right to Object (Article 21)
Object to processing based on legitimate interests.
Rights Related to Automated Decision-Making (Article 22)
We do not make automated decisions that significantly affect you.
To exercise your rights: Contact us. We will respond within 30 days.
Important limitation: Due to our zero-knowledge architecture, we cannot provide copies of your uploaded files—we don't have access to the unencrypted content.
9. Cookies & Tracking Technologies
9.1 Essential Cookies
These cookies are necessary for the service to function and do not require consent:
| Cookie | Purpose | Duration |
|---|---|---|
| Session | Authentication | Session |
| Locale | Language preference | 1 year |
| Color mode | Theme preference (light/dark) | Persistent |
9.2 Analytics Cookies (Consent Required)
When you consent, we use PostHog analytics cookies (prefixed ph_) to understand how the service is used and to improve it. These cookies are only set after you explicitly accept via the cookie consent banner.
What analytics collects:
- Page views and navigation patterns
- Feature usage (which tools are popular)
- Session recordings (all text and inputs are masked)
- Performance data and error reports
What analytics does NOT collect:
- Encryption keys (URL fragments are stripped before any data is sent)
- File contents or file names
- Passwords or payment information
Hosting: Analytics data is processed in the EU (PostHog EU instance).
9.3 What We Do NOT Use
- ❌ Advertising cookies or ad networks
- ❌ Third-party tracking pixels
- ❌ Social media tracking cookies
- ❌ Cross-site tracking
9.4 Managing Cookie Preferences
You can manage your cookie preferences at any time:
- Cookie banner: Shown on your first visit—choose to accept or reject analytics
- Footer link: Click "Cookie Settings" in the page footer to re-open the banner
- Profile settings: Logged-in users can toggle analytics in Profile → Preferences
Changes take effect immediately. Rejecting analytics stops all tracking and clears analytics cookies.
9.5 Analytics & Session Recording
Purpose: We use analytics to understand how RocketShare is used, identify bugs, and improve the user experience.
Safeguards:
- All text in session recordings is masked (replaced with placeholder characters)
- All form inputs are masked in recordings
- URL fragments (which contain encryption keys) are stripped before any data leaves your browser
- Download pages (/d/**) are excluded from session recording
- No file contents, names, or encryption keys are ever captured
Legal basis: Consent (Article 6(1)(a) GDPR). Analytics only activates after you accept via the cookie banner.
Retention: Event data is retained for 90 days. Aggregated, non-personal statistics may be retained for up to 1 year.
9.6 Browser Fingerprinting (Legitimate Interest)
Purpose: We generate an anonymous browser fingerprint for rate limiting and fraud prevention (e.g., detecting automated abuse of anonymous file uploads).
How it works:
- Stable browser characteristics (screen size, installed fonts, WebGL renderer, etc.) are combined into a single hash
- The hash is salted with a server-side secret, so the fingerprint is unique to RocketShare and cannot be correlated with other sites
- The fingerprint is not linked to your identity and is not stored in cookies
Legal basis: Legitimate interest (Article 6(1)(f) GDPR)—protecting the service from abuse.
Not used for: Marketing, advertising, cross-site tracking, or user profiling.
10. Data Breach Notification
In the event of a data breach:
- We will notify the relevant supervisory authority within 72 hours
- If the breach poses high risk to your rights, we will notify you directly
- We will provide details of the breach and steps we're taking
Note: Due to our zero-knowledge architecture, a breach of our servers would not expose your file contents—they remain encrypted with keys we don't possess.
11. Children's Privacy
RocketShare is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. When we make significant changes:
- We will update the "Effective Date" at the top
- We will notify account holders by email
- We will post a notice on our website
Continued use of RocketShare after changes constitutes acceptance of the updated policy.
13. Supervisory Authority
You have the right to lodge a complaint with a data protection authority. Our lead supervisory authority is:
Autoriteit Persoonsgegevens (Dutch DPA)
Website: autoriteitpersoonsgegevens.nl
You may also contact your local data protection authority.
14. Contact Us
For privacy-related questions or to exercise your rights, please visit our contact page. We aim to respond to all inquiries within 30 days.