Legal Privacy

Introduction

When using the website, you will be asked to provide certain personal information and personal data. With this statement we would like to inform you how your personal data is collected, used and protected and under which circumstances personal data is passed on to third parties.

ySendit protects the rights of site visitors to their personal data and complies with German data protection laws and the EU Data Protection Regulation (DSGVO) of 25 May 2018.


Type and use of the information collected

We collect your data in order to provide the core functionalities of our file sharing service and to be able to continuously improve our services for you. In doing so, we limit ourselves to the collection of data that is required to provide those services that you use on ySendit.

Data technically required

The following data is stored in order to provide the core functionality of ySendit:

- Information about your person (e.g. email and location (determined by your IP))
- General information (e.g. language you use, time of your visits to the website)
- Uploaded files (only if sent via link or mail)
- Email addresses of the recipients (only in the case of sending via email)
- Applications, forms and other communications sent to us
- cookie data

The security of personal data is of great importance to ySendit. We make every effort to ensure the security of your personal data with the measures usual on the Internet, but we cannot guarantee that data will not be lost, misused or altered.

You have the possibility to encrypt (AES 256 bit) a transmission during the creation with a self chosen password. The chosen password will be SSL-encrypted and transferred to our servers and immediately hashed over PBKDF2. We use two randomly generated salts (32 characters) to get two different hashes (256 bit each) of your password. One of the hashes (and the salt used) is stored in our database, so that we can check the password entered when downloading the Transfer. With the other hash we encrypt your transmission according to AES-256 Bit. In doing so, we store only the salt used for the encryption hash in the database. The password used and the hash used for the encryption is not stored at any time. Thus your files can only be decrypted with the password you enter on the download page. The entered passwords are not intercepted by us and are not stored on our servers. We have therefore no possibility to view your encrypted file transfers.

Most of the other Transfer data (including files, message to the receiver & recipient emails) is stored in encrypted form. Upload-Id, size, file name, sharing method and expiration date are not stored encrypted for technical reasons. 

Furthermore, we offer the possibility to automatically delete Transfers and the corresponding uploaded files. If this option is active, the entire Transfer will be completely deleted after the first download (*) (at the latest on the expiry date). For Transfers via email and activated Auto Delete, each recipient can only download the file once. If all recipients have downloaded the file, or if the expiry date has been reached, the Transfer will be completely deleted. (*)

(*) Please see section "Deletion of data" for detailed infomration.

If there are reasons for us to believe that data security cannot be guaranteed or is being misused, we may deactivate your password or currently active session and notify you accordingly.

Data used for service improvements

In order to continuously improve our site and adapt it to your needs, we need to collect and log data on the use of the site, the most frequently visited areas of the site, duration of use, average usage times and other information.

We use the following technical means for this purpose:

- IP address
An IP (Internet Protocol) address is a number that is automatically assigned to your computer when you surf the Internet. The servers that manage the homepages can recognize your computer by this number. In this way we can determine how the site is used by the various IP addresses. However, we store personal and usage-based data anonymously (without connection to the IP used). We also use the IP address to determine the location of access to our website. The location is stored together with the SessionID. This is done anonymously, the location is not linked to a user.

- Cookies
Cookies are data that are transferred from a web server to a visitor's hard drive. They help you to surf the Internet more efficiently by saving your decisions when visiting a site. It is important for you to know that passwords are NEVER stored by cookies. We only use cookies to store your email and session. Most browsers are configured to initially work with cookies. However, you can change the settings of your browser so that it does not accept cookies or informs you about cookies. If you switch off cookies, however, you may experience problems when visiting certain parts of our site. Third parties, such as tools from companies that we integrate into our site to analyse their usage behaviour, may transfer cookies to your hard disk. We have no control over these cookies ourselves.

- Device data
We also collect device-specific data such as browser type or operating system.

- Data acquisition when downloading a Transfer
We anonymously log every download of a Transfer. The respective log is deleted after the end of the Transfer but is kept a minimum of 14 days.

- Hotjar.com
For analysis purposes we use Hotjar only on our upload site. There we collect information about the browser you use, your location and your click behaviour. We don't track key stroke events or record your user input. Hotjar is also used when sending us a feeback via the widget on the left side of our site. Collected data will be made anonymous. Please inform yourself on their pages about data collection from end customers (https://www.hotjar.com/privacy/)

- Cloudflare.com
We use Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) to make our website faster and more secure. In doing so, Cloudflare uses cookies and processes user data. Cloudflare, Inc. is an American company that provides a content delivery network and various security services. These services are located between the user and our hosting provider and act as a reverse proxy for websites. More information about their data processing can be found on their website: https://cloudflare.com


Sharing of collected information

Except as described below, we do not share information with third parties unless we have notified you when collecting the information or registering and you have consented.

Personal data of our customers or former customers will only be passed on to third parties in the following cases:

- Uploaded files are first processed (encrypted) on our servers and then hosted on AWS S3 servers in Frankfurt (EU). More information about AWS’s data handling can be found on their website at https://aws.amazon.com/de/compliance/data-privacy-faq/
- We send emails via AWS SES. Here, we transmit non risky personal data (name, shipment ID) to Amazon, which is only used for the delivery of the mail (https://aws.amazon.com/de/compliance/data-privacy-faq/)
- Once shared files get downloaded, they get cached by our Content Delivery Network. Currently we use the offers from BunnyCDN to provide this network. Please refer to their website https://bunnycdn.com to learn more about their data handling.
- Selected Logos and Background Images are uploaded to the public image repository imgbb.com and are therefore public.


Deletion of data

In accordance with the DSGVO, we only store your data for as long as we need it to provide our service. For this reason, the following data is regularly deleted:

- Uploaded files are completely removed when their expiration date has been reached, when they have been manually deleted by us or the user or when the user's account has been deleted by the user himself or by us.
- Files chached by our Content Delivey Network get automatically deleted in the CDN once they are removed.
- Files of Transfers with activated "auto delete" get deleted 12 hours after the last recepient downloaded the transfer. This delay is required to ensure that the last recepient can successfully download your files.
- Transfer data (file size, shipment type, expiration date, shared since, recipient's email address, sender's email address, sender's ClientID, file names and download logs of files) are deleted once the Transfer expires and kept for a minimum of 14 days. When an account is deleted, Transfer data is deleted immediately.
- Text snippets are treated like transfer data and get deleted once the transfer expired or the "auto-deletion" was fired and are kept for a minimum of 14 days.
- Access data (SessionIDs, last login with the SessionID, access location of the SessionID, preference whether user should remain logged in) will be removed if the corresponding ySendit account has been deleted or if the corresponding session has expired (e.g. if the user logs out of the website).
- Selected Logos and Background images don't get deleted once the upload is expired.


Links to third party sites

When you visit our site, you may be directed to Internet sites of third parties over which we have no control. These links are provided to make it easier for you to use the service. The use of the sites of third parties is at your own risk.


Consent

When using our website ysendit.com or legacy.ysendit.com, we assume that you have read this disclaimer carefully, agree to it and abide by the rules contained therein. 

When using this website, every user will be informed about the applicable data protection regulations as well as the terms and conditions. If he agrees to these, the use is possible within the framework of the tos. In the event that a user cannot agree to these applicable provisions (or, if applicable, individual areas), the use of ySendit as a whole is not possible. 


Change interval

Please note that the content of the privacy policy and the terms and conditions can be changed at any time by ySendit. In such a case, each user must give his or her consent to the adapted terms and conditions the next time he or she visits ysendit.com or legacy.ysendit.com before using it again. 

If you cannot agree to the current content of this statement or future changes, we would ask you to stop using the ySendit service.


Place of jurisdiction

The place of jurisdiction for all disputes arising from legal relationships with ySendit shall be the company's registered office.