Every file you upload is encrypted using AES-256-GCM directly in your browser before it leaves your device. The encryption key is generated locally and embedded only in the URL fragment (the part after the # symbol), which browsers do not send to servers.
This means our servers store only an encrypted binary blob. Without the key in the URL fragment, it is mathematically indecipherable — by us, by regulators, by anyone.
We do not collect your name, email address, or any personal identifier unless you voluntarily provide one. Your username is stored only in your own browser's localStorage — we never receive it unless you include it in a support message.
We do not use tracking cookies, advertising pixels, or behavioural analytics. We do not build user profiles. We do not sell data to third parties. We do not use Google Analytics or any third-party tracking scripts.
When you upload a file, our AWS S3 infrastructure stores the encrypted binary only. We log the event timestamp and the file reference key for audit purposes. We do not log file names, file contents, or your IP address.
If you purchase credits via Stripe, Stripe processes and stores your payment information. We receive only a payment confirmation linked to your chosen username. We never see your card number or banking credentials.
Privacy is enforced through destruction. Every encrypted file is permanently and automatically deleted from our infrastructure after your chosen expiry window — 24 hours, 48 hours, or 7 days.
We do not maintain shadow copies, backups, or archives of transferred files. Once deleted, the data cannot be recovered by anyone — including us.
We use essential cookies only to operate the service (session management). If you consent, we use functional cookies to remember your preferences. We use no advertising cookies by default.
You are asked to confirm your cookie preferences on your first visit. You can change these at any time by clearing your browser's local storage for this site.
We comply with the General Data Protection Regulation (GDPR) and the UK ICO framework. Because we do not collect personal data, most GDPR rights (access, erasure, portability) are satisfied by design — there is no personal data to provide, erase, or export.
For any privacy inquiry, contact: office@convis.app
Convis Transfer integrates optionally with eXstnZ (permanent sovereign storage at exstnz.com) and displays advertising for Ethicoin (ethicoin.org). These are separate services with their own privacy policies. No data is shared between platforms without your explicit action.