Privacy Policy
Last updated 2026-05-16. Plain English. Questions to privacy@routefile.com.
The short version
We collect the minimum we need to run RouteFile: your email and a hashed password, the files you upload, and basic event logs so we can keep the service up. We don't sell anything to anyone. We don't train AI on your files. If you delete your account, your data goes too.
What we collect
- Account info — email address and a scrypt hash of your password. We never store your raw password.
- Your files — exactly what you upload, in the region you pick.
- Share metadata — slugs, expiry dates, password hashes you set on shares, download counts.
- Operational logs — request timing, error rates, aggregated download counts. We keep per-request access logs for up to 30 days for fraud/abuse investigation, then we delete them.
- Billing info — when paid plans are live, payment is processed by Stripe. We never store your card number.
Where your files live
You pick the region at upload. Files are stored in encrypted object storage across six regions worldwide (US East/West, EU West/East, Asia-Pacific, Oceania). The two EU regions are jurisdictional — your files don't leave the EU for any reason.
What we never do
- Sell your data to advertisers, brokers, or anyone else.
- Train AI models on the contents of your files.
- Read your files unless we're investigating an abuse report tied to a specific share.
- Share your account information with third parties, except sub-processors we need to run the service (our object storage provider, Stripe for billing, our email vendor for transactional mail).
Your rights (GDPR, CCPA, etc.)
You can ask us at any time to: show you what data we have on you, export it, correct it, or delete it. Email privacy@routefile.com and we'll respond within 30 days. You can also delete your account directly from Settings, which removes your files within 30 days.
Cookies
We use a single session cookie to keep you signed in. We don't use third-party analytics or ad tracking. The site works with all cookies blocked except the session one.
Sub-processors
A globally distributed object storage and CDN provider, Hetzner (compute), Stripe (billing — once live), Postmark (transactional email — once live). Each is bound by a data-processing agreement matching our commitments here.
Security
Files are encrypted at rest by our storage provider and in transit by TLS 1.3. Passwords are scrypt-hashed with per-user salts. We rotate edge secrets quarterly. If a breach ever affects your account, we'll email you within 72 hours of discovering it.
Changes
If we change this policy in a way that meaningfully affects your account, we'll email you first. The current version always lives at routefile.com/privacy.
