Privacy Policy
Effective date: 24 March 2026
This Privacy Policy explains how Techlyft Pty Ltd (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the FileSafety content security API and related services (collectively, the “Service”) at filesafety.dev, api.filesafety.dev, and docs.filesafety.dev.
Data Controller
Section titled “Data Controller”Techlyft Pty Ltd is the data controller for personal data processed through the Service.
Contact: [email protected]
What Personal Data We Collect
Section titled “What Personal Data We Collect”Account Data
Section titled “Account Data”When you create an account, we collect:
- Email address — used for authentication, billing, and service communications
- Password — stored as a cryptographic hash via AWS Cognito; we never store plaintext passwords
Usage Data
Section titled “Usage Data”When you use the Service, we automatically collect:
- IP address — for security, rate limiting, and abuse prevention
- API request metadata — timestamps, endpoints called, response codes
- File metadata — file name, file size, file hash (SHA-256), MIME type
- Scan results — malware detection verdicts, content analysis scores
Billing Data
Section titled “Billing Data”When you subscribe to a paid plan, Stripe (our payment processor) collects:
- Payment method details — card number, expiration, CVC
- Billing address
We do not store your full card number or CVC. We receive from Stripe only a truncated card identifier (last 4 digits), card brand, and billing email for display in your dashboard.
What We Do NOT Collect
Section titled “What We Do NOT Collect”- File content is not retained. Files uploaded for scanning are processed and automatically deleted immediately after scanning completes. A 24-hour automated failsafe ensures no files persist beyond this window. We do not read, inspect, or retain file content beyond what is necessary to perform the scan.
- We do not collect demographic data, location data (beyond IP), or tracking cookies for advertising.
How We Use Your Data
Section titled “How We Use Your Data”| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the scanning service | File metadata, scan results | Contract performance |
| Authenticate your account | Email, password hash | Contract performance |
| Process payments | Billing data (via Stripe) | Contract performance |
| Prevent abuse and ensure security | IP address, API request metadata | Legitimate interest |
| Send service communications | Email address | Contract performance |
| Improve the Service | Aggregated, anonymised usage statistics | Legitimate interest |
Data Retention
Section titled “Data Retention”| Data Type | Retention Period |
|---|---|
| Uploaded files | Deleted immediately after scanning completes. A 24-hour automated failsafe ensures no files persist beyond this window. |
| Scan metadata (file hash, results, timestamps) | 30 days, then deleted |
| Account data (email, preferences) | Retained until you close your account. After account closure, data is permanently deleted after a 30-day grace period. |
| Billing records | As required by tax and accounting law (typically 7 years) |
| Server and access logs | 14 to 30 days |
After the retention period expires, data is permanently deleted or irreversibly anonymised.
Sub-processors
Section titled “Sub-processors”We use the following third-party sub-processors to deliver the Service:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, file scanning, authentication, storage, compute | All service data | Australia (ap-southeast-2) |
| Stripe | Payment processing, subscription management | Billing data, email | United States / European Union |
| Cloudflare | DNS, CDN, DDoS protection, documentation hosting | IP addresses, request metadata | Global edge network |
International Data Transfers
Section titled “International Data Transfers”Your data is primarily processed in Australia (AWS ap-southeast-2). Where data is transferred to sub-processors outside Australia (Stripe in the US/EU, Cloudflare’s global edge), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processor compliance with applicable data protection frameworks
Your Rights
Section titled “Your Rights”Under the GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data (“right to be forgotten”)
- Restriction — request that we limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — file a complaint with your local data protection authority
How to Exercise Your Rights
Section titled “How to Exercise Your Rights”Email us at [email protected] with your request. We will respond within 30 days. We may ask you to verify your identity before processing your request.
To delete your account and associated data, you can also do so directly from your account settings at filesafety.dev.
Security Measures
Section titled “Security Measures”We implement technical and organisational measures to protect your data:
- Encryption at rest — all stored data is encrypted using AES-256
- Encryption in transit — all connections use TLS 1.2 or higher
- Immediate file deletion — uploaded files are automatically deleted immediately after scanning, with a 24-hour failsafe
- Access controls — strict IAM policies limit access to production data to authorised personnel only
- Infrastructure isolation — scanning workloads run in isolated VPC environments
- API key authentication — all API access requires authentication via API keys
Children’s Privacy
Section titled “Children’s Privacy”The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will promptly delete it.
Changes to This Policy
Section titled “Changes to This Policy”We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) at least 14 days before the changes take effect. We track consent versions to ensure you have accepted the current policy.
The “Effective date” at the top of this page indicates when this policy was last updated.
Contact Us
Section titled “Contact Us”If you have questions about this Privacy Policy or how we handle your data:
Techlyft Pty Ltd Email: [email protected] Website: filesafety.dev