Privacy Policy

Last updated: 2026-05-11

This Privacy Policy describes how Web Design AS (“we”, “us”) collects, uses, and protects personal data when you use the WeGotFiles service. We act as the data controller for the personal data of our own account holders, and as a data processor for files uploaded by our customers (see the DPA).

1. Data controller

Web Design AS
Org. nr 976 879 473
Postal address: Industriveien 14
1481 Hagan
Norway
Privacy enquiries: support@wegotfiles.com

2. What we collect

  • Account data: email, first/last name, an irreversibly hashed copy of your password, and OAuth identifiers when you sign in with Google/GitHub/Microsoft.
  • Usage data: IP address, browser/user-agent, language preference, timestamps of file uploads, downloads, and sign-ins. Used for security audit logging and abuse prevention.
  • File metadata: filenames, sizes, recipient email addresses, expiry dates, and password-protection flags for transfers you create.
  • File contents: the files themselves, encrypted at rest, retained only until the expiry date or download limit you set.
  • Billing data: handled by Stripe (we receive only the subscription status, not your card details).

3. Why we process it (legal basis under GDPR)

  • Provide the service (Art. 6(1)(b) — contract): account creation, file transfers, billing.
  • Security & abuse prevention (Art. 6(1)(f) — legitimate interest): audit logs, rate limits, blocked-domain enforcement.
  • Legal obligations (Art. 6(1)(c)): retention of accounting records for 5 years (Norwegian Bookkeeping Act).

4. How long we keep it

  • Account data: until you delete your account, plus a 30-day backup grace period.
  • Uploaded files: until their expiry date or after delivery — typically 3–30 days depending on your tier.
  • Audit logs: up to 90 days.
  • Invoices and billing records: 5 years (legal requirement).

5. Who we share it with

We share personal data only with the sub-processors listed in the Data Processing Agreement. We do not sell personal data to anyone, ever. Each sub-processor is bound by GDPR-compliant terms.

6. International transfers

Some OAuth providers (Google, GitHub, Microsoft) and Stripe process data in the US under EU Standard Contractual Clauses. File storage, database, and email are hosted in the EU.

7. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (“right to be forgotten”).
  • Export your data in a portable format.
  • Object to processing or restrict it.
  • Lodge a complaint with Datatilsynet (the Norwegian DPA, datatilsynet.no).

Signed-in users can exercise the access, portability, and erasure rights directly from the account page: there is an “Export my data” button (downloads everything we hold as JSON) and a “Delete my account” button that cancels any active subscription and removes your personal data. For all other requests (correction of a field you can't edit yourself, objections, complaints) email support@wegotfiles.com. We respond within 30 days.

Exception for re-registration prevention: when an account is deleted, we keep a one-way hash of the deleted account's email address — never the cleartext email itself — together with the deletion date. This lets us block re-registration with the same address for one year. Accounts that were previously flagged for violating the Acceptable Use Policy are blocked permanently. Legal basis: GDPR Art. 17(3)(e) (defence of legal claims) and Art. 6(1)(f) (legitimate interest in abuse prevention).

8. Cookies

See the Cookie Policy.

9. Security

We use industry-standard encryption in transit and at rest, irreversible password hashing, logical isolation between customer accounts, and audit logging of access to sensitive operations. We notify Datatilsynet and affected users within 72 hours of any confirmed personal-data breach.

10. Changes

We may update this policy. Material changes will be announced by email to account holders at least 14 days before they take effect.