security.

• In transit — all traffic to and from Filey is encrypted with TLS (HTTPS). Uploads go directly from your browser to encrypted EU storage.
• At rest — file bytes are stored encrypted with AES-256 in a private, EU-hosted object store. The underlying storage links are never exposed to the public.

Your files and account data are stored in the European Union. We split responsibilities across vetted providers — Supabase for the database and authentication, Cloudflare R2 for encrypted file storage — and run the application itself on dedicated servers located in the European Union. See the full list in our Privacy & Terms.

• Owner-gated downloads — files are served through our own proxy with authorization checks, never via a public bucket URL.
• Row-level security — the database enforces, at the row level, that you can only ever read your own transfers and files (and ones explicitly shared with you).
• Unguessable links — share links use ~95 bits of cryptographic randomness, are marked noindex, and send no referrer.
• Optional passwords & download limits — on Plus, lock a transfer with a password and cap how many times it can be downloaded.
• Auto-expiry — free transfers are permanently deleted 14 days after sending, freeing the stored bytes for good.

• Two-factor authentication — enable TOTP-based 2FA, enforced at login, from your account settings.
• Passwords — stored only as salted hashes (scrypt); we never see your plaintext password. A minimum length is enforced.
• Email verification — even account-free sends verify your email with a short-lived 6-digit code before anything is delivered.

• Per-IP and per-email rate limits on uploads, sends, and verification.
• Server-authoritative file-size and quota checks — we never trust client-reported sizes.
• Constant-time comparison for tokens and passwords to resist timing attacks.
• Email content is escaped to prevent injection in notification messages.
• Strict ownership checks on every file, avatar, and storage path.

We don't scan, read, sell, or train models on your files. We move them and then, on the free plan, we delete them. The minimum data, kept the minimum time. Details in our Privacy & Terms.

Found a security issue? We want to hear about it. Email [email protected] with steps to reproduce.

• Please give us reasonable time to fix the issue before disclosing it publicly.
• Don't access, modify, or delete data that isn't yours, and don't run attacks that degrade the service for others (e.g. DoS, spam).
• Acting in good faith under these guidelines, we won't pursue action against you for your research.

No service is perfectly secure, and we won't pretend otherwise. We harden continuously, patch quickly, and tell you promptly if something affecting your data goes wrong. Help us by using a strong, unique password and enabling 2FA.