Privacy

Privacy

receive.link is built so we cannot read your files, even if we wanted to.

Last updated: June 26, 2026

Your files

Every file is encrypted in the sender's browser, end to end, to a key that only you hold (derived from your passkey). We only ever receive and store the encrypted version. We cannot read your files, see their names, or know their type, and neither can anyone else without your passkey. Encrypted files are stored for at most 7 days, then deleted automatically.

Your email address

Your email address is sealed (encrypted) inside your link, to our server's key, so it is never exposed in the public link, to the people who send you files, or in our logs. Our server holds the matching key and can unseal it, but only does so in memory, and only to send you the emails the service runs on: a confirmation when you create a link, a copy of your link once it is confirmed, and a notice when a file arrives. We never store your address in readable form. While you are confirming a new link, the still-encrypted version is held for up to an hour, then deleted.

Your email is the one piece of personal data our server can read, and only to mail you. Your files are different: they are sealed to a key only your passkey can produce, which our server never holds, so we cannot open them. Long-term, the only thing we keep tied to you is a one-way hash of your address, never the address itself, used to count usage and apply abuse limits.

People who send you files

Senders do not have an account and do not sign in. Their browser creates a throwaway key for each file that links to no one, so we never learn a sender's identity. Like any website, the relay does briefly receive a sender's IP address to enforce abuse limits, but stores it only as a one-way hash, never the raw address.

What we log

  • No analytics, no cookies, no trackers, no advertising. We do not build a profile of you.
  • For security and to stop abuse, we keep short-lived counters keyed to a one-way hash of the sender's IP address and of email addresses, never the raw IP or email. These counters expire automatically.
  • We keep minimal operational logs to run and debug the service: object and link identifiers, transfer sizes, and error codes, never your email, file names, or contents.
  • Our hosting provider, Cloudflare, may keep standard, short-lived network logs (as nearly all hosts do) for security and abuse prevention.
  • The relay can see the size and timing of an encrypted transfer, an opaque link identifier, and the label you gave your link (we use it in your email subjects). It cannot see file names, contents, or who sent them.

Payments

Payments are handled by Stripe. When you add credit, you enter your billing details with Stripe, and Stripe holds them under its own privacy policy. We never see or store your card number. From Stripe we keep only a billing reference (the one-way fingerprint of your email, tied to your Stripe customer ID) and your remaining credit balance, so we can apply what you have paid for.

Where your data lives

receive.link runs on Cloudflare (Workers, R2 storage, and KV). Encrypted files live in R2 and auto-delete after 7 days. A link awaiting confirmation (held one hour, still encrypted) and rate-limit counters expire on their own. The one longer-lived piece is the small map that powers your disable-link button: a random token tied to a link identifier, with no email attached. We do not operate a database of users or files.

Your choices

You can turn off any link at any time, which stops new files from arriving. You can stop using receive.link whenever you like; there is no account to delete, because we do not keep one. Because we hold so little about you (one-way hashes, not your address or IP), there is very little to request, but for any privacy question or request you can reach us at [email protected].

Changes

If any of this changes, we will update this page and the date above. New features get their behavior described here before you use them.