Privacy Notice
Last updated: 13 July 2026
This notice explains how JAD Apps ("we", "us") processes personal data in connection with SecureSend, in accordance with UK GDPR and the Data Protection Act 2018. We are the controller for the data described below.
The file itself is never received, stored, or processed by us, under any circumstances. Encryption and decryption happen entirely in your browser. Everything below is metadata about the transfer, not the file's contents.
What we process, and why
- Account email and Stripe customer ID — to operate your subscription. Lawful basis: performance of a contract.
- File metadata only — filename, size, MIME type, content hash, and timestamps, plus a coarse (city/region-level) IP address in our security audit log. Lawful basis: legitimate interests (fraud prevention, abuse detection, service reliability) for the audit log; contract for the core metadata needed to run the handover.
- Wrapped one-time key — the escrowed key material itself, held only until it is released on first open or expires. Lawful basis: performance of a contract.
- Recipient contact details (optional) — if you use our delivery feature, the recipient's email and/or phone number is used transiently to send the link and/or PIN, and is not stored after sending. If PIN delivery is chosen, the PIN itself transits our server transiently for that single send and is not stored. Lawful basis: performance of a contract (at your instruction, as the sender).
- Sender receipt email (optional) — if you request an open receipt, your email address is stored with the file record and used once, to notify you when the file is opened and the key is destroyed. It is erased with the record (see Retention). Lawful basis: performance of a contract.
Processors we use
- Cloudflare — hosting and infrastructure (EU/UK/US, transfers safeguarded by Standard Contractual Clauses).
- Stripe — payment processing.
- Resend — email delivery, when you use the delivery feature.
- Twilio — SMS delivery, when enabled and when you use the delivery feature.
Retention
File records (metadata and the wrapped key) are destroyed at the moment a file is opened or expires unclaimed, and are fully purged from our systems within 90 days. Account data is retained while your subscription is active, plus any statutory period required for tax and accounting records thereafter.
Your rights
Under UK GDPR you have the right to access, rectify, or erase your personal data, restrict or object to our processing of it, and request portability of it. To exercise any of these rights, contact [SUPPORT EMAIL]. You also have the right to complain to the UK's supervisory authority, the Information Commissioner's Office, at ico.org.uk.
Cookies and tracking
We do not set cookies and do not run analytics or advertising trackers. We use your browser's sessionStorage only, to keep your access key available on your own device during your session — this data never leaves your device. See our Cookies notice for details.
Contact
Questions about this notice or your data: [SUPPORT EMAIL].