Privacy Policy
Effective date: March 9, 2026
Last updated: March 9, 2026
This Privacy Policy describes how RUDU Labs ("we," "us," or "our") collects, uses, stores, and discloses personal information when you use FilePouch (filepouch.io). It also describes your rights under applicable privacy laws, including the EU General Data Protection Regulation (GDPR), Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), and California's Online Privacy Protection Act (CalOPPA).
By using FilePouch, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the service.
/ 01
Data Controller
The data controller for personal information collected through FilePouch is:
We do not have a formal EU representative or Data Protection Officer (DPO) at this time. All data-related inquiries should be directed to [email protected]. We will respond within 30 days of receiving your request.
/ 02
What Data We Collect
2.1 Account Holders
When you create a FilePouch account, we collect:
| Data | Source | Purpose |
|---|---|---|
| Email address | You, at signup | Account login, transactional notifications |
| Password (hashed) | You, at signup | Authentication — never stored in plain text |
| Billing information | Stripe (we never receive full card data) | Payment processing for paid plans |
| IP address & timestamps | Automatic | Security, abuse prevention, rate limiting |
| Session cookies | Automatic | Authentication state management |
2.2 File Senders (People Uploading to a Pouch)
People who upload files to a pouch link (who may not have an account) may provide:
| Data | Source | Purpose |
|---|---|---|
| Name (optional) | You, voluntarily | Identify who sent a file |
| Uploaded files & metadata | You | Core service — delivering files to the pouch owner |
| IP address & timestamps | Automatic | Security, abuse prevention |
2.3 What We Do NOT Collect
We do not collect government ID numbers, passport numbers, or similar identity documents
We do not collect payment card details directly — all payments are processed by Stripe
We do not use advertising trackers or behavioral analytics
We do not sell your personal data to any third party
/ 03
Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases pursuant to Article 6 of the GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — Performance of a contract |
| Processing payments | Art. 6(1)(b) — Performance of a contract |
| Sending transactional emails | Art. 6(1)(b) — Performance of a contract |
| File storage and delivery | Art. 6(1)(b) — Performance of a contract |
| Security logging, abuse prevention | Art. 6(1)(f) — Legitimate interests |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
| Strictly necessary cookies | Art. 6(1)(f) — Legitimate interests (authentication) |
We do not engage in automated decision-making or profiling as defined under Article 22 of the GDPR.
/ 04
How We Use Your Data
We use personal data solely for the following purposes:
Providing the service: Storing, transferring, and managing files and pouches
Account management: Authentication, password reset, and account-related communications
Billing: Processing and managing subscription payments via Stripe
Security: Detecting and preventing fraud, abuse, unauthorized access, and violations of our Terms of Service
Legal compliance: Responding to lawful government requests, DMCA notices, and other legal obligations
Service communications: Upload notifications, storage limit alerts, and policy change notices
What we never do:
We do not sell your personal data. We do not use your data for advertising. We do not profile users for marketing purposes. We do not access the content of your files except when required by law or to investigate a credible report of policy violation.
/ 05
Sub-Processors and Third Parties
We share personal data with the following sub-processors to operate the service. Each is bound by a Data Processing Agreement (DPA) and applicable data protection law.
| Sub-Processor | Location | Data Processed | Purpose |
|---|---|---|---|
| Cloudflare, Inc. | USA | Files, metadata, IP addresses (in transit and at rest via R2) | File storage (Cloudflare R2), CDN, DDoS protection |
| Stripe, Inc. | USA | Billing data, email address | Payment processing and subscription management |
| Resend, Inc. | USA | Email addresses, email content | Transactional email delivery |
| DigitalOcean, LLC | USA | All data processed by the application server | Cloud infrastructure hosting (application server) |
We do not share your personal data with any other third parties except as required by law. If you receive a subpoena or equivalent legal request relating to content you uploaded, we may be required to disclose account information associated with that content.
/ 06
International Data Transfers
FilePouch is operated from Mexico, and our infrastructure sub-processors (Cloudflare, Stripe, Resend, DigitalOcean) are headquartered in the United States. When you use FilePouch, your personal data may be transferred to, stored in, and processed in the United States or other countries outside your country of residence.
For transfers of personal data from the EEA or United Kingdom to the United States, we rely on our sub-processors' Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46(2)(c) of the GDPR, or equivalent transfer mechanisms. You can review each sub-processor's transfer mechanisms via their respective privacy and DPA documentation.
By using FilePouch, you understand that your information will be transferred to and processed in countries other than your own, including the United States and Mexico, which may have different data protection laws than your jurisdiction.
/ 07
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account data (email, password hash) | Until account deletion + 30-day grace period |
| Uploaded files — Free tier | 30 days from upload date, then auto-deleted |
| Uploaded files — Pro tier | Duration of active subscription + 30 days after cancellation |
| Security and access logs | 90 days |
| Billing and payment records | 7 years (legal and tax compliance) |
| DMCA-related records | As required by applicable law (typically 3+ years) |
When you delete your account, we initiate deletion of your personal data within 30 days, except where we are required to retain data for legal, tax, or compliance purposes. Billing records may be retained longer as required by applicable tax law.
/ 08
Your Rights
Depending on where you are located, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
EU / EEA / UK — GDPR
Access (Art. 15): Request a copy of the personal data we hold about you
Rectification (Art. 16): Correct inaccurate or incomplete data
Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
Restriction (Art. 18): Request restriction of processing in certain circumstances
Portability (Art. 20): Receive your data in a structured, machine-readable format
Objection (Art. 21): Object to processing based on legitimate interests
Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority (e.g., your EU member state's DPA, or the ICO in the UK)
Mexico — LFPDPPP (ARCO Rights)
Access (Acceso): Request access to the personal data about you that we process
Rectification (Rectificación): Request the correction of inaccurate data
Cancellation (Cancelación): Request the deletion of your personal data
Opposition (Oposición): Object to the processing of your personal data
To exercise your ARCO rights, send a request to [email protected]. We will respond within 20 business days, in accordance with the LFPDPPP.
California — CalOPPA
We do not sell personal information to third parties
We do not track users across third-party websites and do not respond to browser "Do Not Track" signals (as there is no industry standard for this)
California users may request deletion of personal data by contacting [email protected]
Everyone
You can delete your account at any time from your dashboard. Account deletion removes your profile data and initiates deletion of your stored files, subject to our retention schedule above. Some data (such as billing records and security logs) may be retained as described in Section 7.
/ 09
Cookies
FilePouch uses only strictly necessary cookies. We do not use advertising cookies, analytics cookies, or any tracking technologies that require consent under the ePrivacy Directive (EU Cookie Law).
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Maintains your login session | Session |
| CSRF token | Strictly necessary | Prevents cross-site request forgery attacks | Session |
| Stripe cookies | Strictly necessary | Fraud prevention during payment checkout (set by Stripe on their domain, not ours) | Session / Short-term |
Because we use only strictly necessary cookies, no consent banner is required under EU law. You can disable cookies in your browser settings, but doing so will prevent you from logging in to FilePouch.
/ 10
Children's Privacy
FilePouch is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you are under 18, do not use FilePouch or provide any personal information to us.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete that data. If you believe we have collected data from a minor, please contact us at [email protected].
/ 11
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:
Notify affected users by email without undue delay
For EEA/UK users: report to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, as required by GDPR Article 33
Maintain an internal record of all data breaches, including those not required to be reported
Provide details of the breach, the data affected, likely consequences, and the measures taken to address it
If you discover or suspect a security issue, please report it to [email protected] immediately.
/ 12
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we do, we will:
Update the "Last updated" date at the top of this page
For material changes that affect how we process personal data, notify registered account holders by email at least 14 days before the changes take effect
Your continued use of FilePouch after a policy update constitutes acceptance of the revised policy. If you disagree with a material change, you may close your account before the effective date.
/ 13
Contact Us
For privacy-related questions, requests, or complaints, contact us at:
RUDU Labs — Privacy Team
Email: [email protected]
General: [email protected]
We will respond within 30 days (20 business days for ARCO requests under LFPDPPP).