Privacy Policy
Last updated: June 10, 2026
This Privacy Policy explains how BouncyLoop SRL, a limited liability company incorporated in Italy (“BouncyLoop”, “we”, “us”), processes personal data when you use Spize, the file-transfer service available at spize.io and through the Spize desktop application (the “Service”). BouncyLoop SRL is the data controller for this processing. You can reach us at info@spize.io.
1. What we can never read: your files
Spize is designed so that we do not have access to the contents of the files you transfer:
- Cloud relay transfers are end-to-end encrypted. Files are encrypted with AES-GCM in your browser or on your device before upload. Our servers and our storage provider (Cloudflare R2) only ever receive and store ciphertext. The decryption key travels in the URL fragment of the share link (the part after #), which browsers never send to a server — so the key never reaches us.
- Direct device transfers are streamed from the sender’s machine to the recipient through an encrypted tunnel and are not stored on our infrastructure.
Filenames attached to cloud-relay shares are stored in encrypted (opaque) form; we cannot read them either.
2. Data we collect
We store the following data:
- Account data: your email address, used to create and sign in to your account via one-time passcodes.
- Share metadata: file sizes, timestamps, opaque encrypted filenames, and expiry information for each share.
- Usage and quota counters: aggregate measures (such as bytes transferred) used to enforce plan limits.
- Audit and diagnostic logs: technical logs generated when you use the Service, used for security, abuse prevention and troubleshooting.
We do not store your card or payment details — payments are handled directly by Stripe. We do not use third-party analytics or advertising trackers on the site.
3. Why we process this data (legal bases)
- Performance of a contract (Art. 6(1)(b) GDPR): operating your account, delivering transfers, enforcing plan quotas, and processing subscriptions.
- Legitimate interests (Art. 6(1)(f) GDPR): keeping the Service secure, preventing abuse, and diagnosing technical problems via audit and diagnostic logs.
- Legal obligations (Art. 6(1)(c) GDPR): retaining billing records where tax and accounting law requires it.
4. Data processors
We use a small number of service providers that process data on our behalf, under data processing agreements:
- Supabase — authentication (email OTP) and database.
- Cloudflare R2 — object storage for cloud-relay shares (ciphertext only).
- Stripe — payment processing for paid plans.
- Resend — transactional email (such as sign-in codes and service notifications).
- Fly.io — application hosting.
Some of these providers may process data outside the European Economic Area. Where that happens, transfers rely on appropriate safeguards under GDPR Chapter V, such as adequacy decisions or standard contractual clauses. We do not sell personal data, and we do not share it with third parties for advertising.
5. Retention
- Shares expire automatically; after expiry the ciphertext is no longer available for download and is removed from storage.
- Account data is kept for as long as your account exists. If you ask us to delete your account, we delete it along with associated personal data, except where we must retain records to comply with legal obligations.
- Audit and diagnostic logs are kept for a limited period appropriate to security and troubleshooting, then deleted or anonymized.
6. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”);
- receive your data in a portable, machine-readable format;
- restrict or object to processing based on legitimate interests;
- lodge a complaint with a supervisory authority — in Italy, the Garante per la protezione dei dati personali — or with the authority of your place of residence.
To exercise any of these rights, email info@spize.io. We will respond within the timeframes required by the GDPR.
7. Security
Beyond end-to-end encryption of cloud-relay content, we apply technical and organizational measures appropriate to the risk, including encryption in transit (TLS) for all connections to the Service, passwordless authentication via one-time codes, and access controls on our infrastructure. No system is perfectly secure; protect your share links, since anyone with a complete link (including its key fragment) can download and decrypt the corresponding share until it expires.
8. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will give notice through the Service or by email before the changes take effect. The “Last updated” date at the top reflects the latest revision.
9. Contact
For any privacy question or request: info@spize.io. For the rules that govern use of the Service, see our Terms of Service.