file.ax
Privacy Policy
Last updated: April 1, 2026 (UTC)
0. Data Controller (Responsabile del Trattamento)
The data controller for file.ax is Kotekorbya Technologies di Jacopo Di Pumpo.
1. Scope
This policy explains how file.ax handles personal data when you use the website, APIs, and related features.
It applies to uploads, downloads, account access, and support interactions.
2. Data We Process
- Account data: username, authentication/session state, and password hash for account login.
- File data: uploaded file bytes, file metadata (name, size, type, path), and expiry settings.
- E2E metadata: for end-to-end encrypted uploads, we store ciphertext and the non-secret metadata needed for the decryption UI.
- Operational logs: request/abuse/security logs (for example IP, user agent, route, and status) to keep the service running safely.
- Cookies/local storage: used for authentication and client-side settings. See /cookies.
3. Infrastructure and Data Location
file.ax stores and processes data in Europe.
Internet routing between clients and file.ax may traverse non-EU networks (including U.S. transit paths) depending on ISP peering and global backbone routing. Transport remains encrypted in transit via HTTPS (SSL/TLS).
- Hot server: hosted at lakenetworks.it in Italy, used for live traffic handling and active file operations.
- Cold storage server(s): located in Finland/Germany (FI/DE) and used by the main file.ax server as secondary cold-storage capacity.
- Interlink model: the main server writes/reads cold-tier objects through an encrypted storage layer (gocryptfs), including files that are not browser-E2E encrypted.
- Key isolation: cold disks store ciphertext only; decryption capability is held by the main server environment, not by the secondary cold-storage hosts themselves.
- Storage confidentiality model: data written to secondary cold-storage disks is stored as ciphertext and is designed to remain unreadable without decryption capability held in the main server environment.
4. End-to-End Encryption (E2E) Notes
When E2E upload is used, encryption happens in your browser before upload. The server receives ciphertext only.
Your password and derived decryption key are not sent to the server.
Some metadata is still visible to the server and anyone with access to the file record, including file name, size,
MIME type, and encrypted format parameters required by the client.
Technical design details: /e2e whitepaper.
5. Why We Use Data
- To provide upload/download functionality and account features.
- To enforce anti-abuse/security controls and investigate incidents.
- To maintain reliability, diagnose failures, and improve performance.
- To comply with legal obligations when required.
6. Sharing
We do not sell personal data. Data may be processed by infrastructure providers required to operate the service
(hosting, storage, networking), and may be disclosed if required by law.
7. Retention
Files are retained until expiry or deletion. Operational logs and related technical data are retained for security,
abuse prevention, and service reliability as needed.
8. Your Controls
- Delete files or let them expire automatically.
- Log out and clear browser cookies/local storage at any time.
- Use strong passwords for account access and for E2E-protected files.
- Contact support through /contact for account/privacy requests.
9. Security Disclaimer
No system can guarantee absolute security. You are responsible for endpoint/browser security and for handling
shared links and passwords safely.