UploadexBack to site

Legal

Privacy Policy

Last updated 27 April 2026 · complies with GDPR and India DPDP Act 2023

The short version: we collect only what is needed to run the Service, we never look inside your files, we do not sell your personal data, and you can export or delete everything at any time.

1. Who we are

Uploadex is operated by Brixial Technologies Pvt Ltd ("Brixial", "we", "us"), a private limited company incorporated in India on 26 December 2023. Brixial is the "Data Controller" under the EU General Data Protection Regulation (GDPR) and the "Data Fiduciary" under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") for personal data processed through Uploadex.

This Privacy Policy explains what personal data we process, why we process it, how long we keep it, who we share it with, and how you can exercise your rights. It applies to the Uploadex website at uploadex.net and every service, API and subdomain operated from it (the "Service").

2. Personal data we process

We only collect data that is necessary to provide, secure, and improve the Service.

  • Account data — email address, display name, hashed password, preferred language, and account settings. Required to create and sign in to an account.
  • File metadata — file name, size, MIME type, SHA-256 hash, upload and expiry timestamps. Required to list, preview and deliver your files.
  • File contents — stored in encrypted form at rest (AES-256-GCM). We do not open, read, scan for advertising, or train any machine-learning model on your file contents. Automated safety scans (see §9) examine cryptographic hashes, not content.
  • Usage and device data — IP address, user-agent string, referring URL, request path, HTTP status codes, and timestamps. Generated whenever you interact with the Service.
  • Support communications — the content of emails, tickets or chat messages you send to our support team, and our replies.
  • Cookies and local storage — strictly-necessary cookies for authentication and security (e.g. CSRF tokens, session IDs) and a preference cookie that stores your theme choice. We do not use advertising, profiling or cross-site tracking cookies.

We do not knowingly collect sensitive personal data such as health, biometric, financial account numbers, caste, religion, political opinion, or sexual-orientation data.

3. Why we process it (purposes and legal bases)

Under GDPR, we must rely on one or more lawful bases for every purpose. The DPDP Act requires a specified purpose and, where applicable, your consent. The table below sets out what we do and why.

  • Provide the Service — store, preview and deliver the files you upload. Basis: performance of a contract (GDPR Art. 6(1)(b)); performance of a contract under DPDP §7(a).
  • Keep the Service secure — detect abuse, prevent malware distribution, investigate incidents, rate-limit automated clients. Basis: legitimate interests (GDPR Art. 6(1)(f)); legitimate use under DPDP §7(i).
  • Comply with law — respond to lawful requests, notify authorities of child-safety concerns, maintain statutory logs under the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Basis: legal obligation (GDPR Art. 6(1)(c)); compliance with law under DPDP §7(c).
  • Communicate with you — reply to support requests, send essential service notices (e.g. security alerts, policy changes). Basis: legitimate interests / performance of a contract.
  • Improve the Service — aggregate, anonymised analytics such as total uploads per region or median transfer speed. Basis: legitimate interests.

We do not process personal data for advertising, profiling, automated decision-making that produces legal effects, or sale to third parties.

4. How long we keep it (retention)

  • Files you upload — kept until you delete them or your account is closed. Deleted files are purged from all primary storage within 24 hours and from edge caches within 72 hours.
  • Account data — kept for the life of your account. Deleted within 30 days after you close your account, unless we are required to retain it longer by law.
  • Usage and security logs — 14 days, then automatically truncated. Aggregated, non-identifying metrics may be kept longer.
  • Support communications — 24 months from the last message, for training and quality-assurance.
  • Records required by law — statutory records (e.g. those mandated by Rule 3(1)(h) of the IT Rules, 2021) are kept for the minimum period required by the relevant law.

5. Who we share it with

We share personal data only with the following categories of recipients, and only to the minimum extent necessary.

  • Infrastructure processors — cloud hosting, content-delivery and email-delivery providers acting under written data-processing agreements (with standard-contractual-clauses where applicable).
  • Professional advisers — accountants, auditors and lawyers bound by confidentiality.
  • Law-enforcement or regulators — only where we have a good-faith belief that disclosure is legally required under a valid, binding order. We publish an annual transparency report summarising such requests.
  • Successors — if Brixial is acquired or undergoes a reorganisation, personal data may be transferred under the same protections as set out here.

We do not sell or rent personal data to anyone.

6. International transfers

Uploadex operates a global edge network. Your data may be processed in jurisdictions outside India and the European Economic Area, including the United States, the United Kingdom, Singapore, and Germany. Where we transfer personal data out of the EEA we rely on the European Commission's Standard Contractual Clauses (2021 version) together with supplementary technical measures (encryption in transit and at rest). Transfers from India are made in compliance with §16 of the DPDP Act.

7. Your rights

Subject to local law, you have the following rights over your personal data:

  • Access — ask for a copy of the data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Erasure / deletion — ask us to delete your data where we have no overriding legal basis to retain it.
  • Portability — receive your data in a structured, commonly-used, machine-readable format.
  • Objection / withdrawal of consent — object to, or withdraw previously-given consent for, specific processing.
  • Grievance / complaint — raise a grievance with our Grievance Officer (India) or complain to a supervisory authority.

To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 30 days for GDPR requests and 30 days for DPDP requests (extendable once by a further 30 days where the request is complex).

If you are in the EEA or UK you may also complain to your national data-protection authority. If you are in India you may complain to the Data Protection Board of India once it is operational.

8. Security

We take the security of your data seriously and use industry-standard controls, including:

  • TLS 1.3 for all data in transit.
  • AES-256-GCM for file contents at rest.
  • Argon2id for account-password hashing.
  • Role-based access control and audit logging for all administrative actions.
  • Least-privilege production access, multi-factor authentication for all staff, and hardware-key enforcement for privileged roles.
  • Annual third-party penetration testing and a public, rewarded vulnerability-disclosure programme.

No online service is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within the timeframes required by law (72 hours under GDPR; the prescribed period under the DPDP Act).

File contents are encrypted in transit (TLS 1.3) and at rest (AES-256-GCM) by our storage infrastructure. Uploadex does not implement end-to-end encryption — meaning Uploadex can access file contents where required by law or for automated safety scanning as described in §9.

9. Automated content-safety scanning

When you upload a file, we compute a one-way cryptographic hash of the content and compare it to industry hash-lists of known illegal material (for example child-sexual-abuse material and malware). We do not open or read the file itself. If a match is found, we act as required by law, which may include preserving the file, informing a competent authority, and preventing further access.

10. Children's data

Uploadex is not directed to children under 16. Consistent with §9 of the DPDP Act, we do not knowingly process the personal data of a child without the verifiable consent of a parent or lawful guardian. If you believe a child has provided us personal data, please email [email protected] and we will promptly delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change, we will revise the "Last updated" date above and notify active accounts by email or in-product banner at least 14 days before it takes effect, unless a shorter notice is required by law.

12. Contact us

Data Fiduciary / Controller
Brixial Technologies Pvt Ltd
India
General privacy queries[email protected]
Grievance Officer (India)[email protected]
Company enquiries[email protected]

See also our Terms of Service, Acceptable Use Policy, and DMCA / Copyright pages.