MellySend

Privacy Policy

Last updated: April 2026

1. Who we are

MellySend is operated by Melly Labs, based in Rotterdam, the Netherlands. We are the data controller for your personal data under the General Data Protection Regulation (GDPR).

2. What data we collect

Account holders

  • Email address: used for authentication (magic link login), notifications, and account recovery
  • First and last name: optional, used for display purposes and invoicing
  • Company name: optional, used for business invoicing
  • Billing address, country, and VAT number: Pro subscribers only, required for VAT-compliant invoicing

File transfers

  • File metadata: file names, sizes, MIME types, and upload timestamps
  • File contents: encrypted at rest with AES-256 server-side encryption (SSE-C), automatically deleted after the applicable expiry period
  • Transfer metadata: optional title, message, and password (hashed with bcrypt)
  • Sender and recipient emails: stored when email notifications are used, added to your address book for convenience

Technical data

  • IP address: used for rate limiting and abuse prevention; hashed for download event analytics; not stored in raw form beyond the current request
  • Session tokens: stored in-memory cache, automatically expire after 30 days of inactivity
  • TOTP secrets: if you enable two-factor authentication, your TOTP secret is stored encrypted in our database

What we do NOT collect

  • No tracking cookies or analytics scripts
  • No third-party analytics (no Google Analytics, no Meta Pixel, no Hotjar)
  • No advertising identifiers or ad network pixels
  • No behavioral profiling or user tracking across sessions

3. Legal basis for processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) - account management, file storage and delivery, subscription management, email notifications
  • Legal obligation (Art. 6(1)(c)) - invoice retention (7 years, Dutch tax law), responding to law enforcement requests, DSA compliance
  • Legitimate interest (Art. 6(1)(f)) - rate limiting, abuse prevention, security monitoring, service improvement
  • Consent (Art. 6(1)(a)) - optional features such as address book contacts and email notifications to third-party recipients

4. Data storage and encryption

All data is stored exclusively in EU data centers. Application servers are hosted in Germany, France and the Netherlands. Uploaded files are stored in France (Paris region). No data is transferred outside the European Economic Area (EEA).

Server-side encryption: All files are automatically encrypted at rest using AES-256 (SSE-OMK). Encryption is transparent and applied to every file without exception.

End-to-end encryption (optional): When enabled, files are encrypted in your browser using AES-256-GCM before upload. The decryption key is included only in the URL fragment (hash), which is never sent to our servers. We have zero knowledge of the file contents or the encryption key.

Passwords: Transfer and vault share passwords are hashed with bcrypt before storage. We never store passwords in plaintext.

5. Data processors (subprocessors)

We use the following third-party data processors. All are based in the European Union:

ProcessorPurposeData processedLocation
Hetzner Online GmbHCloud hosting (application servers)All data (encrypted)Germany
OVHcloudObject storage (file storage)Uploaded files (encrypted at rest)France
Brevo (Sendinblue)Transactional email deliveryEmail addresses, email contentFrance
Mollie B.V.Payment processingBilling details, payment infoNetherlands

We do not share your personal data with any other third parties, advertisers, or data brokers. No data leaves the European Union.

If we add new subprocessors in the future, we will update this list and notify registered users by email.

6. Data retention

  • Anonymous transfers: automatically deleted after 48 hours
  • Free transfers: automatically deleted after 7 days
  • Pro vault files: stored until deleted by the user or until 30 days after account downgrade
  • Account data: retained until you delete your account, plus a 30-day grace period for data removal
  • Invoices: retained for 7 years as required by Dutch tax law (Algemene wet inzake rijksbelastingen)
  • Notifications: automatically cleaned after 90 days
  • Session data: automatically expires after 30 days of inactivity
  • Magic links: automatically expire and are deleted after 15 minutes

7. Your rights under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) - request a copy of the personal data we hold about you
  • Right to rectification (Art. 16) - correct inaccurate personal data
  • Right to erasure (Art. 17) - request deletion of your personal data (“right to be forgotten”)
  • Right to data portability (Art. 20) - receive your data in a structured, machine-readable format
  • Right to restrict processing (Art. 18) - limit how we use your data
  • Right to object (Art. 21) - object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) - withdraw consent at any time where processing is based on consent

To exercise any of these rights, email us at privacy@mellysend.com. We will respond within 30 days as required by GDPR.

You can delete your account and all associated data at any time from Settings → Security. This action is permanent and removes all your files, folders, transfers, and personal data.

You have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (AP).

8. Cookies

MellySend uses only strictly necessary cookies for the Service to function. We do not use any tracking, analytics, marketing, or advertising cookies.

CookiePurposeDurationType
mellysend_sessionAuthentication session30 daysStrictly necessary

This cookie is HttpOnly and Secure, meaning it cannot be accessed by JavaScript and is only transmitted over HTTPS. We also store your vault view mode in localStorage, which are not cookies and contain no personal data.

9. Data Processing Agreement (DPA)

Our Data Processing Agreement governs how we process personal data on your behalf under GDPR Article 28. By using MellySend, you accept the terms of the DPA. For questions or if you require a countersigned copy, contact us at privacy@mellysend.com.

10. International data transfers

We do not transfer personal data outside the European Economic Area (EEA). All infrastructure (servers, databases, object storage) and subprocessors are located in the EU. This means your data is protected by GDPR at all times, without the need for Standard Contractual Clauses (SCCs) or other transfer mechanisms.

11. Security measures

We implement the following measures to protect your data:

  • AES-256 encryption at rest for all uploaded files
  • HTTPS/TLS encryption for all data in transit
  • Passwords are hashed before storage (never stored in plaintext)
  • Two-factor authentication (TOTP) available for all accounts
  • Rate limiting and brute-force protection on sensitive endpoints
  • Regular dependency audits for known vulnerabilities

12. Children

MellySend is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@mellysend.com.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The “last updated” date at the top of this page indicates when this policy was last revised. The latest version is always available at this page.

14. Contact

For privacy-related questions, data requests, or to exercise your GDPR rights:

Supervisory authority: Autoriteit Persoonsgegevens, The Hague, the Netherlands.

© Melly Labs 2026

TermsPrivacyDPA

Rotterdam, NL