Privacy Policy
Last updated: March 31, 2026
FatCat Inc. ("FatCat", "we", "us") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and your rights.
1. Data Controller
FatCat Inc.
Contact: Send a privacy request →
2. What Data We Collect
We collect the minimum data necessary to provide the service:
- Account data: Email address, hashed password, display name
- Usage data: File names, file sizes, upload timestamps, transfer status
- Technical data: IP address (for rate limiting and security), browser/OS type
- Payment data: Processed by Stripe — we never store card numbers
We do NOT collect: File contents, tracking cookies, advertising identifiers, or location data.
3. Legal Basis (GDPR Art. 6)
- Contract performance: Account creation, file transfers, support
- Legitimate interest: Security monitoring, fraud prevention, service improvements
- Consent: Marketing emails (opt-in only)
4. How We Use Your Data
- Authenticate you and manage your account
- Process file uploads and generate download links
- Send transactional emails (upload confirmations, password resets)
- Monitor for abuse and security incidents
- Improve the service based on aggregated, anonymized usage data
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Uploaded files: Automatically deleted after the expiration period you set (7-30 days). BYOB files are managed by you.
- Server logs: Retained for 90 days for security purposes.
6. Sub-Processors
We use the following third-party services to operate FatCat:
| Provider | Purpose | Location |
| --- | --- | --- |
| Cloudflare (R2) | File storage, CDN, DNS | Global (EU endpoints available) |
| Supabase | Authentication, database | EU (Frankfurt) |
| Vercel | API hosting, web delivery | Global |
| AWS SES | Transactional email | EU (Ireland) |
| Stripe | Payment processing | EU/US |
7. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your account and associated data ("right to be forgotten")
- Export your data in a machine-readable format (portability)
- Object to processing based on legitimate interest
- Restrict processing in certain circumstances
To exercise any of these rights, submit a privacy request. We will respond within 30 days.
8. Data Processing Agreement (DPA)
Enterprise customers can request a signed DPA covering EU Standard Contractual Clauses (SCCs). Contact our sales team.
9. International Transfers
Some of our sub-processors operate outside the EU. Where this occurs, transfers are protected by:
- EU Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework (where applicable)
- Provider-specific compliance certifications (SOC 2, ISO 27001)
10. Cookies
FatCat uses only essential cookies required for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising pixels. No cookie consent banner is required.
11. Children's Privacy
FatCat is not intended for use by children under 16. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to active account holders. The "Last updated" date will always reflect the most recent revision.
13. Contact
For any privacy-related questions:
Submit a privacy request →