Privacy policy

Last updated: 8 May 2026

This policy explains what data Sendly (“we”, “us”) collects when you use sendlycloud.com, why we collect it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Who we are

Sendly is operated as a sole-trader file-transfer service. The data controller is Sendly, contactable at hello@sendlycloud.com.

2. What we collect

  • Files you upload — file contents, names, sizes and MIME types.
  • Transfer metadata — sender email (if provided), recipient emails (if provided), an optional message, expiry date, transfer ID.
  • Account data (only if you sign up) — your email address, a hashed password, Stripe customer ID and subscription status.
  • Technical data — IP address, user agent, and basic request logs needed to operate the service and prevent abuse.

3. Why we process it (lawful basis)

  • To deliver the service you asked for — storing your files, sending the recipient an email link, and providing the download page (Art. 6(1)(b) GDPR — performance of contract).
  • To bill you — if you take a Pro subscription (Art. 6(1)(b)).
  • To keep the service running and secure — abuse prevention, rate-limiting, debugging (Art. 6(1)(f) — legitimate interests).
  • To comply with the law — for example tax records (Art. 6(1)(c)).

4. How long we keep it

  • Uploaded files — deleted at the transfer's expiry date (7 days on the free plan, up to 30 days on Pro). After expiry the storage objects are removed and the database row is purged by an automated daily job.
  • Email addresses on a transfer — kept until the transfer expires, then deleted with the rest of the transfer.
  • Account data — kept while your account is active and for up to 30 days after deletion, then erased.
  • Billing records — retained for the period required by tax law in the relevant jurisdiction (typically 6–10 years).
  • Suppression list — email addresses that have unsubscribed or hard-bounced are kept indefinitely so we don't email them again.

5. Sub-processors

We share the minimum necessary data with the following providers, each bound by a Data Processing Agreement:

  • Supabase (PostgreSQL database, authentication, object storage) — EU region.
  • Cloudflare (application hosting and edge delivery).
  • Resend (transactional email delivery).
  • Stripe (payment processing for Pro subscriptions).

6. International transfers

Where a sub-processor processes data outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum to ensure an equivalent level of protection.

7. Your rights

You have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • request erasure (“right to be forgotten”);
  • restrict or object to processing;
  • request data portability;
  • lodge a complaint with your local supervisory authority (e.g. the Irish DPC, the UK ICO).

To exercise any of these rights, email hello@sendlycloud.com. We respond within one month.

8. Cookies

Sendly uses only strictly necessary cookies for authentication and CSRF protection. We do not use third-party advertising or analytics cookies. If we add analytics in future, we will update this page and ask for consent first.

9. Changes

We may update this policy. Material changes will be announced on this page with a new “Last updated” date.