Riftrriftr
Dashboard

Riftr Privacy Policy

Effective: March 2026

riftr is a temporary encrypted file sharing service. You drop files, receive a secure share link, and send that link to the recipient. Files auto-expire after a period you choose (between 30 minutes and 7 days, depending on your account tier). This policy explains exactly what data we collect, how it is handled, and what third-party services are involved.

1. Data We Collect

All users

  • Uploaded files and metadata — file name, type, size, extension, and dimensions (where applicable).
  • Expiry preference — the duration you select for a room.
  • IP addresses — stored temporarily in two contexts:
    • In the database for OTP brute-force protection. Deleted automatically when the room expires.
    • In Redis for rate limiting. Entries have a maximum TTL of 1 hour and are not persisted beyond that.

Authenticated users (via Clerk)

  • Email address, display name, and profile image provided during sign-up or OAuth.
  • Session information managed by Clerk.

Email sharing (optional)

  • If you choose to share a room via email, the recipient's email address is collected and passed to our email delivery provider (Resend) to send the notification. It is not stored beyond what is necessary to deliver that message.

Anonymous users

If you use riftr without signing in, no account data is collected. Only the file metadata, expiry preference, and IP address (as described above) are stored.

2. Encryption — What We Actually Do

We want to be precise here because encryption claims are often overstated.

Password-protected rooms

Files are encrypted client-side in your browser using AES-256-GCM before they are uploaded. The room key needed to unwrap file keys lives in the share link fragment and is not sent to the server. Password protection is a separate access-control layer: recipients need both the full share link and the password to open the room.

Unprotected rooms

Files are still encrypted client-side before upload. Anyone with the full share link can access the room and decrypt the files.

In transit

All data is transmitted over HTTPS/TLS.

3. Third-Party Services

riftr relies on the following third-party services. Each receives data as described:

  • Clerk — authentication. Receives your email address, name, OAuth profile data, and session information when you sign in or create an account. Clerk Privacy Policy
  • Cloudflare R2 — file storage. All uploaded files are stored on Cloudflare's object storage infrastructure. Cloudflare Privacy Policy
  • Upstash Redis — rate limiting. IP addresses and user identifiers are stored temporarily (max 1-hour TTL) to enforce rate limits. Upstash Privacy Policy
  • Vercel — hosting and deployment. Vercel processes requests and serves the application. Vercel Privacy Policy
  • Vercel Analytics — page view analytics. Collects page URLs, browser type, and device information. No personally identifiable information is linked to these events by the application.
  • Vercel Speed Insights — performance monitoring. Collects Core Web Vitals and related performance metrics.
  • Resend — transactional email. Used only when you choose to share a room via email. The recipient's address is passed to Resend to deliver the notification. Resend Privacy Policy

4. Cookies

riftr sets the following cookies:

  • room_{hash}_verified — set after a successful OTP verification for a password-protected room. Flags that you have already verified access so you are not prompted again. Attributes: httpOnly, secure, sameSite=strict, 24-hour max age.
  • Clerk session cookies — set by Clerk to maintain your authenticated session when you are signed in.

The application itself does not set any tracking or advertising cookies.

5. Data Retention

  • Files are deleted from Cloudflare R2 when the room expires. Deletion is triggered by an automated cleanup process.
  • Database records associated with a room are cascade-deleted when the room is removed.
  • IP addresses stored for OTP brute-force protection are deleted with the room. IP-based rate-limit entries in Redis expire within 1 hour.
  • No application-level backups are created. Infrastructure providers (Cloudflare, Vercel, Upstash) may maintain their own redundancy and backup systems as part of their standard operations.

6. User Rights & Limitations

We want to be honest about what you can and cannot do with your data on riftr:

What you can do

  • Authenticated users can view their rooms on the dashboard for as long as those rooms exist.
  • You can contact us using the contact information on the website with any data concerns, and we will respond in good faith.

What you cannot currently do

  • Delete files before expiry — there is no UI or API to delete a room or its files before the expiry time elapses.
  • Export your data — there is no data export feature.
  • Revoke sharing permissions — once a room is created and a code is shared, access cannot be revoked before expiry.

7. Content Monitoring

riftr does not scan, inspect, or moderate uploaded files. There is no virus detection, content filtering, or automated review of file contents. You are responsible for ensuring that what you upload complies with applicable laws and does not infringe on third-party rights.

8. Content Ownership

You retain full ownership of the files you upload. riftr claims no rights to your content beyond what is necessary to operate the service (storing and serving files during the active room period). We reserve the right to remove content in response to valid legal requests.

9. Changes to This Policy

If this policy changes materially, the effective date at the top of this page will be updated. We encourage you to review this page periodically.

Questions about this policy? Use the contact information on the website.