Last updated: 26 May 2026
FileFish is operated by Squared Lemon, registered in the Netherlands. We are the data controller for the personal data described in this policy.
FileFish collects the minimum data needed to run the service:
Senders and recipients do not need an account. FileFish does not ask you for a password.
We use your data to:
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not read your files, and we do not use your files for anything other than delivering them via the access code.
FileFish does not use cookies for analytics or advertising. We do not track you across other websites.
The only cookies set by FileFish are strictly functional session cookies (filefish_session and XSRF-TOKEN). These are required for the site to work and are not used for tracking.
We use Fathom Analytics for anonymous, aggregate website statistics. Fathom does not use cookies, does not collect personal data, and is fully GDPR-compliant. No cookie banner is required.
Disclosure: the Fathom link above is a referral link. If you sign up after clicking it, we receive a small discount on our own Fathom plan. It does not change the price you pay.
FileFish uses the following services to operate:
Each service operates under its own privacy policy. We select services that align with EU data protection standards.
Your files are stored on infrastructure in the European Union. FileFish itself runs on EU-based servers. Database records (sender details, message metadata, access codes) live on the same EU infrastructure.
Limited operational metadata may transit through non-EU infrastructure operated by our email provider. These transfers are covered by Standard Contractual Clauses and other appropriate safeguards under GDPR Article 46.
Files. Access codes expire one hour after we generate them. File binaries are deleted from storage within roughly one hour after code expiry. The post-expiry window is intentional: it lets senders postpone expiry from a one-time signed link we email shortly before the code expires. If a sender postpones, the file persists for the extended validity period plus the same post-expiry deletion window.
Sender records. Your email address and the name from your From: header are kept while you remain active. If twelve months pass without you sending a new message, we anonymize these fields. The email subject and body, and the raw inbound email payload, are cleared within roughly 48 hours after the access code expires. You can request earlier deletion at any time (see "Your rights" below).
Access code and download activity. Records of which codes were generated and when files were downloaded are kept for operational and abuse-detection purposes.
Under GDPR, you have the right to:
To exercise any of these rights, email us at squeeze@squaredlemon.com. We will respond within 30 days.
We may update this policy from time to time. The "last updated" date at the top reflects the most recent revision.
Privacy questions? Reach us at squeeze@squaredlemon.com.
2026 © FileFish
with
by sticky.software