Note: The terms, policies, etc. outlined below are only applicable to the YeetFile service hosted on yeetfile.com, as well as the code as it exists in the repository (available on GitHub or SourceHut).

If you are not using yeetfile.com or hosting the service, these terms cannot be guaranteed.

Privacy Policy

Introduction

YeetFile is intentionally designed to protect user privacy as much as possible, while also retaining enough information to achieve its core functionality.

Email

Providing an email address is optional with YeetFile. If you do not wish to provide an email address, you can sign up and log in using an automatically generated account ID.

If you do provide an email address, it will be stored in the YeetFile database. This is never shared outside of YeetFile and is obscured in the account details view.

If you share files within your vault with other YeetFile users, they will see your account email beneath the file name as an indicator that you are the owner. Likewise, if another user shares content within their vault with you, they will see your email address in the list of users who have access to that content.

Stripe requires a billing email during checkout, but this is not used by YeetFile and does not need to be the same as your YeetFile email address. You can enter whatever email address you want during checkout.

Cookies

Cookies are used only to store essential session data, such as user idenfitifiers and session keys, to maintain secure user authentication and prevent unauthorized access. They are never used for tracking or advertising purposes in any way.

Cookies are:

  • Authenticated and encrypted with 32-byte keys
  • Marked as HttpOnly to prevent access by client-side scripts
  • Set with SameSite restrictions to prevent cross-site request forgery
  • Set with Secure to prevent interception during transmission

Each session is uniquely identified and validated against server-side data to ensure integrity.

Billing

YeetFile allows account upgrades to be purchased, with the option of checking out via Stripe or BTCPay.

Both payment platforms will record:

  • The type of upgrade being purchased
  • The payment ID of the YeetFile user (note: not the account ID).

Stripe additionally collects:

  • An email address
  • Can be any email address, does not need to be the YeetFile account email
  • The user's billing information (address, payment details, etc).

YeetFile only transmits the user's payment ID to the user's preferred payment platform. Successful payments are stored in the YeetFile database using the user's payment ID. This payment ID can be recycled at any time after payment from the user's account view to a new ID.

Note: Recycling your payment ID removes the ability to debug any payment issues with YeetFile, and should only be done after a payment has been confirmed and the upgrade has been added to your account.

YeetFile Features

Send

YeetFile Send does not create an association between a file uploaded to YeetFile Send and your account ID. This means that there is no true "ownership" of files uploaded to Send. Likewise, the link generated after succesfully uploading to Send is ephemeral and is irrecoverable once you have navigated away from the link.

File size is removed from the user's available YeetFile Send bandwidth upon uploading.

Records of sent files are removed from the database and the storage backend once the file's max downloads or time limit are reached.

Vault

All items stored in a user's password or file vault are encrypted before upload. The key used for encryption depends on where in the vault the files are uploaded:

  • If the file or folder is in the root level of the vault (not under a subfolder), it is encrypted using a randomly generated key that is encrypted with the user's public key, and can only be decrypted with the user's private key
  • If the file or folder is in a subfolder, it is encrypted using the folder's key, which requires a "key sequence" to decrypt (the keys required to decrypt all parent folder keys before the current one).

Files uploaded to the vault are associated with user IDs, since that is the only way to retrieve files for a specific user.

YeetFile never has access to unencrypted content, including the keys used for encrypting content.

Logging

YeetFile does not log any interactions that do not produce an error. Errors related to database queries, backend file retrieval, and other similar critical features that are required for general operation, are logged. These error logs typically contain information related to the specific action. For example, if a file lookup by ID to B2 fails, a log entry such as the following would appear:

Error: Failed to locate file in B2 with ID: 'abcdefg1234567'

Error logs such as these are needed for debugging any issues that users may encounter while using YeetFile.

IP Addresses

A BLAKE2b-256 checksum of the user's IP address and full endpoint path are temporarily stored for 30 seconds when accessing the following features:

  • Send (plaintext only)
  • Login
  • Signup
  • Account Verification
  • Password Hint Request

This is designed to prevent features that can be abused by anonymous users (sending plaintext) or are commonly subjected to brute force attempts (login, signup, etc). Your IP address is never stored in plaintext, and the checksum is only stored in memory. If within 30 seconds a number of requests is exceeded, the server will block these protected endpoints from being accessed by the blocked address until a cooldown period has expired.