Skip to main content
byosportal
← Home

Privacy Policy

How byosportal processes data on your behalf.

Version 1.0, effective 1 June 2026.

What we store

  • Account. Your email address and your subscription state. Sign-in credentials are managed entirely by Hanko — we never store them.
  • Storage credentials. The credentials you provide for your own AWS S3 / Google Cloud Storage / Azure Blob buckets are encrypted with AES-256-GCM before they hit our database, and decrypted only in memory while a request is in flight. We never log them.
  • Share links and downloads. We store the file path, the cached file name and size, the link's expiry and the bcrypt hash of its password (when the link is password-protected), and a count of downloads. For each download we keep an audit row with a one-way SHA-256 hash of the downloader's IP, their User-Agent header, and a success / failure flag. On Pro and Business plans the audit row also stores the approximate region — the country — derived from that IP; on Free it is left empty. There is no plaintext IP, no email address, and no name.

How we process data

  • Bytes never travel through our servers. When a client downloads one of your share links, we mint a short-lived pre-signed URL pointing at your own bucket and redirect the browser straight there. The file itself moves from your storage provider to your client — we don't see it.
  • Country derivation and email notifications. On each public download and upload on a paid plan we process the accessor's IP address in memory to derive an approximate region — the country only — and store that country on the access record; upload receipts persist the same field. The IP itself is never written to durable storage or logs. That country is displayed only on Business-tier delivery receipts and activity, and Business customers can additionally enable an email when one of their share links is downloaded. Geolocation data provided by DB-IP under the CC-BY 4.0 license.
  • Email reachability. Notification emails are sent through a transactional provider; the address used is the one on your account. There's a one-click unsubscribe link on every email and a toggle at /settings/notifications. Either route silences the emails; your share links keep working unchanged.

Retention

Audit rows are retained per your plan: 7 days on Free, 30 days on Pro, 365 days on Business. Terminated share links (revoked, expired, or download-cap exhausted) are purged 30 days after termination. Account deletion permanently removes every row associated with your user, including audit history.

Contact

Questions about this policy or about a specific data flow? Reply to any byosportal email or write to us at privacy@byosportal.dev. The terms that govern how we process this data are set out in our Data Processing Agreement, and your use of byosportal is governed by our Terms of Service.