Privacy Policy
This document describes how SOFTWARE ENGINEERING S.R.L. processes personal data of users who interact with the sftpgo.com website or with our SaaS Services and licensed software. By visiting the website, subscribing to our Services, or purchasing our products, you acknowledge the practices described in this Privacy Policy.
Data Controller and Processor
The Data Controller for personal data processed in connection with this Website, our SaaS Services, and our SFTPGo Enterprise licensed software is SOFTWARE ENGINEERING S.R.L. - VAT ID: IT13223470967, based in Via Tommaseo, 4 - 20090, Cesano Boscone (MI), Italy - support@sftpgo.com.
This Privacy Policy describes how we process personal data as a Controller — for example, in relation to website visitors, SaaS Service subscribers, and SFTPGo Enterprise license holders.
When you use our SaaS Services, you act as the data controller in respect of any personal data contained in the files and other content you upload, transfer, or store through your instance(s) ("User Content"), and we act as your data processor within the meaning of Article 28 GDPR. The terms governing this processing — including, where applicable, the Standard Contractual Clauses for international data transfers — are set out in our Data Processing Agreement, which is available on request by contacting support@sftpgo.com.
What We Collect
The Website automatically collects certain details about Website users ("You"), such as the date and duration of your visit, the IP address used to connect to this Website, the operating system in use, and the pages and resources viewed.
The purpose and legal basis for processing Website users' data is the legitimate interest of the Data Controller to manage and ensure the security of this Website.
The Data Controller has carried out a legitimate interest assessment to evaluate the nature and scope of such interest, confirming that it is current, lawful and necessary for the pursued purpose. The process does not override or compromise the rights or legitimate interest of data subjects.
Collection of this navigation data occurs automatically and is necessary to allow you to navigate this Website.
Navigation data is stored for no more than 1 year, unless further retention is required to comply with a legal obligation. Where we use this data in aggregate and anonymised form (so that it can no longer be attributed to an identifiable person), we may retain it for statistical purposes; in that form, the data falls outside the scope of data protection law.
No Tracking or Passive Profiling
Beyond the navigation data described above, we do not passively collect personal data from website visitors — for example, through tracking cookies, analytics services, advertising pixels, or device fingerprinting. Where you actively provide personal data (for example, by making a purchase, subscribing to our SaaS Services, activating an SFTPGo Enterprise license, or contacting us by email), the processing is described in the sections below.
Children
Our Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe that a child has provided us with personal data, please contact us at support@sftpgo.com and we will take steps to delete it.
How we share your personal information
User Content — the files and other content you upload, transfer, or store through your SaaS instance(s) — is hosted in the geographic location that you select when you subscribe to the SaaS Services. We currently offer datacenters in Europe, North America, Asia, Oceania, and South America. You remain responsible (as data controller in respect of any personal data contained in your User Content) for choosing a location that meets your own legal and operational requirements, including any cross-border transfer obligations that apply to you.
Other personal data (for example, billing and tax records, business correspondence, and license activation data for SFTPGo Enterprise) is processed by service providers acting on our instructions under written processing agreements (Article 28 GDPR). The list of subprocessors used in connection with the SaaS Services is provided in our Data Processing Agreement, made available to subscribers on request. Some of these service providers are established in the United States; transfers to those providers take place under the EU-US Data Privacy Framework where the recipient is certified, or under the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
Our employees may become aware of your personal data in the performance of their duties, under appropriate confidentiality obligations.
Purchases
All purchases made through the Website are processed by a third-party payment processor, Paddle (paddle.com), acting as the Merchant of Record. Paddle may ask you for personal and/or non-personal information necessary to complete the transaction, such as your name, email address, billing address, tax identification number, and credit card or payment information. Paddle's collection and use of this data are governed by their own Privacy Policy.
Paddle provides us with transaction-related information to facilitate the performance of our contract with you, provide support, and ensure tax compliance. This information may include your name, contact details, billing address, and purchase details (such as date, amount, and product purchased). We may also have access to partial payment information (such as the last four digits of your card), but we never have access to your full credit card details or sensitive payment credentials.
Any questions or concerns about Paddle's data practices should be directed to Paddle. To manage your subscriptions, you will be redirected to a portal managed by Paddle.
SaaS offerings
We do not access or use your content for any purpose without your consent. We never use your content or derive information from it for marketing or advertising.
We do not disclose customer information unless we're required to do so to comply with a legally valid and binding order. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of our products or services, we notify customers before disclosing content information.
For our SaaS Services, we log connection events — the connecting IP address and the SFTPGo username used to authenticate (the username is set by the account administrator and is not necessarily an email address) — and file-system activity (file upload, download, rename, and deletion). These logs, together with our application logs, are retained for six (6) months for security, audit, and support purposes.
Upon voluntary termination of your Subscription, your User Content is permanently deleted at the end of the then-current Billing Cycle, unless we are required by law to retain it for a longer period. Where your Services are suspended for unresolved overage or for non-payment, your data is preserved during the applicable suspension period (up to ten (10) days for overage, up to twenty-one (21) days for non-payment) to allow you to resolve the issue or export your data, after which it is permanently deleted. Further detail is set out in our Terms of Service.
Security incidents. If we become aware of a personal data breach that affects User Content or other personal data we process on behalf of a subscriber, we will notify the affected subscriber without undue delay and in any event within seventy-two (72) hours of becoming aware, and provide the information reasonably required to meet the subscriber's own notification obligations under applicable data protection laws. The detailed procedure is set out in our Data Processing Agreement.
Data Collection and Purpose for SFTPGo Enterprise
As part of the license activation process, you are required to provide a license key to use SFTPGo Enterprise. In connection with both the activation and license verification processes, certain technical information about your use of the software may be collected, used, stored, and transmitted.
The information collected may include:
- your license key;
- the IP address of the connection;
- technical information about your installation (such as software version and operating system) and the number of configured users and plugins.
This "Collected Data" is used to:
- Ensure the proper functioning and security of the software.
- Facilitate license compliance verification.
- Provide software updates, support, and improvements.
- Verify compliance with the limits of your license (for example, that the license is used within the number of installations covered by your purchase).
The processing of this data is necessary for the performance of the licensing agreement and the provision of the software services, forming a lawful basis for data collection under applicable data protection laws.
Collected Data is handled with strict confidentiality and protected using appropriate technical and organizational measures against unauthorized access, disclosure, alteration, or destruction.
Options to limit or disable this data collection may be available as part of your commercial agreement. Contact support@sftpgo.com for details.
Your license key is linked in our systems to the email address you provided when the license was issued. The information received during license validation is therefore personal data under applicable data protection laws, processed only for the purposes set out above. We do not receive usernames of your end-users, file contents, hardware identifiers, hostnames, or local network details from your installation.
Cookie Policy
A cookie is a small file made of numbers and letters that is saved on your computer. You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer.
This Website does not use first-party cookies for tracking or advertising. We do not track your browsing behavior nor do we use proprietary cookies for site functionality, except for a strictly technical local storage key used solely to remember your cookie preference (so you don't see the banner again). This preference is stored locally in your browser and persists until you clear your browser's site data; no expiration date is set.
Specifically: This website integrates Paddle's scripts to facilitate payments and subscription billing.
Functionality and data retention are governed by Paddle's policies.
For detailed information regarding Paddle's cookies and data processing, please refer to their Privacy Policy and their specific Cookie Policy.
Links to other websites
Our Website contains links to other websites that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware when you leave our Website and to read the privacy statements of each and every website that may collect Personal Information.
In particular, as noted above, purchases made through the Website are handled by Paddle and all such transactions, including any Personal Information or non-personal information collected by Paddle, are under the control of Paddle. We encourage purchasers to read Paddle's Checkout Buyer Terms available at paddle.com/legal/checkout-buyer-terms.
Email Communication
If you have provided us with an email address, we may communicate with you to provide our Services and may send you notifications about new releases or important fixes. You may opt out of such non-transactional communications at any time by simply replying to any of our emails stating that you no longer wish to receive them, or by contacting us at support@sftpgo.com. Essential communications related to your account, billing, security, or legal obligations cannot be opted out of while you hold an active Subscription or license.
User Rights
In accordance with Articles 7, 13, 15, 16, 17, 18, 19, 20, 21, 22 of Regulation (EU) 2016/679, you can exercise the following rights at any time by contacting the Data Controller at support@sftpgo.com:
- the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed;
- the right to obtain access to your personal data;
- the right to request from the Controller rectification or erasure of your personal data;
- the right to request from the Controller restriction of processing of your personal data;
- the right to object to the processing of your personal data;
- the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (data portability);
- Furthermore, if you believe that your rights have not been respected, you can file a complaint with the competent Supervisory Authority.
Data Security and Compliance
Protecting personal and corporate information is a top priority for us. To ensure the highest standards in the management, processing, and safeguarding of data, our company is certified according to the international standard ISO/IEC 27001:2022.
This certification demonstrates that we implement an Information Security Management System (ISMS) aligned with globally recognized best practices, ensuring the confidentiality, integrity, and availability of all processed data.
If you'd like to receive a copy of our ISO/IEC 27001:2022 certificate, feel free to contact us.