Privacy
Last updated: 26 May 2026 · reviewed 27 May 2026
Shotdrive is end-to-end encrypted file delivery for photographers and videographers. This page describes what we actually store, what we cannot see, and which third parties touch your data. For data subject requests (access, export, deletion) email support@shotdrive.io; for security disclosures, security@shotdrive.io.
What Shotdrive cannot see
For galleries created in end-to-end encrypted (E2EE) mode, which is the default, the following never leave your browser unencrypted:
- The contents of every file (encrypted with AES-256-GCM in chunks before upload).
- The decryption key. It lives in the share-link fragment after #key=, and browsers never include the fragment in the requests they send, so opening a link does not deliver the key to our servers. One caveat: if you have us email a share link, the full link including that fragment is handed to our email provider (see Brevo under sub-processors below).
- Filenames, gallery titles, descriptions, branding names, watermark configuration, viewer comments, and client interactions (hearts, star ratings, flag colours, approval state). Each is encrypted with a per-field subkey derived from your gallery key.
- Thumbnails, which are generated in your browser, encrypted, stored as ciphertext in object storage, and decrypted only in the recipient's or owner's browser. EXIF metadata (GPS coordinates, camera serial numbers) is stripped client-side before the thumbnail is generated, so the thumbnail never carries it, even in ciphertext.
Concretely: a breach that reads our D1 tables would expose ciphertext for the items above, not plaintext. Recovering the contents would require the per-gallery key, which the browser never sends us.
What Shotdrive does see
Some fields stay plaintext server-side because they are needed to deliver, bill, and protect the service:
- The fact that a gallery exists (its public token, expiry, view and download counts).
- File sizes, ciphertext sizes, and MIME types, used for storage accounting and to set Content-Type on download.
- Account email and your Supabase user identifier, used to authenticate you and list your galleries.
- Polar customer ID, plan tier, and billing email, used to honour your subscription.
- For anonymous (logged-out) uploads, the uploader's IP address is recorded short-term for abuse and rate-limit enforcement, then cleared automatically after 30 days. Authenticated uploads do not store the uploader's IP.
- For each individual file download we record the visitor's IP address and user-agent in a download_log table, retained for up to 90 days. This is used for download counts, abuse investigation, and chargeback evidence. Rows older than 90 days are deleted by a scheduled job.
- Standard request logs (route, status code, latency, country) without payloads or filenames. Any accidental leakage of personal data into logs is treated as an incident.
Boundaries — what we deliberately keep server-readable
We use Pragmatic E2EE: file content and content-bearing metadata are end-to-end encrypted; workflow metadata is server-readable under three named carve-outs. Adding a fourth requires explicit sign-off and a public update to this page.
- Carve-out 1 — Workspace branding. Your studio name, logo, primary and accent colours, font choice, and any custom domain are stored plaintext server-side. They have to be — the recipient needs to see your brand chrome before they have the URL fragment key to decrypt anything. Branding is your public identity, not your work.
- Carve-out 2 — Bundle shape metadata. The gallery's kind (delivery, press, music, production stills, visual), its file count, total ciphertext size, creation and expiry timestamps, and the list of recipients you shared with. We need these to power your inbox, the dashboard sort/filter, expiry sweeps, plan-limit enforcement, and aggregate analytics. None of them reveal what's in the gallery.
- Carve-out 3 — Optional "Press mode" per gallery. Off by default. When you turn it on for an individual gallery, the gallery title and the cover image become plaintext server-side so Twitter, LinkedIn, iMessage, and other link-preview services can render a branded share card. The editor shows a "🔓 Public" badge on press-mode galleries so you always see the trade. The full content of files remains end-to-end encrypted regardless. We make this a per-gallery opt-in (never a tier upgrade, never a silent downgrade) because the only reason to disable title-encryption is when you want the title to be publicly visible.
- Studio mode. A separate explicit opt-in for features that fundamentally require server-side plaintext access: server-streamed video, adaptive-bitrate playback, server-side ZIP packaging, server-side video thumbnails, content virus scanning. None of these features is currently shipped. When they ship, each will be a clearly labelled per-gallery opt-in.
Where your data lives
Shotdrive runs on Cloudflare — Workers (compute), R2 (object storage), D1 (database), KV (rate-limit counters), Queues (download log batching). Data is processed across Cloudflare's global edge network. Sub-processors:
- Cloudflare — infrastructure (Workers, R2, D1, Pages).
- Supabase (Supabase Inc., AWS eu-central-1 Frankfurt) — authentication and account database. Sees your email and an opaque user identifier.
- Polar (Polar Software Inc., merchant of record) — billing. Sees your email and the plan you bought; Polar's downstream payment processor sees the payment instrument. Neither sees gallery contents.
- Brevo (Sendinblue SA, France) — transactional email (share links, expiry notices). Sees the recipient email and the full gallery share link, including its #key= fragment; an emailed link therefore carries the gallery's decryption key through Brevo and into the recipient's mailbox. EU data centres.
- Sentry — error monitoring. Configured to drop PII before send; if any leaks through, report it as a security issue.
- Betterstack — uptime monitoring for our public status page at status.shotdrive.io. Sees only HTTP response codes from our public endpoints; never your data.
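The "drop PII before send" configuration for Sentry and the rule that personal data in logs is an incident can be combined in one hook. The example below is added here and is not Shotdrive's configuration; it is a beforeSend function of the shape the Sentry browser SDK accepts, written as pure functions so it runs offline. The PII field list, the constructed sample event and the double-encoding fallback are assumptions. The behaviour it guards against is real: the browser SDK records the full page URL, fragment included, in the event and in navigation breadcrumbs, so the #key= value would reach the error-monitoring vendor unless something strips it first.

```javascript
// Added example, not Shotdrive's configuration: a beforeSend hook for the Sentry browser SDK
// (Sentry.init({ beforeSend })). The event shape and the PII field names are assumptions; the
// fragment pattern matches the #key= share-link format described on this page.

// Matches "#key=<base64url>" literally and percent-encoded ("%23key%3D..."), since the key can
// surface URL-encoded inside a query parameter of a fetch breadcrumb or a referrer.
const KEY_FRAGMENT = /(#|%23)key(=|%3D)[A-Za-z0-9_-]+/gi;

// Object keys dropped wherever they occur in the event (matched case-insensitively).
const PII_FIELDS = new Set(['ip_address', 'email', 'username', 'cookie', 'cookies', 'authorization']);

// Last-line check after scrubbing: "key" followed by '=', '%3D' or '%253D' and 16+ base64url
// characters. Deliberately broad; a false positive only costs one dropped error event.
const RESIDUAL_KEY = /key(?:=|%3D|%253D)[A-Za-z0-9_-]{16,}/i;

function redactKeyFragments(s) {
  return s.replace(KEY_FRAGMENT, '$1key$2[redacted]');
}

// Walk the whole event (plain JSON-like data): redact key fragments in every string and drop
// PII-named fields at any depth. Returns a new object; the input is left untouched.
function scrub(value) {
  if (typeof value === 'string') return redactKeyFragments(value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!PII_FIELDS.has(k.toLowerCase())) out[k] = scrub(v);
    }
    return out;
  }
  return value;
}

function stillContainsKey(value) {
  if (typeof value === 'string') return RESIDUAL_KEY.test(value);
  if (Array.isArray(value)) return value.some(stillContainsKey);
  if (value !== null && typeof value === 'object') return Object.values(value).some(stillContainsKey);
  return false;
}

// The hook. If key material survives scrubbing (an encoding the regex did not anticipate), the
// event is replaced by a marker with no payload, so the leak is visible without shipping the key.
function beforeSend(event) {
  const clean = scrub(event);
  if (stillContainsKey(clean)) {
    return {
      level: 'error',
      message: 'beforeSend: dropped event containing share-link key material',
      tags: { privacy_incident: 'key_leak' },
      fingerprint: ['privacy-key-leak'],
    };
  }
  return clean;
}

// Browser-side wiring (assumed; not invoked here). sendDefaultPii: false stops the SDK from
// attaching the client IP itself; beforeSend handles what the SDK captured anyway.
function initMonitoring(Sentry, dsn) {
  Sentry.init({ dsn, sendDefaultPii: false, beforeSend });
}

// Constructed sample event in the SDK's shape (not a real capture).
const SAMPLE_EVENT = {
  message: 'Failed to fetch https://shotdrive.example/g/abc123#key=QUJDREVGR0hJSktMTU5PUA',
  request: {
    url: 'https://shotdrive.example/g/abc123#key=QUJDREVGR0hJSktMTU5PUA',
    headers: { Cookie: 'sid=1', 'User-Agent': 'Mozilla/5.0' },
  },
  user: { id: 'u_42', ip_address: '203.0.113.5', email: 'client@example.invalid' },
  breadcrumbs: [
    { category: 'navigation', data: { from: '/', to: '/g/abc123#key=QUJDREVGR0hJSktMTU5PUA' } },
    { category: 'fetch', data: { url: 'https://shotdrive.example/api?ref=%2Fg%2Fabc123%23key%3DQUJDREVGR0hJSktMTU5PUA' } },
  ],
};
```

Scrubbing at send time covers breadcrumbs as well as the top-level request, which matters because the navigation breadcrumb is recorded long before the error that eventually ships it.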
Retention
Galleries expire on the schedule the owner sets (default 14 days). At expiry, ciphertext is removed from object storage and database rows are deactivated. Account-level data persists until you request deletion. Backups follow the same expiry boundary.
When you delete your account
The "Delete my account" button on your profile performs the following cascade. We've written it down so you know exactly what to expect.
- Immediately — your user record is anonymized in our database (your e-mail is replaced, your name is cleared, a deletion timestamp is set). Subsequent sign-ins with the same identity provider cannot un-delete the row.
- Immediately — every gallery and transfer you own is marked as deleted. Recipients can no longer access your share links.
- Immediately — your vault keys are hard-deleted. Nothing we hold can then be used to decrypt your gallery titles, court order or not.
- Within 30 days — encrypted file ciphertext is hard-deleted from object storage by a scheduled retention job, well within the GDPR Article 12(3) one-month response window.
- You cancel separately — Polar subscriptions; our servers deliberately do not hold the Polar API credentials that would let us cancel on your behalf. The deletion flow links you to your Polar customer portal in one click.
- You request separately — Supabase sign-in identity deletion. Email support@shotdrive.io after cancelling in Polar; we process within 30 days as required.
Polar transaction records are retained for as long as tax and financial-records law requires (typically 7 to 10 years); GDPR Article 17(3)(b) exempts such legally mandated records from erasure. Personal references in those records are minimised at deletion time.
Your rights
Under GDPR you have rights of access, rectification, erasure, restriction, portability, and objection. Email support@shotdrive.io with your request and we'll respond within 30 days. A formal Data Processing Agreement is available at /legal/dpa.
Verifying these claims
"Trust us" is not a security argument. The cryptographic implementation lives in the public source tree under apps/shotdrive/src/lib/crypto/. If you find a way to read content we say is encrypted, or a metadata field we list as ciphertext leaking in plaintext, please write to security@shotdrive.io; there is a coordinated-disclosure programme and an active bug-bounty pool.
Contact
Privacy: support@shotdrive.io
Security: security@shotdrive.io
