Privacy Policy

Last updated: April 17, 2026 · Effective immediately

1. Introduction

Tri-Pro Administrators Ltd ("the Company", "we", "us") operates SecureSharings (https://securesharings.com), a secure file sharing platform. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR) and the Mauritius Data Protection Act 2017 (DPA).

We act as a Data Processor on behalf of your organization (the Data Controller) for files and documents uploaded to the Platform. For platform account data, we act as a Data Controller.

2. Data We Collect

2.1 Account Data (Data Controller)

Data Type	Purpose	Legal Basis
Full name	User identification, audit trail	Legitimate interest
Email address	Authentication, notifications	Contract performance
Password (bcrypt hash)	Account security	Contract performance
Role & organization	Access control	Contract performance
IP address	Security, audit logging	Legitimate interest
Login timestamps	Security monitoring	Legitimate interest

2.2 File Data (Data Processor)

Data Type	Purpose	Storage
Uploaded files	Secure file sharing	GCS Belgium, AES-256-GCM encrypted
File names	File identification	Supabase PostgreSQL
File size & type	UI display	Supabase PostgreSQL
Recipient emails	Download link delivery	Supabase PostgreSQL

2.3 Audit Data

We maintain comprehensive audit logs of all significant actions on the Platform, including logins, file uploads, downloads, approvals, and administrative changes. These logs include the actor's identity, IP address, timestamp, and a description of the action.

2.4 Data We Do NOT Collect

We do not use cookies for tracking or analytics
We do not use any third-party analytics services
We do not sell, rent, or share personal data with third parties for marketing
We do not access the content of your encrypted files

3. How We Protect Your Data

3.1 Encryption

Layer	Method	Standard
Files at rest	AES-256-GCM with unique IV per file	NIST SP 800-38D
Data in transit	TLS 1.3	IETF RFC 8446
Passwords	bcrypt (12 rounds, salted)	OWASP standard
Sessions	JWT with HS256, httpOnly cookies	RFC 7519

3.2 Access Controls

Multi-tenant data isolation — each organization's data is logically separated
Role-based access control with 4 permission levels
Account lockout after 5 failed login attempts (15-minute cooldown)
Strong password policy enforcement (10+ characters, complexity requirements)
Blocked file type uploads (.exe, .bat, .cmd, .sh, .ps1, etc.)

3.3 Infrastructure

File storage: Google Cloud Storage, europe-west1 (Belgium, EU)
Database: Supabase PostgreSQL (encrypted at rest)
Hosting: Firebase App Hosting / Google Cloud Run
Email: Resend SMTP (TLS encrypted)

4. Data Storage Location

All uploaded files are stored exclusively in Google Cloud Storage, europe-west1 (Belgium), within the European Union. This ensures compliance with GDPR data residency requirements.

Database records (metadata, user accounts) are stored in Supabase's managed PostgreSQL infrastructure.

5. Data Retention

Data Type	Retention Period	Deletion Method
Uploaded files	Until deleted by organization admin	Removed from GCS + DB metadata
Shared folder links	1–90 days (configurable)	Link expires automatically
User accounts	Until deactivated by admin	Account deactivation
Audit logs	Indefinite (compliance requirement)	Available upon request
Password reset tokens	1 hour	Automatically consumed or expired

Upon account or organization termination, all associated files will be permanently deleted from Google Cloud Storage within 30 days.

6. Your Rights

Under the GDPR and Mauritius DPA, you have the following rights:

Right of Access: Request a copy of personal data we hold about you
Right to Rectification: Request correction of inaccurate personal data
Right to Erasure: Request deletion of your personal data ("right to be forgotten")
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Restrict Processing: Request limitation of how we process your data
Right to Object: Object to processing based on legitimate interest
Right to Withdraw Consent: Where processing is based on consent

To exercise any of these rights, contact your organization administrator or email us at privacy@securesharings.com. We will respond within 30 days.

7. Third-Party Services

Provider	Service	Data Shared	GDPR Status
Google Cloud	File storage, hosting	Encrypted files	GDPR compliant
Supabase	Database	Account & file metadata	GDPR compliant
Resend	Email delivery	Recipient emails	GDPR compliant

We do not share your personal data with any other third parties. Encrypted file content is inaccessible to our infrastructure providers as encryption keys are managed separately.

8. Data Breach Notification

In the event of a personal data breach, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
Document the breach, its effects, and remedial actions taken
Cooperate with your organization (Data Controller) in breach investigations

9. Children's Privacy

SecureSharings is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to organization administrators via email. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

11. Contact & Data Protection Officer

Data Protection Contact

Tri-Pro Administrators Ltd

Email: privacy@securesharings.com

Website: https://securesharings.com

12. Supervisory Authority

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with:

Mauritius: Data Protection Office — https://dataprotection.govmu.org
EU: Your local Data Protection Authority (for EU-based users)