Privacy Policy
Effective July 11, 2026
This page explains what data uploads.sh collects when you use the website, the API, the open-source CLI, or the MCP server, and who we share it with. The service is operated by Build Internet.
What we collect
Website
The site does not run analytics scripts, does not use advertising trackers, and does not set cookies. The invitation page reads its one-time code from the URL fragment, which your browser never sends to a server.
Invitations
If an administrator invites you by email, your email address is used to deliver the invitation and to rate-limit invitation sending. It appears in short-lived operational logs but is not stored in the service's database, and we never use it for marketing. Invitation emails are sent through Cloudflare's email-sending service.
Workspaces and tokens
For each workspace we store its storage configuration and, for each access token:
- A hash of the token — we cannot recover the token itself.
- An optional label, the scopes granted, and creation, expiry, and revocation times.
Invitation codes are single-use, short-lived, and redeemed atomically; the service stores what it needs to validate and expire them, never the plaintext secrets.
Uploaded files
Files you upload are the product, not telemetry: they are stored with our storage provider (Cloudflare R2, or a bucket you bring yourself) and served from public URLs. We store each file's content, key, size, and content type. Anyone with a file's link can fetch it.
Request logs
API requests are logged with basic metadata — IP address, user agent, request path, response status, and timing — for operational and abuse-prevention purposes: diagnosing errors, detecting abuse, and enforcing rate limits. Logs are short-lived and are processed only by the infrastructure providers that host and route the service (chiefly Cloudflare).
CLI and MCP server
The CLI runs on your machine and stores its configuration (API URL, workspace, token) in a local config file. It sends no telemetry. When you use features that talk to third parties — for example attaching images to a GitHub pull request — the CLI uses your own credentials and talks to that service directly, under that service's privacy policy.
How we use data
- To store and serve the files you upload.
- To deliver invitations and authenticate workspace tokens.
- To enforce rate limits and prevent abuse.
- To diagnose errors and operate the service.
- To respond to your questions and takedown requests.
We do not sell data. We do not use any of it for advertising, and we do not build advertising or marketing profiles.
Service providers
- Cloudflare — hosts the API, MCP server, and website; stores the database and uploaded files (R2); and sends invitation email. Request metadata passes through Cloudflare as part of normal routing and logging.
- Your own storage — workspaces can bring their own bucket (for example an S3-compatible provider). Files in those workspaces are stored with the provider you chose, under its privacy policy.
Security practices
Traffic is served over HTTPS. Tokens are stored only as hashes and compared in constant time; invitation codes are single-use and expire automatically. Uploads are validated by content (size caps and a content-type allowlist checked against the actual bytes), and sensitive endpoints are rate-limited. Access to production systems is limited to maintainers.
Retention
- Uploaded files: kept until you delete them or a retention policy configured for your workspace removes them.
- Workspace and token records: kept while the workspace is active; tokens expire and can be revoked.
- Invitation codes: expire automatically (hours, not days) and are unusable after redemption.
- Request and delivery logs: short-lived, retained for operational purposes only.
Your rights
To delete your files, use the CLI or API. To delete a workspace and the records tied to it, or to ask what data we hold about you, email privacy@uploads.sh.
Changes
We may update this policy as the service changes. Material changes will be announced in the project's GitHub repository and reflected in the effective date above.
Contact
- Privacy questions — privacy@uploads.sh
- Takedowns and abuse — abuse@uploads.sh
- Security reports — security@uploads.sh
Revision history
- July 11, 2026 — Initial version published.