Privacy Policy

Last updated: April 17, 2026

This privacy policy describes how personal data is processed for users of the AvaTransfer service (the "Service"), in compliance with EU Regulation 2016/679 ("GDPR").

1. Data controller

The Data Controller is:

  • Name: Available Srl
  • Registered office: Via Cosmo Cosmi 4
  • VAT ID: 02813650351
  • Privacy contact email: privacy@avatransfer.com

2. Data collected

2.1 Data provided voluntarily by the user

  • Account registration: first name, last name, email, password (stored encrypted)
  • Google OAuth login (optional): email, name, profile picture
  • Transfer creation: sender name/email (if provided), recipient emails, attached message, uploaded files

2.2 Data collected automatically

  • Technical data: IP address, User-Agent, access logs, upload/download logs
  • File metadata: filename, size, MIME type, SHA-256 hash for integrity verification
  • Navigation data (with consent only): page views, session duration, via Google Analytics

3. Purposes and legal basis

PurposeLegal basis (GDPR Art. 6)
Service delivery (file upload, storage, download)Contract performance (art. 6.1.b)
Authentication and account managementContract performance (art. 6.1.b)
Service notifications (email to recipients)Contract performance (art. 6.1.b)
Security (antivirus scan, CSRF protection, rate limiting, IP filters)Legitimate interest (art. 6.1.f)
Anonymized analytics (Google Analytics)Consent (art. 6.1.a)
Legal obligationsLegal obligation (art. 6.1.c)

4. Data retention

  • Uploaded files: kept until transfer expiration, then automatically deleted
  • User accounts: kept while active, permanently deleted within 30 days of deletion request
  • Access and download logs: 90 days, then automatically purged
  • Backups: maximum 30 days

5. Data recipients

Personal data may be processed by:

  • Controller's authorized staff (system administrators)
  • Technical service providers (hosting, email, cloud) as Data Processors
  • Competent authorities when required by law

Data is not sold or transferred to third parties for marketing purposes.

6. Extra-EU data transfer

When using cloud services with servers outside the European Union (e.g. Google Analytics), transfer occurs in compliance with GDPR safeguards (standard contractual clauses).

7. Security

Files can be encrypted at-rest with AES-256-CBC algorithm (if enabled in settings). All communications use HTTPS. User passwords are stored with BCrypt hashing. ClamAV antivirus scanning can be enabled.

8. Your rights

Under GDPR articles 15-22, you have the right to:

  • Access (art. 15): obtain confirmation of processing and a copy of your data
  • Rectification (art. 16): correct inaccurate data
  • Erasure (art. 17): request data deletion ("right to be forgotten")
  • Restriction (art. 18): ask to restrict processing
  • Portability (art. 20): receive your data in a structured format
  • Objection (art. 21): object to processing for legitimate reasons
  • Withdraw consent (art. 7): at any time, without affecting prior processing
  • Complaint to Data Protection Authority (art. 77)

To exercise these rights, contact the Data Controller at privacy@avatransfer.com.

9. Cookies

The Service uses technical cookies (necessary for operation) and, with consent, analytical cookies. See the Cookie Policy for details.

10. Changes to this policy

This policy may be updated at any time. Users will be informed of material changes.