Privacy Policy

Mediumworx LLC, doing business as Filestor (“we”, “us”, or “our”), operates the Filestor platform, which provides a multi-tenant file explorer that spans Cloudflare R2, Amazon S3, and customer-side agent storage. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at filestor.com and associated services.

By accessing or using Filestor, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the platform.

Account Information: When you sign up, we collect your full name, email address, and password (hashed). If you sign in with Google, we receive your name, email, and Google account identifier. We do not store your Google password.

Organization Data: We store organization names, membership records, role assignments (viewer / editor / admin), groups, and folder-level ACL grants that you create through the platform.

Storage Root Metadata: We store metadata about the storage providers you connect, including bucket names, prefixes, region, and endpoint URLs for Cloudflare R2 and Amazon S3 roots, plus agent identifiers and configured root paths for customer-side agents. R2/S3 access keys are stored in our control-plane database to authenticate calls on your behalf; agent enrollment secrets are stored as SHA-256 hashes.

File Contents: We do not copy your file contents to our servers for long-term storage. Files remain in your storage providers (R2/S3) or on your agent host. Bytes traverse our backend transiently for read/write operations, with bandwidth-optimized handoffs (presigned URLs for R2/S3; Cloudflare Tunnel for agents) that move data directly between your storage and your browser whenever possible.

Search Index: When you trigger reindexing, we extract file names and the first 100 KB of text-extension files into a per-organization SQLite full-text-search database on our server. This index is segregated by organization and is used only to power your in-app search.

Usage Data: We collect information about how you interact with the platform, including pages visited, features used, API calls made, and file operation activity.

Technical Data: We automatically collect IP addresses, browser type, operating system, device information, and referral URLs when you access the platform.

We use collected information to: provide and maintain the Filestor platform; authenticate your identity and manage your sessions; process your file operations against the storage roots you have connected; send transactional emails (verification, password reset, invite notifications); enforce plan limits and entitlements; monitor platform health, security, and performance; and respond to support requests.

We do not sell your personal information to third parties.

Account data, organization records, ACL configurations, and storage-root metadata are stored in a Postgres database managed by our server infrastructure. Sessions are managed through Better Auth with HTTP-only secure cookies.

Customer file contents live in your connected storage — Cloudflare R2 / Amazon S3 buckets you control, or on agent hosts you operate. We do not maintain long-term copies of your files outside of your storage providers.

We use HTTPS/TLS for all data in transit. Passwords are hashed before storage. Agent enrollment secrets are stored as SHA-256 hashes. Session tokens are scoped per user and expire after inactivity. Path-traversal protections gate every storage operation.

Google OAuth: If you choose to sign in with Google, your authentication is processed by Google. We receive only your name and email address.

Cloudflare: We use Cloudflare for DNS, CDN, and the optional Cloudflare Tunnel handoff that routes agent downloads directly from your agent host to your browser. Cloudflare may process request metadata in accordance with their privacy policy.

Cloudflare R2 / Amazon S3: When you connect a bucket root, your file contents reside in your own account at the storage provider. Filestor accesses these buckets only with the credentials you supply. We do not share your bucket contents with any other third party.

We retain your account data for as long as your account is active. Audit logs for file operations are retained for 90 days. Per-organization search indexes are kept until you delete the corresponding root or trigger a fresh reindex.

When you delete your account, we remove your personal information from our active systems within 30 days. Some data may persist in encrypted backups for up to 90 additional days before being purged. Files in your connected R2/S3 buckets and on your agent hosts are your responsibility — we do not touch them on account deletion.

You may access and update your account information from your Account page. To request a copy of your personal data, or to delete your account, contact us at [email protected].

If you are located in the European Economic Area, you have additional rights under GDPR including the right to data portability, the right to restrict processing, and the right to object to processing.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Continued use of Filestor after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, contact us at [email protected].