uploads.sh

Privacy Policy

Effective July 11, 2026

This page explains what data uploads.sh collects when you use the website, the API, the open-source CLI, or the MCP server, and who we share it with. The service is operated by Build Internet.

What we collect

Website

The site does not run analytics scripts, does not use advertising trackers, and does not set cookies. The invitation page reads its one-time code from the URL fragment, which your browser never sends to a server.

Invitations

If an administrator invites you by email, your email address is used to deliver the invitation and to rate-limit invitation sending. It appears in short-lived operational logs but is not stored in the service's database, and we never use it for marketing. Invitation emails are sent through Cloudflare's email-sending service.

Workspaces and tokens

For each workspace we store its storage configuration and, for each access token:

Invitation codes are single-use, short-lived, and redeemed atomically; the service stores what it needs to validate and expire them, never the plaintext secrets.

Uploaded files

Files you upload are the product, not telemetry: they are stored with our storage provider (Cloudflare R2, or a bucket you bring yourself) and served from public URLs. We store each file's content, key, size, and content type. Anyone with a file's link can fetch it.

Request logs

API requests are logged with basic metadata — IP address, user agent, request path, response status, and timing — for operational and abuse-prevention purposes: diagnosing errors, detecting abuse, and enforcing rate limits. Logs are short-lived and are processed only by the infrastructure providers that host and route the service (chiefly Cloudflare).

CLI and MCP server

The CLI runs on your machine and stores its configuration (API URL, workspace, token) in a local config file. It sends no telemetry. When you use features that talk to third parties — for example attaching images to a GitHub pull request — the CLI uses your own credentials and talks to that service directly, under that service's privacy policy.

How we use data

We do not sell data. We do not use any of it for advertising, and we do not build advertising or marketing profiles.

Service providers

Security practices

Traffic is served over HTTPS. Tokens are stored only as hashes and compared in constant time; invitation codes are single-use and expire automatically. Uploads are validated by content (size caps and a content-type allowlist checked against the actual bytes), and sensitive endpoints are rate-limited. Access to production systems is limited to maintainers.

Retention

Your rights

To delete your files, use the CLI or API. To delete a workspace and the records tied to it, or to ask what data we hold about you, email privacy@uploads.sh.

Changes

We may update this policy as the service changes. Material changes will be announced in the project's GitHub repository and reflected in the effective date above.

Contact

Revision history