
Privacy Policy

Last updated: 2026-06-01. Operator contact: [INSERT CONTACT EMAIL]. Operating entity / jurisdiction: [INSERT ENTITY + COUNTRY].

What this covers

This policy explains what the bottleneck / bneck services (apis.bneck.com and bneck.com) collect, why, how long it is kept, and the choices you have. We collect the minimum needed to run the service; we do not sell personal data, and we do not use your uploaded files or links to train AI.

What we collect

  • Account data: your email address and a bcrypt hash of your password. If you enable two-factor authentication, a TOTP secret and hashed recovery codes.
  • Usage data you create: API keys (stored as hashes), short links and their destinations, file sends and their metadata, and a credit ledger of charges and grants.
  • Uploaded files: files you upload for delivery, stored on our server until they expire, are used up, are deleted by you, or are removed by us. We strip embedded metadata (EXIF/GPS, PDF info) before delivery.
  • Operational logs: request metadata (such as IP address and timestamps) used for rate limiting, abuse handling, and debugging. We do not log passwords, tokens, file contents, or webhook signatures.

Email normalization

To prevent one person creating unlimited accounts, we store a canonical form of your email (lowercased, with provider-specific aliasing such as Gmail dots and +tags removed). It is used only to detect duplicate signups.

What we do not do

  • We do not sell or rent your personal data.
  • We do not use your files, links, or content to train AI models.
  • We do not run third-party advertising or tracking pixels. The site is served behind Cloudflare, which may add its own network-level analytics; see Cloudflare's privacy documentation.

Payments

If you buy credits, payment is handled by a third-party processor (Stripe or Paddle). We receive a confirmation that a payment completed and the number of credits to grant; we do not receive or store your card details.

Cookies

We do not use tracking cookies. Authentication uses a bearer token stored in your browser's local storage rather than in a cookie, and the token is used only to keep you signed in.

Retention

  • Account data is kept until you delete your account.
  • Uploaded files are removed when the send expires, reaches its use limit, is revoked, or your account is deleted.
  • Files submitted to the free metadata tools (/remove-exif and similar) are processed in memory and deleted within minutes; they are never added to your account.

Your rights

You can exercise these from your account or by contacting the operator:

  • Access / portability: download everything tied to your account as JSON via GET /auth/export (signed in), or from the dashboard.
  • Erasure: delete your account and all associated data from the dashboard (Security tab) or via POST /auth/delete. This removes your account, API keys, links, sends, the file blobs behind your sends, and your credit ledger. It cannot be undone, and unspent credits are forfeited.
  • Correction: update your password and 2FA settings from the dashboard; contact the operator for other corrections.

Abuse and legal

We retain enough information to respond to abuse reports and lawful requests. Reported links and files may be disabled. See the Abuse & Takedown policy.

Changes

We may update this policy; material changes will be reflected by the "last updated" date above.

