Privacy Policy

Last Updated: October 20, 2025

This privacy policy explains exactly how L0ss handles your data, what privacy mechanisms are in place, and what information is collected and stored.

      TL;DR: We don't want your data. Files are temporarily stored for compression,
      automatically deleted within 24 hours (or immediately after download), and never shared with anyone.
      No tracking, no analytics for individual users, no third-party sharing.
    

1. Data Collection & Storage

What We Collect

Your uploaded files - Temporarily stored in Cloudflare R2 for processing
Compression statistics - File size, compression ratio, processing time (anonymized)
IP address - Used only for rate limiting, not stored permanently
API keys - If you use authenticated tiers (Free/Premium)

What We DON'T Collect

Personal information (name, email, etc.) - unless you explicitly provide an API key
File contents for analysis beyond compression
Browsing history or tracking cookies
Third-party analytics or advertising data

2. How Your Data is Stored

File Storage (R2)

// Storage configuration Storage Location: Cloudflare R2 (distributed edge storage) Encryption: AES-256 at rest Transport: TLS 1.3 in transit Access: Unique, non-guessable IDs only Retention: 24 hours maximum (Public tier) Configurable 1h-30d (Authenticated tiers)

Technical Details:

Unique IDs: Each file gets a unique ID (e.g., file_mgyxpxoj58uovr4) generated using timestamp + random string
No filename storage: Original filenames are only kept in metadata for download headers
Auto-deletion: Files are automatically deleted after expiration or first download (Public tier)
No file indexing: Files cannot be browsed or listed - you need the exact ID

Caching (KV Storage)

// KV namespace usage KV_RESULTS: Stores compression results (1 hour TTL) KV_PROFILES: Stores optimization profiles (7 day TTL) KV_PATTERNS: Stores common patterns (1 day TTL) KV_RATE_LIMIT: Tracks rate limits (1 hour TTL) Data Stored: File hash + compression settings → result Privacy: No file contents, only compression metadata

3. Privacy Mechanisms

Encryption

At Rest: AES-256 encryption on all stored files (Cloudflare R2)
In Transit: TLS 1.3 for all API communications
Optional Client-Side: Web Crypto API support for client-side encryption (Premium tier)

Auto-Deletion

// Retention policies Public Tier: - Default: 24 hours - After download: Immediate deletion - Maximum: 7 days Authenticated Tiers: - Configurable: 1 hour to 30 days - Download limit: Optional - User-controlled deletion

Zero-Knowledge Option (Premium)

Premium tier supports client-side encryption where files are encrypted in your browser before upload. We never have access to the decryption key.

4. What We Track (Anonymized)

Analytics Engine Data

We collect anonymized metrics for service improvement:

// Analytics data points (no personal info) { "fileType": "JSON", // Type of file compressed "lossLevel": "moderate", // Compression level used "originalSize": 1024, // File size in bytes "compressedSize": 512, // Compressed size "reductionPercent": 50, // Compression ratio "processingTime": 15, // Time in milliseconds "tier": "PUBLIC" // Service tier used } NOT Tracked: - Filenames - File contents - IP addresses (beyond rate limiting) - User identity - Access patterns

5. Third-Party Services

Cloudflare

Purpose: Infrastructure (Workers, R2, KV, Analytics)
Data Shared: Only what's necessary for service operation
Privacy Policy: Cloudflare Privacy Policy

hCaptcha (Public Tier Only)

Purpose: Prevent abuse on public tier
Data Shared: CAPTCHA token only
Bypass: Use API key (Free tier) to skip CAPTCHA
Privacy Policy: hCaptcha Privacy

No Other Third Parties

We DO NOT use:

Google Analytics or any tracking scripts
Advertising networks
Social media pixels
Third-party CDNs for tracking
Email marketing services

6. Your Rights (GDPR/CCPA)

Right to Delete

You can delete your files at any time using the file ID. For public tier, files auto-delete after 24 hours or first download.

Right to Access

You can access your files using the download URL provided after compression. Recovery manifests are available for all compressions.

Right to Export

All compressed files and manifests are downloadable in standard formats. No proprietary formats are used.

Right to Object

You can object to processing by not using the service. No data is collected unless you upload files.

7. Security Measures

Rate Limiting: Prevents abuse (10/50/1000 requests per hour based on tier)
File Size Limits: 10MB/50MB/500MB to prevent resource abuse
Malware Scanning: Planned integration with Cloudflare Scanner API
No Public Listing: Files are only accessible via unique, non-guessable IDs
HTTPS Only: All connections encrypted with TLS 1.3

8. Data Breach Notification

In the unlikely event of a data breach:

We will notify affected users within 72 hours
Notification will be posted on the homepage
For authenticated users, notification via email (if provided)
Details of the breach and mitigation steps will be provided

9. Children's Privacy

L0ss is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us to have it removed.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the new policy.

11. Compliance

L0ss is designed to comply with:

GDPR (General Data Protection Regulation - EU)
CCPA (California Consumer Privacy Act - USA)
Best Practices for data minimization and user privacy

Our Privacy Promise

We built L0ss with privacy as a core principle, not an afterthought. We don't want your data, we don't sell your data, and we automatically delete your data. The service exists to compress files, not to track users.

← Back to Home