1) Summary (plain English)

Sharoo is designed so that:

• Your files are uploaded directly from your Mac to your own server using SFTP.
• The Provider does not host your files.
• The App does not send your file contents to the Provider.

However, Sharoo does process some data locally on your Mac and, by design, stores Transfer metadata and download counters on your server.

2) Roles: who is the “data controller”?

Because Sharoo is installed and operated on your infrastructure:

• You (the User) are typically the data controller for personal data contained in your Transfers and for personal data of Recipients who download your Transfers.
• The Provider typically acts as a software provider and does not receive the Transfer data on its own servers.

If you are using Sharoo in a business context, you are responsible for your own compliance obligations (e.g., GDPR notices, cookie banners, retention policies, legal bases, records of processing activities).

3) Data processed by the App (on your Mac)

The App stores data locally for functionality.

3.1 Server configuration

• Server connection parameters (e.g., host, port, username, remote path, base URL) are stored in local app storage.
• Your SFTP password is stored in macOS Keychain.

3.2 Local history

The App stores a local Transfer history, which may include:

• Transfer identifier (shareId).
• Transfer title/name.
• Generated download link.
• File count and total size.
• Expiration and purge timestamps.
• File names (and relative paths) included in the Transfer.
• Whether the Transfer is password-protected.
• Download counters and timestamps (if the App synchronizes them from your server).

You can delete local history using the App.

3.3 Terms acceptance and security gate state

The App stores locally whether you accepted the current Terms version and whether you passed certain setup/security checks.

3.4 Logs

The App may display troubleshooting log lines inside the UI during setup/upload/sync operations. These logs are stored locally (for example, in memory or in local app storage depending on your system state) and are not transmitted to the Provider.

4) Data processed by the Server Kit (on your server)

When you use Sharoo, the Server Kit creates files on your server under a sharoo/ directory.

4.1 Transfer metadata (meta.json)

Each Transfer stores metadata on your server, which may include:

• Creation timestamp.
• Expiration timestamp.
• Purge timestamp.
• Maximum downloads.
• Current download count.
• Whether the Transfer was revoked.
• Original file name(s), relative path(s), content type, and size.
• If password protection is enabled, a derived password hash and related parameters (algorithm, salt, iterations). The password itself is not stored in plaintext.

4.2 Download tracking (downloads.json and downloads-index.json)

The Server Kit stores download tracking information such as:

• Total download count.
• First/last download timestamps.
• A small list of “recent events” (up to a limited number).
• Whether a ZIP download occurred.

This tracking is designed to avoid collecting IP addresses explicitly within Sharoo’s own JSON files.

4.3 Server logs (outside Sharoo)

Your Hosting Provider and web server software may generate access logs for HTTP requests (e.g., IP address, user agent, timestamps). These logs are controlled by you and/or your Hosting Provider, not by the Provider.

5) Cookies on Transfer Pages

The Transfer Pages may set functional cookies.

Because the Transfer Pages are served from your server and may be subject to the laws of the country where your server and recipients are located, you are responsible for implementing any cookie notice and/or consent mechanism (including a cookie banner) that may be required under applicable law.

5.1 Terms acceptance cookie

• Name: sharoo_terms_accepted
• Purpose: remembers that a Recipient accepted the Terms/Privacy notice shown by the Transfer Page.
• Duration: up to 365 days (may vary by browser).
• Attributes: SameSite=Lax; Secure when served over HTTPS.

5.2 Password access cookie (password-protected Transfers)

• Name pattern: sharoo_pw_<shareId>
• Purpose: remembers that the Recipient has successfully entered the password for a specific Transfer.
• Duration: approximately 7 days.
• Attributes: HttpOnly, SameSite=Lax, Secure when served over HTTPS.

Note: Depending on configuration, Transfer download links may also include a short-lived URL parameter (an “auth” token) to enable the download flow.

6) How Sharoo communicates over the network

Sharoo typically communicates only with:

• Your SFTP server (to install/update the Server Kit, upload files, and manage Transfers).
• Your website/hosting (to verify that PHP and HTTPS work correctly using the Server Kit status.php, and to access Transfers).

The App may also open external web pages (e.g., the Provider website or troubleshooting guides) when you click links in the UI. When you visit those websites, standard website logging and any website privacy policy may apply.

7) Data retention and deletion

7.1 On your Mac

• Server configuration and history are stored locally until you delete them (e.g., resetting settings/history).
• Keychain items can be removed by resetting the server configuration within the App.

7.2 On your server

• Transfers remain stored on your server until deleted.
• Depending on your settings, Transfers may become unavailable after expiration and may be deleted later based on the purge time.
• You can delete Transfers manually using the App (“Delete from server”) or by deleting the corresponding directories from your server.

Important: Your server backups may preserve deleted data according to your backup configuration.

8) Security

Sharoo includes several security-oriented design choices, such as:

• SFTP for uploads.
• Requiring HTTPS for the public base URL.
• macOS Keychain for storing your SFTP password.
• Server Kit hardening files such as .htaccess (when supported by your server) to restrict direct access to sensitive files.
• Transfer password hashing (PBKDF2-based derivation), so passwords are not stored in plaintext.

Despite these measures, the overall security of your Transfers depends on:

• Your Hosting Provider configuration and patching.
• Your server permissions and isolation.
• Keeping Sharoo and the Server Kit updated.
• Sharing links/passwords securely.

9) International data transfers

The Provider does not receive your Transfer data on Provider-owned servers in normal operation.

Your own Hosting Provider may store or process data in different countries depending on where your server is located.

10) Your rights

Depending on where you live, privacy laws may grant you rights (e.g., access, deletion, correction, portability, restriction, objection).

Because Transfer data is stored on your infrastructure, you (as the controller) are typically the party responsible for fulfilling requests from your Recipients. The Provider can assist only for data the Provider actually controls (e.g., support communications, website accounts, if any).

11) Children’s privacy

Sharoo is not intended for children under the age of 13 (or the minimum age required in your jurisdiction). Do not use Sharoo to knowingly collect or share personal data of children without appropriate legal basis and consent.

12) Provider and legal notice

Sharoo is provided under the name KOBY Studio.

For legal purposes, “KOBY Studio” is the name used in this document to refer to:

Marco Dignani
9 Quai de la Poissonnerie
68000 Colmar
France

13) Changes to this Privacy Policy

The Provider may update this Privacy Policy from time to time.

If changes are significant, the App may require you to accept updated Terms before continuing to use it.

14) Contact

For privacy questions:

• Contact form: https://www.sharoo.link/#contacts

Websites:

• https://www.sharoo.link/
• https://koby.studio/