Every file transferred through inlink travels directly from the sender's browser to the recipient's browser over an encrypted WebSocket connection — never through our servers. We are architecturally incapable of reading, copying, or storing your file contents. Zero storage is not a setting. It is how the product is built.
This isn't a promise we can break accidentally. The server code has no logic to store, cache, or buffer file chunks — only to relay socket events and metadata. Our architecture makes file interception physically impossible during a transfer session.
To support features like reusable QR codes, analytics history, team collaboration, and billing, inlink stores a small amount of metadata in Firebase Firestore. No file contents. No file chunks. Ever.
| Collection Path | What's stored | Why |
|---|---|---|
| users/{uid} | Email, account plan, plan date, Stripe customer ID (reference only), daily transfer counter, created timestamp | ✓ Billing & plan enforcement |
| users/{uid}/transfers/{id} | QR label, room ID (6-char code), file name, file size (bytes), QR colour preferences, password-protection boolean (password itself is never stored), scan count, download count, created timestamp, expiry | ✓ Reusable QR codes & analytics history |
| users/{uid}/settings/prefs | Save QR metadata (on/off), save analytics (on/off), anonymous usage (on/off), default QR colours | ✓ Honour your privacy choices |
| teams/{teamId}/members | Member emails, roles (member/admin/owner), invite emails, invited-by, timestamps. Team plan only. | ✓ Team collaboration features |
| In-memory only | During active transfer: socket IDs, file chunks in transit, real-time scan events, country headers. Discarded on session end. | ● Ephemeral — never persisted |
The following are not collected, logged, stored, or transmitted anywhere in our system — by design.
You are in full control of what metadata is saved. In your Profile → Settings you can:
To delete your entire account, email us at info@antqr.xyz. We process deletion requests within 30 days per GDPR Article 17.
All connections to inlink use TLS 1.3. WebSocket file transfers inherit this encryption end-to-end. Firebase Firestore data is encrypted at rest by Google. Stripe handles all payment data — we never see or store raw card details. Optional password-protected transfers use in-memory comparison only; the password is never persisted.
We use a minimal set of third-party services, each chosen for privacy-first characteristics:
inlink is funded entirely by subscriptions. We do not run ads, use tracking pixels, sell data to third parties, or monetise your usage in any way other than your direct subscription payment. There is no hidden business model.
If you are in the EU (GDPR) or California (CCPA), you have the right to access, rectify, port, restrict, or erase your personal data. You may exercise any of these rights by emailing us. We will respond within 72 hours and fulfill requests within 30 days.
Our lawful basis for processing data is: contractual necessity (account, billing) and legitimate interests (analytics, abuse prevention). We process only the minimum data required for each purpose.
Privacy questions, data requests, and GDPR/CCPA inquiries — contact us directly. We read every message.