Privacy policy

How olrite.lol processes data based on the current implementation.

Last updated: April 2, 2026

This page describes how olrite.lol currently processes personal data. It is written to match the repository's current implementation as closely as possible. Where a feature has privacy limits or operational caveats, we state that directly.

1. Operator and Scope

olrite.lol is operated under the name Revulate. The service is built on Cloudflare and runs on Cloudflare Pages, Workers, R2, KV, Durable Objects, and related edge infrastructure. This means requests are not handled by a single server in California; processing may occur across Cloudflare's network and the infrastructure of other providers used by the site.

Files hosted on olrite.lol are public to anyone who has the link. We do not promise that files are private simply because their URLs are hard to guess.

2. Data We Process

2a. Files and file metadata

  • Uploaded files: When you upload a file, we store the file in Cloudflare R2 so the service can deliver it back to you and to anyone with the file link.
  • Stored file metadata: We store metadata such as file ID, original filename, MIME type, size, upload time, expiration time, deletion token, extension count, view count, R2 object key, processing flags, and whether a file is preserved.
  • Preserved uploads: Standard uploads expire after 24 hours. Preserved uploads do not receive the normal 24-hour auto-deletion and may remain available until they are deleted with a valid deletion token or removed by us for another reason.
  • Authenticated ownership: If you upload while authenticated or with an API key, the file metadata may be linked to your account using your user ID and upload source.

2b. Account and API key data

  • Account details: If you create an account, we store your username, authentication type, hashed PIN or password, creation time, last login time, and login count.
  • Recovery email address: You may add an email address to your account. We use verification links to confirm that address before using it for account recovery. We store the current email address, any pending replacement address, and email verification timestamps.
  • API keys: If you generate API keys, we store a SHA-256 hash of each key, the key ID, the name you assign to it, preserve settings, upload counts, and created/last-used timestamps. The plaintext key is only shown at creation time.
  • Usage history and statistics: We maintain user upload indexes, lifetime upload/storage counters, per-file view counts, top-viewed file data, and daily account statistics snapshots.

2c. Security, session, and technical data

  • Session data: When you log in, we store a server-side session record containing your user ID, username, creation time, expiration time, IP address, and browser User-Agent string.
  • Login-abuse protection: Failed login tracking stores the username, attempt counts, lockout state, CAPTCHA requirement state, and the IP address of the last failed attempt.
  • Rate limiting: Some rate-limiting paths hash IP addresses before storing rate-limit state. Other security and fallback paths can still process or temporarily store raw IP addresses where needed for service protection, sessions, deletion handling, or incident response.
  • Security logs: When security-relevant events occur, we may store structured security logs containing event data and technical request metadata such as a masked IP address, path, User-Agent, country, and referrer.
  • Deletion audit logs: File deletion events may create audit records containing file ID, deletion token, timestamps, file details, and the initiating IP address.
  • Recovery and verification tokens: When you request email verification or a password reset, we store a short-lived hashed token record and related metadata until it is used or expires.

2d. Browser-side storage and similar technologies

  • Cookies we set: We use an essential session cookie for authentication and an essential __olrite_csrf cookie for CSRF protection.
  • localStorage: The frontend stores theme preference, recent upload history, album history, authentication state, failed-login state, and storage schema/version data in your browser. Recent upload history can include file IDs, viewer URLs, deletion tokens, file sizes, timestamps, expiration data, and view counts.
  • sessionStorage: Some per-tab state is stored locally, including view-tracking deduplication data used by the frontend.

2e. Third-party requests triggered by the frontend

  • Cloudflare Turnstile: After repeated failed login attempts, the login flow loads Cloudflare Turnstile and sends the CAPTCHA token and related technical signals to Cloudflare for verification.
  • Email relay and SMTP provider: If recovery or verification emails are enabled, account-related emails are sent through our configured email relay hosted on infrastructure we control, and delivered using the configured SMTP provider.

3. How We Use Data and Our Legal Bases

  • To provide the hosting service: We process files, links, and related metadata to upload, store, display, stream, cache, extend, and delete hosted content. For account features, this is generally necessary to provide the service you request.
  • To operate account features: We use account, session, API key, upload history, and statistics data to let you sign in, manage uploads, manage API keys, and view account usage. This is generally necessary to perform the service you ask us to provide.
  • To secure the service: We use IP addresses, User-Agent strings, login attempt data, rate-limit state, security logs, and deletion audit data for abuse prevention, incident detection, debugging, and accountability. Our legal basis is generally our legitimate interests in securing and operating the service, and in some cases compliance with legal obligations.
  • For account recovery and verification: If you add an email address, we use it to send verification and password reset messages. You can remove it later.
  • For preferences stored in your browser: Theme and similar local preference data are stored locally at your request so the UI behaves consistently between visits.

4. Sharing, Service Providers, and International Transfers

We do not sell personal information and we do not use your data for cross-context behavioral advertising. We do, however, use third-party infrastructure and service providers that process data for us or receive data directly from your browser.

  • Cloudflare: Cloudflare provides Pages, Workers, R2, KV, Durable Objects, edge caching, and Turnstile. See Cloudflare's Privacy Policy and Data Processing Addendum.
  • Email relay and SMTP provider: If configured, account verification and password reset emails are delivered through our email relay and the configured SMTP provider, rather than directly by your browser.

Because these providers operate globally, data may be processed outside your state, country, or the EEA/UK. If you are in the EEA or UK, this means international transfers may occur. Where required by applicable law, those transfers should rely on an appropriate transfer mechanism offered by the provider.

5. Retention

  • Temporary files and their metadata: normally 24 hours
  • Preserved files and preserved-file metadata: no automatic 24-hour expiry; retained until deletion or other removal
  • Authentication sessions: up to 7 days, refreshed on activity
  • Failed login tracking: about 25 hours
  • Email verification and password reset tokens: typically 24 hours for verification links and 1 hour for password reset links
  • User statistics snapshots: about 31 days
  • Security event logs: up to 90 days when such logs are created
  • Deletion audit records: up to 90 days
  • Account records, API key records, upload indexes, and lifetime counters: until you delete the account or revoke the API key, unless we need to keep limited records longer for security, fraud prevention, or legal reasons
  • Browser-side storage: until you remove it, clear browser data, or the application overwrites or prunes it locally

6. Your Rights

If GDPR or similar privacy laws apply to you, you may have rights including access, correction, deletion, restriction, objection, portability, and the right to complain to a supervisory authority.

  • Access and correction: Account holders can view much of their stored account data from the dashboard. Profile updates are available in-app for some fields.
  • File deletion: Files can be deleted with a valid deletion token. Standard non-preserved files also expire automatically.
  • Account deletion: You can delete your account from the account dashboard. The current implementation is intended to delete the account record, related account data, and files that are currently associated with that account, including preserved files.
  • Portability: We do not currently offer a dedicated one-click export package for all account data. Some data can be viewed or copied from the dashboard, and hosted files can be downloaded while they remain available.

7. Current Implementation Notes

  • Metadata stripping: JPEG, PNG, and WEBP uploads go through metadata stripping. MP4 and QuickTime video files are intended to go through metadata stripping in current upload processing. PDF metadata stripping is not implemented in the current production code.
  • Application-level encryption: Upload encryption is available in some code paths, but production uploads are generally stored without additional application-level encryption and rely on infrastructure protections such as Cloudflare R2 encryption at rest.
  • Public-link model: Anyone with a valid file URL can access the hosted file until it is deleted or expires.

8. Contact

For privacy inquiries and data-rights requests, contact [email protected]. Account deletion is available from your account dashboard.