Do I need to disclose UploadThing in my privacy policy?

Yes. UploadThing processes personal data on your behalf as a third-party processor. Under GDPR and CCPA, you must disclose that you use UploadThing, explain what data it collects, and identify Ping Labs Inc. as the data processor. This applies even if UploadThing itself is not your primary business focus.

What specific data does UploadThing collect and retain?

UploadThing collects the file content itself, file names, MIME types (file format identifiers), upload timestamps, and file sizes. If users upload documents or images containing personally identifiable information—such as photos with faces, ID scans, or personal documents—that PII becomes part of the data UploadThing processes. You should specify in your policy which file types your application accepts.

Does UploadThing require a cookie consent banner?

UploadThing does not use cookies for tracking or analytics. However, you must still obtain valid user consent before collecting uploaded files if they contain personal data, under GDPR Article 6 or CCPA. Consent requirements depend on your legal basis, not on whether cookies are involved.

Who processes data uploaded through UploadThing and where?

Ping Labs Inc., based in the United States, operates UploadThing and processes uploaded files. Data is transferred to and stored in the US. If you have users in the EU, ensure an adequate transfer mechanism (Standard Contractual Clauses or adequacy decision) is in place. Review UploadThing's privacy policy at https://uploadthing.com/privacy for their specific data handling practices.

File Uploads & Media

Privacy policy clauses for UploadThing

UploadThing is a file upload infrastructure service that handles the technical processing and storage of files users submit through web applications. Websites use it to reliably manage file uploads, validate file types, and store media without building upload systems from scratch.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data UploadThing collects

Your privacy policy must disclose each of the following data types when you use UploadThing.

Uploaded file content and metadata

File names and MIME types

Upload timestamps and sizes

When does UploadThing trigger privacy obligations?

Adding UploadThing to your application triggers immediate privacy obligations the moment file upload functionality becomes available to users, because UploadThing collects and processes uploaded file content, metadata (file names, MIME types), timestamps, and file sizes on Ping Labs Inc.'s servers in the United States.

GDPR applicability: If your users include EU residents, GDPR Articles 13–14 require you to provide a privacy notice at or before collection disclosing that UploadThing (Ping Labs Inc., US-based) is a processor. You must also execute a Data Processing Agreement (DPA) under GDPR Article 28 before any personal data enters UploadThing's systems. This obligation applies regardless of your company's location if you offer services to EU residents. The threshold is any volume of EU user data; no exemption exists for small operators.

CCPA applicability: If you have California users and collect file uploads, CCPA Section 1798.100 requires you to disclose UploadThing as a service provider and the categories of personal information you share with it. A CCPA-compliant service provider agreement (not identical to a GDPR DPA) must be in place.

Common compliance pitfalls

Assuming uploaded files contain no personal data

UploadThing's file upload mechanism is agnostic to content. Founders often treat file uploads as 'user-generated content' outside the scope of privacy law, but files frequently contain PII: profile photos with faces (biometric data under GDPR Article 4(14)), identity documents, medical records, or screenshots with email addresses. If your app doesn't strictly validate file types and you accept image or document uploads, you are collecting personal data. Consequence: you fail to disclose the actual data types in your privacy notice, and regulators view this as material omission. GDPR enforcement cases (e.g., Schrems II follow-ups) have penalized vague or missing disclosures about data types flowing to US processors.

Missing or incomplete Data Processing Agreement

UploadThing documentation states it is a processor. Many indie SaaS operators skip executing the DPA, believing a privacy policy alone suffices, or they assume UploadThing's standard terms are sufficient. Under GDPR Article 28, a DPA must detail processing instructions, sub-processor rules, and liability allocation. Without it, you lack a required legal foundation and expose both yourself and UploadThing to GDPR Article 82 damages claims (joint and several liability). EDPB guidance (Guidelines 07/2020) makes clear that a DPA is not optional.

Failing to update retention and deletion policies

UploadThing stores file data; many founders do not document or communicate how long files are retained or how deletion requests are handled. GDPR Article 17 (right to erasure) and CCPA Section 1798.105 (deletion) require you to ensure UploadThing deletes files upon user request. If your app does not provide a deletion mechanism or does not enforce it with UploadThing, you cannot satisfy deletion rights. Consequence: user deletion requests go unmet, creating regulatory violations and potential statutory damages under CCPA (up to $750 per consumer per incident).

Privacy policy clauses for UploadThing

What data UploadThing collects

When does UploadThing trigger privacy obligations?

Where data goes

Common compliance pitfalls

Assuming uploaded files contain no personal data

Missing or incomplete Data Processing Agreement

Failing to update retention and deletion policies

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose UploadThing in my privacy policy?

What specific data does UploadThing collect and retain?

Does UploadThing require a cookie consent banner?

Who processes data uploaded through UploadThing and where?

Don't ship without Bandit.