Privacy Policy

1. Introduction

ddownload.com ("we", "us", "our") operates the file hosting and cloud storage platform DDownload, accessible at www.ddownload.com (the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website, create an account, use our services, or otherwise interact with us.

We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP/nDSG), and other relevant legislation in the jurisdictions in which we operate.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Service.

2. Data Controller

The data controller responsible for the processing of your personal data is:

If you have any questions or concerns about how we handle your personal data, or if you wish to exercise any of your rights under applicable data protection law, please contact us at the address above or via email at [email protected].

3. Personal Data We Collect

We collect and process the following categories of personal data depending on how you interact with our Service:

3.1 Account Data

When you register for an account, we collect:

• Email address
• Username (chosen by you)
• Password (stored in hashed form only)
• Date and time of registration
• IP address at the time of registration

3.2 Payment and Transaction Data

When you purchase a premium subscription, we collect:

• Payment method selected (e.g., credit card, bank transfer, cryptocurrency)
• Transaction amount, currency, and date
• Transaction reference and payment processor transaction ID
• Billing country (determined via IP geolocation)

We do not store full credit card numbers, CVV codes, or other sensitive payment card data on our servers. All payment card transactions are processed by PCI DSS-compliant third-party payment processors. We only receive and store a transaction confirmation, a truncated card reference, and the payment status.

3.3 Usage Data

When you use our Service, we automatically collect:

• Files uploaded: file name, file size, file type, upload date, and a cryptographic hash (MD5/SHA1) of the file content for integrity and duplicate detection purposes
• Download activity: date, time, file accessed, and download status
• Storage usage and account activity patterns

3.4 Technical and Log Data

Our web servers automatically collect the following data for each request:

• IP address of the requesting device
• Date and time of the request
• URL and resource requested
• HTTP status code and data volume transferred
• Browser type and version (User-Agent string)
• Referring URL (if applicable)
• Operating system information

3.5 Affiliate Program Data

If you apply to or participate in our affiliate program, we additionally collect:

• Website URL and description of your content distribution activities
• Expected traffic volume and content type
• KYC (Know Your Customer) documentation for payout processing: government-issued photo ID, proof of residential address, and tax identification number where applicable
• Payout method details (e.g., PayPal address, bank account information, cryptocurrency wallet address)

3.6 Communication Data

When you contact our support team, submit an abuse report, or otherwise correspond with us, we collect the content of your communication, your email address, and any attachments you provide.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under Article 6 of the GDPR:

• Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary for the performance of the service agreement between you and us, including account creation, file storage, premium subscriptions, and affiliate payouts.
• Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including fraud prevention, platform security, abuse detection, enforcement of our Terms of Service, network and information security, and improvement of our Service. Our legitimate interests do not override your fundamental rights and freedoms.
• Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws, regulations, court orders, or other legal processes, including tax reporting obligations, anti-money laundering (AML) requirements, and responses to lawful requests from law enforcement authorities.
• Consent (Art. 6(1)(a) GDPR): Where we rely on your consent to process personal data (e.g., for marketing communications), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that took place prior to the withdrawal.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

• Service provision: To create and manage your account, store and deliver your files, process premium subscriptions, and provide customer support.
• Payment processing: To process your subscription payments, issue invoices, handle refunds, and manage affiliate payouts.
• Security and fraud prevention: To detect and prevent fraud, unauthorized access, and other malicious activity. This includes velocity checks on transactions, IP-based risk assessment using MaxMind GeoIP, screening against the OpenSanctions API, and multi-account detection.
• Content moderation: To enforce our Terms of Service and Acceptable Use Policy, process DMCA takedown requests, and maintain hash-based blocklists to prevent re-upload of previously removed content.
• Legal compliance: To comply with applicable legal obligations, including tax reporting, AML regulations, and responding to lawful requests from authorities.
• Service improvement: To analyze usage patterns (in aggregate and anonymized form) to improve the performance, reliability, and user experience of our Service.
• Communication: To send you service-related notifications (e.g., account verification, password resets, subscription confirmations, policy updates). We do not send unsolicited marketing emails.

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

We use the following types of cookies:

• Strictly necessary cookies: Required for the operation of our Service. These include session cookies that maintain your login state and security tokens (CSRF protection) that safeguard form submissions. Without these cookies, the Service cannot function properly.
• Functional cookies: Used to remember your preferences, such as language selection and display settings. These cookies enhance your experience but are not strictly necessary.
• Analytics cookies: We use Yandex Metrica to collect anonymized, aggregate information about how visitors interact with our website, such as pages visited, session duration, and general geographic region. Yandex Metrica may set its own cookies on your device. For more information, see the Yandex Privacy Policy. This data helps us improve our Service.

6.2 Cookie Duration

• Session cookies: Deleted automatically when you close your browser.
• Persistent cookies: Remain on your device for a defined period (typically up to 30 days for login cookies) or until you manually delete them.

6.3 Managing Cookies

7. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties. We share your personal data only in the following limited circumstances:

7.1 Payment Processors

When you make a payment, your transaction data is shared with the relevant payment processor to complete the transaction. Each payment processor operates as an independent data controller and processes your data in accordance with its own privacy policy. We work with PCI DSS-compliant payment processors to ensure the security of your payment information.

7.2 Infrastructure and Security Services

We use the following third-party infrastructure services that may process your data:

• Cloudflare: We use Cloudflare as a content delivery network (CDN) and web application firewall (WAF) to protect our Service against DDoS attacks, malicious bots, and other security threats. Cloudflare processes your IP address, HTTP request headers, and other connection metadata as part of its security and performance services. Cloudflare may set its own cookies (e.g., __cf_bm) for bot detection. For more information, see the Cloudflare Privacy Policy.

7.3 Analytics

We use analytics services to understand how users interact with our platform and to improve our Service:

• Yandex Metrica: We use Yandex Metrica for website analytics, including page views, session duration, bounce rate, and user flow analysis. Yandex Metrica collects anonymized and aggregated data and may use cookies to distinguish unique visitors. Your IP address is anonymized before storage. For more information, see the Yandex Privacy Policy.

7.4 Fraud Prevention and Risk Assessment

We operate a proprietary anti-fraud system that processes transaction data in real time. This system performs velocity checks (limiting the number of transactions per email, IP address, and time period), multi-account detection, daily spending limits, and automated alert classification by severity level. When fraud is detected, we may block individual IP addresses, BIN ranges (Bank Identification Numbers), or entire geographic regions.

In addition, we use the following third-party services for fraud prevention and risk assessment:

• MaxMind GeoIP: We use MaxMind's geolocation database to determine the geographic location associated with your IP address for fraud scoring and country-level risk assessment. IP addresses are processed locally against the MaxMind database; your data is not transmitted to MaxMind.
• OpenSanctions: We use the OpenSanctions API to screen transactions against international sanctions lists. Limited data (name, country) may be transmitted to OpenSanctions for verification purposes.
• Sectigo (ASV): We undergo quarterly PCI DSS vulnerability scans performed by Sectigo as an Approved Scanning Vendor to ensure the ongoing security of our payment processing environment.

7.5 Law Enforcement and Legal Requirements

We may disclose your personal data to law enforcement authorities, regulatory bodies, or other third parties where we are legally required to do so, or where disclosure is necessary to:

• Comply with a legal obligation, court order, or lawful government request
• Protect the rights, property, or safety of ddownload.com, our users, or the public
• Detect, prevent, or address fraud, security issues, or technical problems
• Enforce our Terms of Service

7.6 DMCA and Copyright Enforcement

When we receive a valid DMCA takedown notice or copyright infringement complaint, we may share limited information about the uploader of the reported content (such as the username and email address) with the rights holder or their authorized agent, where legally required.

8. International Data Transfers

Our servers and infrastructure are located in multiple geographic regions. Your personal data may be transferred to, stored, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

Where we transfer personal data outside the European Economic Area (EEA) or Switzerland, we ensure that appropriate safeguards are in place in accordance with applicable data protection law, including:

• Transfers to countries recognized by the European Commission as providing an adequate level of data protection
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Other appropriate safeguards as permitted by applicable law

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are as follows:

• Account data: Retained for the duration of your account. Upon account deletion, your personal data is removed within 30 days, except where retention is required by law.
• Transaction and payment data: Retained for a minimum of 7 years after the transaction date to comply with tax, accounting, and anti-money laundering regulations.
• Server logs and IP addresses: Retained for up to 90 days for security, fraud prevention, and abuse detection purposes, then automatically deleted or anonymized.
• Uploaded files: Retained for as long as your account is active. Files belonging to inactive free accounts may be deleted after a period of inactivity as defined in our Terms of Service.
• Abuse reports and DMCA records: Retained indefinitely to maintain our blocklist and enforce our repeated-infringer policy.
• KYC documentation: Retained for 5 years after the end of the business relationship, in accordance with AML regulations.
• Communication records: Support correspondence is retained for up to 3 years after the last interaction.

When personal data is no longer required, it is securely deleted or irreversibly anonymized.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security) with modern cipher suites.
• Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
• Infrastructure security: We operate entirely on our own hardware in professional colocation facilities. All servers are company-owned, physically secured, and monitored 24/7.
• Payment security: We are PCI DSS Level 4 compliant with quarterly vulnerability scans performed by Sectigo (Approved Scanning Vendor). We do not store sensitive payment card data on our systems.
• Fraud detection: Our anti-fraud system performs real-time velocity checks, IP risk assessment, and sanctions screening on all transactions.
• Incident response: We maintain an incident response procedure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continuously review and improve our security measures.

11. Your Rights

Under applicable data protection laws (including the GDPR and the Swiss FADP), you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You have the right to request a copy of the personal data we hold about you and information about how it is processed.
• Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17 GDPR): You have the right to request deletion of your personal data, subject to certain exceptions (e.g., where retention is required by law).
• Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your data in certain circumstances.
• Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object (Art. 21 GDPR): You have the right to object to processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe that our processing of your personal data infringes applicable data protection law.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

12. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe that a child has provided us with personal data, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users via email.

We encourage you to review this Privacy Policy periodically. Your continued use of our Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Information