SecureSend vs WeTransfer: What Really Happens to Your Files

← Back to Blog

WeTransfer is one of the most popular file-sharing services in the world, with over 80 million monthly users. Its appeal is obvious: drag a file, get a link, send it. No friction. But convenience often comes at the cost of privacy. What actually happens to your files once you upload them?

This article compares WeTransfer's architecture with SecureSend's zero-knowledge approach, based on publicly available documentation and privacy policies.

What WeTransfer Does with Your Files

WeTransfer encrypts files in transit (TLS) and at rest on their servers. This is standard practice and protects against external attackers. However, WeTransfer holds the encryption keys. This means:

WeTransfer can decrypt and access your files. Their privacy policy states they may access content "to provide, maintain and improve our services."
Files are stored for 7 days (free) or longer (paid). During this period, your unencrypted data exists on WeTransfer's infrastructure.
Content is scanned. WeTransfer scans uploads for malware and prohibited content. Scanning requires reading the file.
Third-party processors. WeTransfer uses AWS for hosting. Your data passes through (and is stored on) Amazon's infrastructure.
Legal requests. If a government agency issues a valid legal request, WeTransfer can provide your files in readable form because they possess the decryption keys.

From WeTransfer's privacy policy: "We may access, preserve and share your information in response to a legal request if we have a good faith belief that the law requires us to do so." Because they hold the keys, they can comply fully.

What SecureSend Does Differently

SecureSend uses a fundamentally different architecture. Files are encrypted in the browser using AES-256-GCM before they are uploaded. The encryption key is placed in the URL fragment (the # portion), which is never sent to the server per the HTTP specification.

The server receives and stores only encrypted data. It does not have the key and cannot decrypt the file. Even if an attacker compromises the server or a government issues a subpoena, only meaningless encrypted bytes can be produced.

Side-by-Side Comparison

Feature	WeTransfer (Free)	WeTransfer (Pro)	SecureSend
Encryption type	Server-side (TLS + at rest)	Server-side (TLS + at rest)	Client-side AES-256-GCM
Who holds the key?	WeTransfer	WeTransfer	Only sender and recipient
Server can read files?	Yes	Yes	No
File retention	7 days	Up to 4 weeks	15 min to 7 days (configurable)
Single-use download	No	No	Yes (optional)
Download counter	Yes (Pro)	Yes	Yes
Password protection	No	Yes	Built-in (key in URL)
Max file size (free)	2 GB	—	1 MB
Recipient needs account?	No	No	No
Content scanning	Yes	Yes	Impossible
Multi-file support	Yes	Yes	Yes (auto-ZIP)
Custom message	Yes	Yes	Yes (encrypted)
GDPR data processor?	Yes (sees data)	Yes (sees data)	No (cannot see data)

The File Size Trade-Off

The most obvious advantage WeTransfer has is file size. You can send up to 2 GB for free and 200 GB with a paid plan. SecureSend supports 1 MB on the free plan and 10 MB on Pro. These are different tools for different purposes.

WeTransfer is designed for large media files — video projects, design assets and photo collections. SecureSend is designed for sensitive documents — contracts, tax forms, identity documents, medical records and financial statements. Most sensitive documents are well under 1 MB.

Think about what you are sending. A scanned passport is typically 200-500 KB. A signed PDF contract is 100-300 KB. A tax return is 50-200 KB. For these use cases, file size limits are irrelevant. What matters is whether the server can read them.

Password Protection Is Not End-to-End Encryption

WeTransfer Pro offers password-protected transfers. This sounds similar to encryption but is fundamentally different. The password protects access to the download page — it does not encrypt the file itself. WeTransfer's servers still store and can access the unencrypted file. The password is simply an access gate, not an encryption key.

With SecureSend, the "password" is the AES-256 encryption key embedded in the URL. Without it, the file is a block of random bytes. There is no access gate because there is nothing readable to gate access to.

What Happens During a Data Breach

Data breaches at file-sharing services are not hypothetical. WeTransfer itself suffered a security incident in 2019 where files were sent to the wrong recipients. In a server-side encryption model, a breach exposes readable files because the keys are on the same infrastructure.

In a zero-knowledge model, a server breach exposes only encrypted data. Without the decryption keys (which only exist in the shared URLs), the stolen data is useless. This is the core advantage of client-side encryption.

Metadata Considerations

Even with zero-knowledge encryption, some metadata is visible to the server: the sender's IP address, the file size, timestamps and the number of downloads. SecureSend does not know the file name (it is encrypted along with the content) or the file type.

WeTransfer, by contrast, knows everything: file names, file types, sender email, recipient email, the message you attached and the full file contents.

When to Use Which

Use WeTransfer when:

You are sharing large media files (videos, design assets) that are not sensitive
You need to transfer gigabytes of data quickly
Privacy is not a concern for the specific content

Use SecureSend when:

The file contains personal, financial, medical or legal information
You need to comply with GDPR, HIPAA or similar regulations
You want the file to disappear after download (single-use)
You need to control exactly how long the file is accessible
You do not want any third party — including the server operator — to read your files

The Verdict

WeTransfer and SecureSend serve different purposes. WeTransfer is a convenience tool for large, non-sensitive files. SecureSend is a security tool for sensitive documents where privacy is non-negotiable. The key difference is architectural: WeTransfer's servers can read your files; SecureSend's server cannot. That distinction matters every time you share something confidential.

Try SecureSend — Free Encrypted File Sharing

Send files with end-to-end encryption. The server never sees your data. No account required to receive.

Get Started Free