WeTransfer EU Alternative 2026: Why Dutch HQ Doesn't Mean GDPR-Safe
Post #917 in the sota.io EU Cyber Compliance Series
WeTransfer is the kind of tool that EU procurement teams often wave through compliance review without scrutiny. It is Dutch. It is headquartered in Amsterdam. Its founders are European. On the surface, WeTransfer looks like exactly the kind of EU-native service that should not raise GDPR flags. This instinct is understandable — and it is wrong.
The legal basis for a company's GDPR obligations is not where it is headquartered. What matters under GDPR is what data the service processes, on whose behalf, using which infrastructure, and subject to which legal obligations in which jurisdictions. WeTransfer B.V. may be a Dutch company, but it operates a global platform that processes personal data — email addresses, file metadata, device identifiers, and behavioural signals — using infrastructure and subprocessors that extend well beyond the Netherlands and well into jurisdictions where EU data protection law does not apply.
This guide explains the specific GDPR risks that WeTransfer's Dutch identity masks, examines what the service actually processes about senders and recipients, and covers the EU-native file-transfer alternatives that close these compliance gaps for teams that need auditable, GDPR-clean large-file sharing.
WeTransfer B.V.: Amsterdam-Incorporated, Globally Operated
WeTransfer B.V. was founded in 2009 in Amsterdam by a team of Dutch entrepreneurs. It grew rapidly as a consumer file-transfer product, expanding to a paid tier, creative portfolio tools, and eventually enterprise features. At its 2022 peak, WeTransfer was valued at over €700 million.
In 2023, the company was acquired by Bending Spoons S.p.A., an Italian mobile software company headquartered in Milan. The acquisition price was reported at approximately $132 million — a significant discount from the peak valuation, reflecting the broader contraction in software valuations and WeTransfer's profitability challenges on its largely free-tier model.
The Bending Spoons acquisition changed WeTransfer's ownership structure but did not change its fundamental architecture as a globally distributed file-transfer platform. WeTransfer continues to operate as WeTransfer B.V. under Dutch law, with Bending Spoons as the parent entity. For GDPR purposes, WeTransfer B.V. remains the data controller for EU user data — it is the entity that DPAs would name in an enforcement action.
However, two structural facts about WeTransfer's operation create GDPR exposure that its Dutch incorporation does not resolve.
The US Subprocessor Problem
WeTransfer's global infrastructure relies on third-party cloud providers for file storage, content delivery, email delivery, and analytics. A review of WeTransfer's published subprocessor and privacy documentation reveals reliance on US-incorporated technology companies whose services process WeTransfer user data.
File storage and content delivery. WeTransfer uses cloud infrastructure that routes content through US-controlled networks for content delivery to global users, including EU recipients. While WeTransfer processes EU user files in data centres with EU-region presence, the CDN and distribution layers involve US-controlled systems. US cloud providers that hold distribution agreements with WeTransfer are subject to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) — meaning US federal law enforcement can compel them to produce data they control, regardless of where it is physically stored.
The critical distinction from US-headquartered providers is this: WeTransfer B.V. itself is not a CLOUD Act subject (the CLOUD Act applies to electronic communication service providers and remote computing service providers incorporated or headquartered in the US). However, the US-incorporated subprocessors WeTransfer uses for infrastructure, CDN delivery, and analytics are CLOUD Act subjects. If US authorities want data that one of those subprocessors holds or controls, a CLOUD Act demand can compel production without involving Dutch courts or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Email delivery infrastructure. Every WeTransfer transfer — free or paid — triggers email notifications to both sender and recipient. These emails are processed by third-party email delivery services. The major transactional email providers (Twilio SendGrid, Mailgun, AWS SES, Postmark) are US-incorporated and CLOUD Act-subject. When WeTransfer passes your sender email address and recipient email address to its email delivery subprocessor for notification delivery, that subprocessor's handling of those addresses falls under US legal jurisdiction.
Analytics and performance monitoring. WeTransfer uses analytics infrastructure to monitor platform performance, detect abuse, and (on the free tier) serve targeted advertising. Analytics vendors in WeTransfer's subprocessor chain may include US-incorporated services whose processing of behavioural data from EU users creates additional SCC-governed transfer relationships.
The practical GDPR implication. Under GDPR Article 44, transfers of personal data to third countries require an appropriate safeguard. For WeTransfer's US subprocessor chain, this means Standard Contractual Clauses (SCCs). Post-Schrems II, SCCs alone are insufficient: the data exporter (WeTransfer B.V.) must conduct Transfer Impact Assessments (TIAs) for each US subprocessor relationship. Any EU customer relying on WeTransfer for business file transfer should request WeTransfer's TIA documentation. If WeTransfer cannot produce TIAs covering its US subprocessor chain, EU organisations face a compliance gap they cannot close on WeTransfer's behalf.
What WeTransfer's Free Plan Actually Processes About You
The free WeTransfer plan — which accounts for the majority of WeTransfer's user base — processes substantially more personal data than most users realise, and does so under a commercial processing model that creates GDPR lawful basis questions.
Sender and recipient email addresses. Every free WeTransfer transfer requires a sender email address and recipient email address. These are personal data under GDPR Article 4(1). WeTransfer processes them to deliver the transfer notification, but also retains them in its systems for abuse prevention, spam filtering, and (historically, for the free tier) advertising targeting purposes. The legitimate interests basis WeTransfer relies on for this processing must be balanced against data subject interests — and advertising use of email addresses provided for the purpose of file transfer may not survive that balancing test under a strict interpretation.
Device identifiers and IP addresses. WeTransfer logs sender and recipient device information, including IP addresses, browser fingerprints, and device type, at every transfer event. IP addresses are personal data under GDPR (they can identify a natural person at the network level). The retention periods and purposes for which WeTransfer retains device identifiers are detailed in its privacy notice, but they are not limited to the minimum necessary for the stated transfer purpose.
Transfer metadata. WeTransfer retains metadata about every transfer: the size of the transfer, the number of files, the timestamp of upload, the timestamp of download, the number of times the link was accessed, and the geographic locations of downloaders. For business file transfers — contracts sent for signature, proposals shared with clients, source code shared with external collaborators — this metadata constitutes a business intelligence record of organisational activity.
Free-tier advertising. The WeTransfer free tier displays advertising to both senders and recipients. Advertising delivery involves real-time bidding infrastructure — adtech supply chains that pass identifiers about the individual viewing the page to dozens of advertising technology companies. These adtech companies are typically US-incorporated, creating additional SCC-governed transfer chains that WeTransfer's data processing agreement (DPA) does not typically cover in detail.
GDPR Lawful Basis Analysis for Business Use of WeTransfer
EU organisations considering WeTransfer for business file transfer — sharing client deliverables, sending HR documents, distributing financial reports — need to assess the lawful basis for each category of processing WeTransfer performs on their behalf.
Lawful basis for file delivery. The delivery of the file to the named recipient is necessary for the performance of a service, and WeTransfer can rely on contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f)) as the basis for the core transfer function. This is the uncontroversial part.
Lawful basis for advertising processing. The free tier's advertising processing requires a basis. WeTransfer's cookie consent mechanisms (presented to users in the EU) are the gateway to this processing. GDPR Article 6(1)(a) (consent) requires that consent be freely given, specific, informed, and unambiguous. A consent mechanism that conditions free service on advertising data processing may not satisfy the "freely given" standard under EDPB guidance if the alternative requires paying for the service and the distinction is not clearly presented.
Lawful basis for metadata retention beyond delivery. The retention of transfer metadata — who sent what to whom, when, from where — beyond the period necessary to complete the transfer requires a distinct lawful basis. WeTransfer's legitimate interests argument must be weighed against data subject expectations: someone sending files via WeTransfer expects the service to deliver the files, not to retain indefinitely a log of their file-sharing behaviour.
Article 30 Records of Processing Activities. EU organisations that use WeTransfer for business transfers where WeTransfer acts as a data processor (handling files containing personal data about third parties) must include WeTransfer in their Article 30 records. The WeTransfer data processing agreement (available on paid plans) must be assessed to confirm WeTransfer's obligations as a data processor and whether its subprocessor chain is adequately documented.
Recipient Rights and WeTransfer's Data Subject Response Process
GDPR Articles 15-22 give data subjects rights including access, rectification, erasure, restriction, and portability. When EU individuals receive files via WeTransfer, their email address is processed by WeTransfer and their download behaviour is logged. They did not initiate a relationship with WeTransfer — they received a link. This creates a data subject rights question: how does WeTransfer respond to access or erasure requests from individuals who appear in its systems only as file recipients?
WeTransfer's privacy process for recipient-side data subjects is not prominently documented. Recipients who discover that their email address is held in WeTransfer's systems — for example, by noticing a tracking pixel in a notification email — face a response process that is not standardised or well-tested against supervisory authority expectations.
For EU organisations acting as data controllers when they send files via WeTransfer (for example, HR teams sending offer letters, legal teams sending contracts, marketing teams sharing creative assets with client contacts), the obligation to maintain accountability for how their processor (here, WeTransfer) responds to data subject rights requests about those individuals falls on the data controller. If WeTransfer cannot document its recipient data subject rights response process, the EU organisation using WeTransfer inherits that accountability gap.
The Bending Spoons Acquisition: Implications for EU Data Protection
The 2023 acquisition of WeTransfer by Bending Spoons S.p.A. (Italy) has implications for WeTransfer's data protection governance that EU compliance teams should track.
Bending Spoons has a track record of acquiring consumer software products and aggressively restructuring their teams and commercial models. Following the WeTransfer acquisition, Bending Spoons announced significant headcount reductions — approximately 75% of WeTransfer's staff, according to reporting at the time. This included personnel working on privacy, legal, and compliance functions.
Compliance capability reductions matter for GDPR because the operational infrastructure that supports data subject rights responses, subprocessor audits, TIA maintenance, and DPA communications requires sustained investment. When a company's compliance team is significantly downsized, the documentation quality and response cadence that EU data protection authorities expect tends to deteriorate.
EU organisations that rely on WeTransfer as a long-term file-transfer solution should monitor WeTransfer's data processing agreement, subprocessor list, and privacy notice update cadence post-acquisition to assess whether the compliance infrastructure remains adequate for their purposes.
Transfer Impact Assessments for WeTransfer
EU organisations using WeTransfer for data subject-relevant file transfers should conduct a Transfer Impact Assessment covering:
Scope of data transfer to US subprocessors. Identify which WeTransfer subprocessors are US-incorporated or US-controlled, and what categories of personal data each subprocessor processes. Focus particularly on email delivery infrastructure, CDN providers, analytics vendors, and authentication services.
Legal exposure of US subprocessors. For each US-incorporated subprocessor, assess the applicable US surveillance law obligations: CLOUD Act (compelled data production), FISA Section 702 (intelligence community collection from US internet companies), and Executive Order 12333 (upstream collection). The EDPB's Recommendations 01/2020 on supplementary measures identify these as potential conflicts with GDPR Chapter V that SCCs alone cannot resolve for content-accessible hosting use cases.
Supplementary measures. Assess whether WeTransfer's encryption model provides effective supplementary measures. WeTransfer encrypts files in transit (TLS) and at rest (AES-256). However, WeTransfer holds the decryption keys for files in transit and during processing — meaning WeTransfer (and its US subprocessors) can access plaintext file content in response to legal demands. This is analogous to the Box KeySafe situation: without end-to-end encryption where only the sender and recipient hold keys, encryption does not eliminate US legal access risk.
Conclusion for content-sensitive transfers. For EU organisations transferring files containing personal data (HR records, client data, patient information, legal files), a TIA for WeTransfer is likely to conclude that supplementary measures are inadequate for content-accessible file hosting. The recommended action is migration to an EU-native solution with zero-knowledge encryption or on-premises hosting.
EU-Native File Transfer Alternatives
The following alternatives provide file transfer functionality without WeTransfer's US subprocessor dependencies or commercial data processing model.
Nextcloud Share Links (Self-Hosted or EU-Hosted)
Nextcloud is an open-source content collaboration platform incorporated in Germany (Nextcloud GmbH, Stuttgart). For WeTransfer-style large-file sharing, Nextcloud's share link functionality replicates the WeTransfer workflow: upload files, generate a share link, send the link to recipients. Recipients download without requiring a Nextcloud account.
For EU organisations requiring a managed hosting option without operating their own infrastructure, EU-based Nextcloud hosting providers — including Hetzner-hosted instances, sys.academy (Switzerland), and Wölkli (Switzerland) — provide GDPR-compliant managed Nextcloud deployments under EU law. The data controller relationship stays entirely within the EU.
The GDPR advantage: Nextcloud GmbH is a German company, subject to EU law and specifically the BDSG (Bundesdatenschutzgesetz). No SCCs are required for the core data controller relationship. US surveillance law exposure depends on infrastructure choice — a self-hosted instance on Hetzner (a German company) involves no US-incorporated infrastructure in the data path.
Proton Drive Share Links (Switzerland)
Proton AG, the Swiss company behind ProtonMail and Proton Drive, offers zero-knowledge encrypted cloud storage with share link functionality. Files uploaded to Proton Drive are encrypted on the client side before upload — Proton cannot access plaintext file content. Share links can be protected with passwords and set to expire.
Switzerland is not an EU member state, but the Swiss Federal Act on Data Protection (nFADP) is substantially aligned with GDPR, and the European Commission has recognised Switzerland as providing an adequate level of data protection under the EU's adequacy decision mechanism. Transfers to Switzerland therefore do not require SCCs — they proceed under the adequacy decision.
Proton AG's zero-knowledge architecture means that even under a Swiss court order, Proton cannot produce plaintext file content. This provides a substantively stronger privacy guarantee than WeTransfer's server-side encryption model.
Filen.io (Germany)
Filen GmbH is a German company (registered in Münster, NRW) offering zero-knowledge encrypted cloud storage. Filen's file-sharing feature allows users to share files with password protection and expiry dates, similar to WeTransfer. End-to-end encryption is applied to all stored content.
Filen operates under German law and the BDSG. Infrastructure is hosted within Germany. The zero-knowledge model means Filen cannot access file content. For EU organisations with strict GDPR obligations around file content confidentiality, Filen provides a structurally cleaner data protection model than WeTransfer.
Tresorit Send (Hungary / Switzerland)
Tresorit is operated by Tresorit AG, a Swiss company with primary development in Budapest, Hungary. Tresorit Send is a standalone file transfer service — similar to the WeTransfer use case — that provides end-to-end encrypted one-time file transfers with no account required for recipients. Files are encrypted before upload and only decryptable by the recipient using the link provided.
Tresorit is a GDPR-focused product aimed explicitly at regulated industries (legal, healthcare, financial services). Its marketing and compliance documentation are specifically oriented toward EU DPA requirements. Tresorit's compliance with Swiss nFADP (adequate for EU transfers) and its zero-knowledge architecture provide a stronger GDPR baseline than WeTransfer for sensitive file transfers.
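The key-custody distinction drawn in the Transfer Impact Assessment section (provider-held keys versus end-to-end encryption) and the Proton Drive / Tresorit Send share-link model, as an added Go example that is not code from WeTransfer, Proton or Tresorit. The `Stored` type, the `Upload`/`Disclose`/`RecipientDecrypt` functions and the share.example host are constructed for illustration; the zero-knowledge branch relies on the fact that browsers never send the URL fragment to the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)
// Stored is what the provider keeps; ProviderKey is nil in the zero-knowledge model.
type Stored struct{ Ciphertext, ProviderKey []byte }
// aead builds AES-256-GCM; a 32-byte key selects AES-256.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// open decrypts a nonce-prefixed blob; a wrong key or a tampered blob fails.
func open(key, sealed []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// Upload encrypts under a fresh key. providerHoldsKey models the server keeping the
// key (as the post describes WeTransfer); otherwise the key rides only in the URL fragment.
func Upload(id string, plaintext []byte, providerHoldsKey bool) (Stored, string, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read does not fail in current Go
	g, err := aead(key)
	if err != nil {
		return Stored{}, "", err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	ct := g.Seal(nonce, nonce, plaintext, nil) // output is nonce || ciphertext || tag
	link := "https://share.example/d/" + id    // placeholder host
	if providerHoldsKey {
		return Stored{ct, key}, link, nil
	}
	return Stored{ct, nil}, link + "#" + base64.RawURLEncoding.EncodeToString(key), nil
}
// Disclose is what the provider can hand over under a compelled request.
func Disclose(s Stored) ([]byte, error) {
	if s.ProviderKey == nil {
		return nil, errors.New("provider holds ciphertext only")
	}
	return open(s.ProviderKey, s.Ciphertext)
}
// RecipientDecrypt recovers the key from the link fragment and decrypts.
func RecipientDecrypt(link string, s Stored) ([]byte, error) {
	_, frag, ok := strings.Cut(link, "#")
	if !ok {
		return nil, errors.New("link carries no key")
	}
	key, err := base64.RawURLEncoding.DecodeString(frag)
	if err != nil {
		return nil, err
	}
	return open(key, s.Ciphertext)
}
```

With providerHoldsKey set, Disclose returns the plaintext the provider could be compelled to produce; with it unset, Disclose fails and only the holder of the link can decrypt.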
OnionShare / Self-Hosted Options (Maximum Privacy)
For organisations with very high data sensitivity requirements — law firms handling privileged communications, healthcare organisations sharing patient records, security researchers sharing incident data — OnionShare (Tor-based, self-hosted, ephemeral) or self-hosted Nextcloud with end-to-end encryption provide maximum control. These options require technical infrastructure investment but eliminate third-party data controller relationships entirely.
Practical Migration from WeTransfer to EU-Native Alternatives
For individual contributors switching tools. The simplest migration is switching from WeTransfer free to Proton Drive or Filen's free tier. Both services offer share link functionality with comparable UX and zero-knowledge encryption. No procurement process is required for individual adoption.
For teams with managed file sharing needs. Nextcloud deployed on EU-hosted infrastructure provides the most functionally complete replacement for WeTransfer's team-oriented features. EU Nextcloud hosting providers can be procured under a standard DPA framework with no SCCs required.
For organisations requiring contractual compliance documentation. Tresorit offers the most complete GDPR documentation suite of the alternatives listed here, including a detailed DPA, subprocessor list, TIA support documentation, and regulatory compliance certifications targeting EU-regulated industries.
Account for recipient experience. WeTransfer's simplicity for recipients is a large part of why it gets adopted. The best EU alternatives (Proton Drive share links, Filen share links, Tresorit Send) require no recipient account and deliver comparable UX. Nextcloud share links require no recipient account for basic download functionality. The recipient experience objection to migrating from WeTransfer is not a substantive barrier.
Conclusion
WeTransfer B.V. is a Dutch company — and that fact creates a false sense of GDPR compliance among EU organisations that use it. Dutch incorporation places WeTransfer within the EU legal framework as a data controller. It does not eliminate the GDPR exposure that comes from WeTransfer's US subprocessor chain, its commercial data processing model on the free tier, or the questions around Transfer Impact Assessments for US-controlled infrastructure that WeTransfer relies on.
For EU teams sharing files that contain personal data — which, in a business context, includes almost everything — WeTransfer's compliance posture is weaker than its Amsterdam headquarters implies. Nextcloud, Proton Drive, Filen, and Tresorit Send each provide a stronger GDPR baseline, with EU or Swiss legal frameworks, no commercial advertising processing, and (for most options) zero-knowledge encryption that eliminates the residual US legal access risk.
The takeaway for EU compliance teams: when evaluating file-sharing tools, do not stop at headquarters location. Examine the subprocessor chain, the encryption model, and the commercial basis for data processing. WeTransfer passes the first test and fails the second two. EU-native alternatives pass all three.