For millions of people, WeTransfer is synonymous with sending files. Create a link, email it, done. But if you send business documents through it, you would do well to take a close look at the terms. They changed, and not in a way that inspires confidence.
What happened in July 2025
In July 2025, WeTransfer introduced a new clause in its terms of service. It stated that uploaded files could be used to improve the service, including the training of AI models. The change was not announced; users discovered it themselves in the fine print.
The reaction was fierce. Photographers, designers and lawyers pointed out that client material, contracts and creative work could end up in training data without clear consent. WeTransfer then amended the clause and promised that users remain the owners of their files and that no AI training takes place without explicit consent.
That calmed the storm, but the lesson stands: the rules of a free service can change quietly, and you only find out when someone else raises the alarm.
The issues that keep pinching for businesses
Leaving the AI controversy aside, WeTransfer has structural characteristics that deserve attention when used for business.
1. Your data can pass through American servers. WeTransfer uses infrastructure where traffic can route through the United States. For your customers' personal data, that means American legislation such as the CLOUD Act may apply. Under the GDPR, your business must be able to explain where customer data is stored and under which legal regime.
2. Trackers on the transfer page. Analyses by Ghostery and NordVPN, among others, found tracking services such as Quantcast, Mixpanel and Google Analytics on WeTransfer, some of them already active before explicit consent. For a consumer that is annoying; for a business with GDPR obligations towards its own customers, it is a risk you cannot control yourself.
3. No end-to-end encryption. WeTransfer encrypts properly in transit (TLS) and on the server (AES-256). But the service itself can technically access the contents. That is true of most cloud services, including ours, but it means your trust rests entirely with the provider and its jurisdiction.
4. No control after sending. The free version has no passwords, no revocable links and no insight into who downloaded a file. Once sent, a link is public property: anyone it gets forwarded to can access the file.
When is WeTransfer perfectly fine?
To be fair: for a holiday photo album to family or a presentation without sensitive content, WeTransfer is a perfectly good service. The problem arises with documents you are responsible for as a business: annual figures, contracts, personnel files, copies of identity documents, customer data. For those, the GDPR imposes accountability obligations that a free consumer service simply does not meet.
The checklist for a business alternative
Anyone who went looking for an alternative after the summer of 2025 came across names like SwissTransfer, Smash and Tresorit. Whichever service you consider, hold it up to this yardstick:
- EU hosting and EU jurisdiction. Is the data physically located in Europe, and does the provider fall under European law?
- Control per link. Can you set a password, add an expiry date and revoke a link afterwards?
- Visibility. Can you see who downloaded a file, and when? In the event of a data breach, you must be able to reconstruct this.
- Data processing agreement. If you share your clients' documents, a data processing agreement with your provider is a GDPR requirement, not a luxury.
- Clear terms. Is it stated in black and white what does and does not happen with your files, even if the policy changes?
Ticking off these five points quickly narrows the field down to a handful of serious options. We put codocs and WeTransfer side by side, point by point, on our page about the business WeTransfer alternative.
How codocs solves this
We built codocs precisely around that yardstick. Files are stored encrypted on servers in the EU and never leave Europe. Each recipient gets their own link that you can protect with a password and an expiry date, and that you can revoke at any time. You see per recipient when a file is downloaded for the first time, and the full audit log keeps track of what happens to your files. A data processing agreement is available for business customers.
No AI training on your documents, no advertising trackers on the sharing page, no surprises in the fine print. File sharing the way it should be: you stay in control, from upload to final download.
Want to know more about secure sharing with specific professions? Read our article on sharing files securely with your accountant.