The thing that bothers me most about the current landscape: services claim zero-knowledge encryption, then require you to hand over your full name and email address just to password-protect a link. If the server genuinely never sees the key — why does it need to know who you are before you can use a basic feature? It doesn't. That's a conversion funnel, not a privacy decision.
How FileShot actually works:
- AES-256-GCM runs entirely in the browser before any bytes leave your machine
- Keys are generated client-side and exist only in the URL fragment (#key=...)
- URL fragments are never sent in HTTP requests — the server is architecturally incapable of seeing your key
- Password protection, expiry dates, download limits: all free, no account required
- Accounts exist only for things that genuinely need server-side state: File Manager, history, persistent settings
What I've shipped as one person:
- Web app (pure static HTML — no build pipeline, no framework bloat)
- Native desktop app (Windows + Mac)
- Chrome extension (screenshot capture, clipboard upload, page selection capture)
- Android app
Free tier: 50GB per file. I have the infrastructure to support it, so I do. No file count limits, no bandwidth throttle, no artificial feature gates.
I built this because I genuinely believe a single developer with the right infrastructure can build something that competes with well-funded startups on the actual merits. Not to harvest data. Not to build funnels. Because doing it right felt more satisfying than doing it profitably.
Would love honest feedback — especially: what would it take for you to actually trust a service like this with sensitive files? What trust signals matter most to you?