Looking into the Dropbox privacy policy

We took a dive into the Dropbox privacy policy — it’s not good


Dropbox was the first mainstream cloud storage provider, and is still the biggest player on the market, with 700 million users in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions of people.

Turns out, there are some serious issues. Not only does Dropbox collect a lot of information about you, it can also share it with whomever it wants, including commercial partners and law enforcement. Being a Dropbox customer means giving the company a large measure of control over your data. 

This article breaks down the Dropbox privacy policy and explains how our private Dropbox alternative, Proton Drive, differs in fundamental ways.

Taking a look at Dropbox privacy

Dropbox’s privacy policy is effectively split into two sections: the first part describing the data the service collects and a subsequent section listing all the entities Dropbox might share your data with. To its credit, Dropbox lays out all these terms clearly in a way anyone can understand. There’s also an FAQ page that goes into a bit more depth on certain topics.

What data Dropbox collects

The first thing you notice in the privacy policy is how much information Dropbox collects. Besides your email address — a core part of your online identity — Dropbox also collects your name, phone number, physical address, and your payment information.

[Image: Dropbox privacy policy, personal information]

Dropbox also collects and stores data associated with the files you upload, referred to as “Your Stuff.” This includes the size of the file, when and from where it was uploaded, with whom it was shared — Dropbox also collects data about your contact list — and any activity in the files.

[Image: Dropbox privacy policy, "Your Stuff"]

In fact, file activity gets its own subsection in the privacy policy, and it’s clear why. Dropbox seems to keep a record of practically anything you could do with a file. Creating, editing, sharing, etc. — it all gets logged somewhere for Dropbox’s use.

[Image: Dropbox privacy policy, usage information]

Finally, Dropbox also gathers a lot of information about the devices you use to access the service, as well as your IP address, a unique identifier that can help determine your physical location. While this can have a legitimate purpose, like troubleshooting, it seems odd that Dropbox preemptively collects this.

[Image: Dropbox privacy policy, device information]

There’s more, but these seem to be the main data points that Dropbox gathers on its customers. What does the company do with this treasure trove, though?

What does Dropbox do with all that data?

Dropbox states it does not sell your data to advertisers or third parties.

[Image: Dropbox privacy policy, statement that it does not sell data]

However, that doesn’t mean that it doesn’t share it.

[Image: Dropbox privacy policy, sharing guidelines]

What’s most surprising is the number and kinds of third parties on the receiving end of your data. They include companies with extremely poor track records when it comes to privacy, including Google, Amazon, and OpenAI.

[Image: Dropbox privacy policy, partners]

Some of these make sense in the context that Dropbox provides, like support portal ZenDesk, or payment provider Stripe, or even Amazon Web Services, which likely hosts Dropbox’s servers. However, there are also some that should make anybody think twice, like Google, a company that sells data as a business model.

Other less well-known companies include Kissmetrics, which analyzes data for advertisers, and OpenAI, the company that developed ChatGPT, known for cutting corners when it comes to users’ privacy.

That’s not all of it, either. As a business headquartered in the United States, Dropbox has to comply with US search warrants and other orders, which may be secretive and are often easy to get. This means your data could be seized on even flimsy pretexts. As a result, Dropbox gets a lot of requests from law enforcement.

[Image: Dropbox privacy policy, law and order]

However, it gets worse: Dropbox also makes explicit that it’s more than happy to share data with the authorities on its own judgment. Where all cloud services are forced to cooperate with law enforcement when a warrant is served, Dropbox makes it very clear that it will volunteer information. No wonder Edward Snowden called it a “wannabe PRISM partner.”

What it means for consumers

Dropbox doesn’t advertise itself as a privacy service, but even with that in mind it’s shocking how much data it collects and with whom it shares it. It knows pretty much everything it’s possible for it to know about you, and is more than happy to share it with marketers — its own, as well as third parties.

Worse yet, it also makes clear it will share data with police in the “public interest,” a term so vague it can be used to justify any kind of situation. All we know for sure is that privacy isn’t a matter of public interest according to Dropbox.

What makes it worse is that to harvest all this data it has made its users less secure. To see what users are doing on your platform, you must be able to decrypt their files. In other words, Dropbox does not use end-to-end encryption, the most secure form of data protection. This weak focus on security has led to a long string of Dropbox security incidents.

Even if you’re fine with Dropbox knowing about your private data (and why would you be?), the fact that this practice also makes it unsafe should give you pause.

A private Dropbox alternative

We developed Proton Drive to give our community a secure cloud storage service that takes your privacy seriously. Unlike with Dropbox, your privacy isn’t something we can take away on a whim — it’s included by default.

For example, we don’t collect much data about our customers. We have your email, your payment information if you upgrade your plan, and that’s about it. (You can see how we minimize data collection in our privacy policy.) We just have no interest in having that data because our business model is based on offering private and secure services to our customers. We’re funded entirely by our community and thus don’t need to sell data to advertisers. 

We’re also less exposed to law enforcement orders since we’re based in Switzerland and thus are subject to Swiss privacy laws, some of the strictest in the world.

Even if we wanted to access your data or share it, we can’t. Proton uses end-to-end encryption on all our apps. This means your files are encrypted on your device before they’re uploaded to our servers. This protects your privacy, but also makes it so there’s not much for hackers to steal in case of a breach.

All this is part of our mission to create a better internet. If that, as well as a more secure, private cloud storage alternative, sounds like something you’d want to be part of, create a free Proton Drive account and join us.


Fergus O'Sullivan

Fergus has been a writer, journalist, and privacy advocate for close to a decade. In that time he has run investigations of the privacy industry, written on policy, and reviewed more programs and apps than you can shake a stick at. Before starting work at Proton, he worked for publications such as How-to Geek and Cloudwards, as well as helping host events at conferences like RightsCon.
