ProtonBlog
Looking into the Dropbox privacy policy

We took a dive into the Dropbox privacy policy — it’s not good

Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users(new window) in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions of people.

Turns out, there are some serious issues. Not only does Dropbox collect a lot of information about you, it can also share it with whomever it wants, including commercial partners and law enforcement. Being a Dropbox customer means giving the company a large measure of control over your data. 

This article breaks down the Dropbox privacy policy and explains how our private Dropbox alternative, Proton Drive, differs in fundamental ways.

Taking a look at Dropbox privacy

Dropbox’s privacy policy(new window) is effectively split into two sections: the first part describing the data  the service collects and a subsequent section listing all the entities Dropbox might share your data with. To its credit, Dropbox lays out all these terms clearly in a way anyone can understand. There’s also an FAQ(new window) page that goes into a bit more depth on certain topics.

What data Dropbox collects

The first thing you notice in the privacy policy is how much information Dropbox collects. Besides your email address — a core part of your online identity — Dropbox also collects your name, phone number, physical address, and your payment information.

Dropbox privacy policy personal information

Dropbox also collects and stores data associated with the files you upload, referred to as “Your Stuff.” This includes the size of the file, when and from where it was uploaded, with whom it was shared — Dropbox also collects data about your contact list — and any activity in the files.

Dropbox privacy policy your stuff

In fact, file activity gets its own subsection in the privacy policy, and it’s clear why. Dropbox seems to keep a record of practically anything you could do with a file. Creating, editing, sharing, etc. — it all gets logged somewhere for Dropbox’s use.

Dropbox privacy policy usage information

Finally, Dropbox also gathers a lot of information about the devices you use to access the service, as well as your IP address(new window), a unique identifier that can help determine your physical location. While this can have a legitimate purpose, like troubleshooting, it seems odd that Dropbox preemptively collects this.

Dropbox privacy policy device information

There’s more, but these seem to be the main data points that Dropbox seems to gather on its  customers. What does the company do with this treasure trove, though?

What does Dropbox do with all that data?

Dropbox states it does not sell your data to advertisers or third parties.

Dropbox privacy policy do not sell

However, that doesn’t mean that it doesn’t share it.

Dropbox privacy policy sharing guidelines

What’s most surprising is the number and kinds of third parties on the receiving end of your data. They include companies with extremely poor track records when it comes to privacy, including Google, Amazon, and OpenAI.

Dropbox privacy policy partners

Some of these make sense in the context that Dropbox provides, like support portal ZenDesk, or payment provider Stripe, or even Amazon Web Services, which likely hosts Dropbox’s servers. However, there are also some that should make anybody think twice, like Google, a company that sells data as a business model.

Other less well-known companies include Kissmetrics, which analyzes data for advertisers, and OpenAI, the company that developed ChatGPT, known for cutting corners when it comes to users’ privacy.

That’s not all of it, either. As a business headquartered in the United States, Dropbox has to comply with US search warrants and other orders, which may be secretive(new window) and are often easy to get(new window). This means your data could be seized on even flimsy pretexts. As a result, Dropbox gets a lot of requests from law enforcement(new window).

Dropbox privacy policy law and order

However, it gets worse: Dropbox also makes explicit that it’s more than happy to share data with the authorities on its own judgment. Where all cloud services are forced to cooperate with law enforcement when a warrant is served, Dropbox makes it very clear that it will volunteer information. No wonder Edward Snowden called it a “wannabe PRISM partner(new window).”

What it means for consumers

Dropbox doesn’t advertise as a privacy service, but even with that in mind it’s shocking how much data it collects and with whom it shares it. It pretty much knows everything it’s possible for them to know about you, and is more than happy to share it with marketers — its own, as well as third parties.

Worse yet, it also makes clear it will share data with police in the “public interest,” a term so vague it can be used to justify any kind of situation. All we know for sure is that privacy isn’t a matter of public interest according to Dropbox.

What makes it worse is that to harvest all this data it has made its users less secure. To see what users are doing on your platform, you must be able to decrypt their files. In other words, Dropbox does not use end-to-end encryption, the most secure form of data protection. This weak focus on security has led to a long string of Dropbox security incidents.

Even if you’re fine with Dropbox knowing about your private data (and why would you be?), the fact that this practice also makes it unsafe should give you pause.

A private Dropbox alternative

We developed Proton Drive to give our community a secure cloud storage service that takes your privacy seriously. Unlike with Dropbox, your privacy isn’t something we can take away on a whim — it’s included by default.

For example, we don’t collect much data about our customers. We have your email, your payment information if you upgrade your plan, and that’s about it. (You can see how we minimize data collection in our privacy policy.) We just have no interest in having that data because our business model is based on offering private and secure services to our customers. We’re funded entirely by our community and thus don’t need to sell data to advertisers. 

We’re also less exposed to law enforcement orders since we’re based in Switzerland and thus are subject to Swiss privacy laws, some of the strictest in the world.

Even if we wanted to access your data or share it, we can’t. Proton uses end-to-end encryption on all our apps. This means your files are encrypted on your device before they’re uploaded to our servers. This protects your privacy, but also makes it so there’s not much for hackers to steal in case of a breach.

All this is part of our mission to create a better internet. If that, as well as a more secure, private cloud storage alternative, sounds like something you’d want to be part of, create a free Proton Drive account and join us.

Keep your files private, share them securely
Get Proton Drive free

Related articles

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that ar
People often choose to remove their personal information from the internet due to privacy and security concerns. For example, oversharing on social media can expose you to phishing attacks, identity theft, and cyberstalking. Plus, your data is highl
It’s been roughly three months since the European Union’s Digital Markets Act (DMA), which aims to restore competition and fairness to the internet, came into effect for Big Tech monopolies. Since then, Google has done precisely nothing to comply wit
Today we’re announcing enhancements to our business plans, further enriching our commitment to delivering the best privacy experience for businesses. These upgrades will help us continue expanding our feature suite for organizations, while giving mor
Proton Pass brings secure and private password management to all devices
Today, we’re excited to announce the launch of the Proton Pass macOS app and the Proton Pass Linux app. One of the most popular requests from the Proton community was a standalone desktop app, which is now available on every major platform — Windows,
When you use the internet at home, connected to everything from fitness equipment to game consoles, smartphones, and laptops, marketing companies could be watching you with a tiny piece of surveillance tech you might not even know about. We’re talki