Proton Drive - Privacy policy
Last modified: 15 March 2023
This sub-policy is an integral part of the Proton Privacy Policy. It details the data processing activities specifically related to the creation and activity of your Proton Account when you use Proton Drive.
2.2.1 Account Creation: There are two ways to create a Proton account for use with Proton Drive. The first method is to create an account using an existing email address. In this case, we save personal information in the form of this email address, which is also the unique identifier for your Proton account. You can change this address if you wish, and if you delete your Proton account, this information is removed from our systems. The second way to create a Proton account for use with Proton Drive is by creating a Proton Mail email address. In this case, it is not necessary to provide personal information in order to create an Account.
Irrespective of how your Proton account is created, you may provide an external email address for notification or password recovery purposes. Should you choose to provide it, we do associate this email address with your Account (for password recovery or notification purposes). Such data will only be used to contact you with important notifications about the Services, to send you information related to security, to verify your account or to send you password recovery links if you enable the option. We may also inform you about new Proton products in which you might have an interest. The legal basis for processing is consent and you are free to remove that data in your Account settings panel at any time.
In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, we use a variety of human verification methods. Verification may also be requested for some sensitive operations besides account creation in order to protect against brute-force attacks. You may be asked to verify using either hCaptcha (or reCAPTCHA in the event that hCaptcha is unavailable), email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes. The period of temporary data retention is determined by our legitimate interests of protecting the service from spam, and also by any applicable Swiss legal requirements we must comply with. If this data is saved permanently, it is always saved as a cryptographic hash, which ensures that the raw values cannot be deciphered by us.
2.2.2 Account Activity: All files in Proton Drive are protected with end-to-end encryption. Proton does not possess the ability to decrypt end-to-end encrypted data and therefore cannot share it with third parties. Furthermore, metadata such as filenames, folder names, and thumbnail previews is also end-to-end encrypted. We also only store the size of the encrypted files, and not the size of the original unencrypted file, which is therefore obfuscated in our system. In addition to end-to-end encryption, all content is also cryptographically signed. This means that you can always check the signature of any content you receive from our servers, which protects you from forgery (e.g. by a malicious actor). In order to operate the service and support some of the required features, we do have access to file/folder creation and modification times, permissions, and the username that created or uploaded a particular file (required to perform the cryptographic signature checks that verify file authenticity).
When sharing URLs, we have access to the creation and last access time, the number of times the URL was accessed, and its creator. However, we do NOT have access to file contents, file and folder names, or thumbnail previews. Such data is end-to-end encrypted. We can only access the contents of a shared file or folder if a sharing URL is sent to us by a third party who themselves has access to the shared file, along with the access password (if enabled). This can happen from time to time, for instance, if the third party is reporting abuse to us.
2.2.3 IP logging: By default, we do not keep permanent IP logs in relation to your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute-force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities.
If you enable authentication logging for your Account, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account.
2.2.4 Data storage: All servers used in connection with the provision of the Service are wholly owned and operated by the Company or its subsidiaries. Only employees of the Company have physical or other access to the servers. Data is always stored in encrypted format on our servers, which are exclusively located in Switzerland or Germany, under the protection of some of the world's strongest privacy laws. Offline backups, which may be stored periodically, are also encrypted. We cannot decrypt any user encrypted content on either the production servers or in the backups. Backups are kept for up to 30 days.
Note that if you trash a file, it is not actually deleted until you permanently delete it from the trash. Furthermore, if Proton Drive's file versioning feature is activated, overwriting a file will not delete the previous version, which will remain available until it is permanently deleted by the user.