Proton
Looking into the Dropbox privacy policy

Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users(new window) in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions of people.

Turns out, there are some serious issues. Not only does Dropbox collect a lot of information about you, it can also share it with whomever it wants, including commercial partners and law enforcement. Being a Dropbox customer means giving the company a large measure of control over your data. 

This article breaks down the Dropbox privacy policy and explains how our private Dropbox alternative, Proton Drive, differs in fundamental ways.

Taking a look at Dropbox privacy

Dropbox’s privacy policy(new window) is effectively split into two sections: the first part describing the data  the service collects and a subsequent section listing all the entities Dropbox might share your data with. To its credit, Dropbox lays out all these terms clearly in a way anyone can understand. There’s also an FAQ(new window) page that goes into a bit more depth on certain topics.

What data Dropbox collects

The first thing you notice in the privacy policy is how much information Dropbox collects. Besides your email address — a core part of your online identity — Dropbox also collects your name, phone number, physical address, and your payment information.

Dropbox privacy policy personal information

Dropbox also collects and stores data associated with the files you upload, referred to as “Your Stuff.” This includes the size of the file, when and from where it was uploaded, with whom it was shared — Dropbox also collects data about your contact list — and any activity in the files.

Dropbox privacy policy your stuff

In fact, file activity gets its own subsection in the privacy policy, and it’s clear why. Dropbox seems to keep a record of practically anything you could do with a file. Creating, editing, sharing, etc. — it all gets logged somewhere for Dropbox’s use.

Dropbox privacy policy usage information

Finally, Dropbox also gathers a lot of information about the devices you use to access the service, as well as your IP address(new window), a unique identifier that can help determine your physical location. While this can have a legitimate purpose, like troubleshooting, it seems odd that Dropbox preemptively collects this.

Dropbox privacy policy device information

There’s more, but these seem to be the main data points that Dropbox seems to gather on its  customers. What does the company do with this treasure trove, though?

What does Dropbox do with all that data?

Dropbox states it does not sell your data to advertisers or third parties.

Dropbox privacy policy do not sell

However, that doesn’t mean that it doesn’t share it.

Dropbox privacy policy sharing guidelines

What’s most surprising is the number and kinds of third parties on the receiving end of your data. They include companies with extremely poor track records when it comes to privacy, including Google, Amazon, and OpenAI.

Dropbox privacy policy partners

Some of these make sense in the context that Dropbox provides, like support portal ZenDesk, or payment provider Stripe, or even Amazon Web Services, which likely hosts Dropbox’s servers. However, there are also some that should make anybody think twice, like Google, a company that sells data as a business model.

Other less well-known companies include Kissmetrics, which analyzes data for advertisers, and OpenAI, the company that developed ChatGPT, known for cutting corners when it comes to users’ privacy.

That’s not all of it, either. As a business headquartered in the United States, Dropbox has to comply with US search warrants and other orders, which may be secretive(new window) and are often easy to get(new window). This means your data could be seized on even flimsy pretexts. As a result, Dropbox gets a lot of requests from law enforcement(new window).

Dropbox privacy policy law and order

However, it gets worse: Dropbox also makes explicit that it’s more than happy to share data with the authorities on its own judgment. Where all cloud services are forced to cooperate with law enforcement when a warrant is served, Dropbox makes it very clear that it will volunteer information. No wonder Edward Snowden called it a “wannabe PRISM partner(new window).”

What it means for consumers

Dropbox doesn’t advertise as a privacy service, but even with that in mind it’s shocking how much data it collects and with whom it shares it. It pretty much knows everything it’s possible for them to know about you, and is more than happy to share it with marketers — its own, as well as third parties.

Worse yet, it also makes clear it will share data with police in the “public interest,” a term so vague it can be used to justify any kind of situation. All we know for sure is that privacy isn’t a matter of public interest according to Dropbox.

What makes it worse is that to harvest all this data it has made its users less secure. To see what users are doing on your platform, you must be able to decrypt their files. In other words, Dropbox does not use end-to-end encryption, the most secure form of data protection. This weak focus on security has led to a long string of Dropbox security incidents.

Even if you’re fine with Dropbox knowing about your private data (and why would you be?), the fact that this practice also makes it unsafe should give you pause.

A private Dropbox alternative

We developed Proton Drive to give our community a secure cloud storage service that takes your privacy seriously. Unlike with Dropbox, your privacy isn’t something we can take away on a whim — it’s included by default.

For example, we don’t collect much data about our customers. We have your email, your payment information if you upgrade your plan, and that’s about it. (You can see how we minimize data collection in our privacy policy.) We just have no interest in having that data because our business model is based on offering private and secure services to our customers. We’re funded entirely by our community and thus don’t need to sell data to advertisers. 

We’re also less exposed to law enforcement orders since we’re based in Switzerland and thus are subject to Swiss privacy laws, some of the strictest in the world.

Even if we wanted to access your data or share it, we can’t. Proton uses end-to-end encryption on all our apps. This means your files are encrypted on your device before they’re uploaded to our servers. This protects your privacy, but also makes it so there’s not much for hackers to steal in case of a breach.

All this is part of our mission to create a better internet. If that, as well as a more secure, private cloud storage alternative, sounds like something you’d want to be part of, create a free Proton Drive account and join us.

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.