If your organisation signed a Dropbox Business, Dropbox Services or Dropbox Enterprise Agreement with Dropbox, that Agreement may have modified the Privacy Policy below. Please contact your organisation’s Admin for details.
This translation is provided for convenience only and the US English language version will control in the event of any discrepancies.
Dropbox Privacy Policy
Posted: 26 September 2023
Effective: 26 September 2023
You can see the previous Privacy Policy here.
Thank you for using Dropbox! Here we describe how we collect, use and handle your personal data when you use our websites, software and services (‘Services’). For more information and details, please see our Frequently Asked Questions page.
What & why
We collect and use the following information to provide, improve, protect and promote our Services.
Account information. We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, upgrade to a paid plan and set up two-factor authentication (such as your name, email address, phone number, payment info and physical address).
Your Stuff. Our Services are designed as a simple, personalised way for you to store your files, documents, photos, comments, messages and so on (‘Your Stuff’), collaborate with others and work across multiple devices and services. To make that possible, we store, process and transmit Your Stuff as well as information related to it. This related information includes your profile information, which makes it easier to collaborate and share Your Stuff with others, as well as things like the size of the file, the time it was uploaded, collaborators and usage activity.
Contacts. You may choose to give us access to your contacts to make it easy for you, and your Dropbox Team if you’re a Dropbox Team user, to do things like share and collaborate on Your Stuff, send messages and invite others to use the Services. If you do, we’ll store those contacts on our servers.
Usage information. We collect information related to how you use the Services, including actions you take in your account (like sharing, editing, viewing, creating and moving files or folders and sending and receiving electronic signature requests and other transactions). We use this information to provide, improve and promote our Services, and protect Dropbox users. Please refer to our FAQ for more information about how we use this usage information.
Device information. We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services. For example, we use device information to detect abuse and identify and troubleshoot bugs.
Cookies and other technologies. We use technologies like cookies and pixel tags to provide, improve, protect and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services. If our systems receive a DNT:1 signal from your browser, we’ll respond to that signal as outlined here. We may also use third-party service providers that set cookies and similar technologies to promote Dropbox services. You can find out more about how cookies and similar technologies work, as well as how to opt out of the use of them for advertising purposes, here.
DocSend and Dropbox analytics. When you use the DocSend or Dropbox analytics portion of our Services to view content, we collect information including your identifying and device information, such as email addresses, IP addresses and device identifiers of devices you use to view the content. We also collect information on how you interact with the viewed content, such as the date and time you view the content, the number of times and length of time you view the content and which portions of the content you view.
Marketing. We give users the option to use some of our Services free of charge. These free Services are made possible by the fact that some users upgrade to one of our paid Services. If you register for our Services, we will, from time to time, send you information about upgrades when permissible. Users who receive these marketing materials can opt out at any time. If you don’t want to receive a particular type of marketing material from us, click the ‘unsubscribe’ link in the corresponding emails, or update your preferences in the Notifications section of your personal account.
We may also collect information from you if you interact with Dropbox representatives at an event, download marketing or educational materials from our website or contact a Dropbox representative. We may use the information you provide to send you additional marketing materials.
We sometimes contact people who don’t have a Dropbox account. For recipients in the EU, we or a third party will obtain consent before getting in touch. If you receive an email and no longer wish to be contacted by Dropbox, you can unsubscribe and remove yourself from our contact list via the message itself.
Bases for processing your data. We collect and use the personal data described above in order to provide you with the Services in a reliable and secure manner. We also collect and use personal data for our legitimate business needs. To the extent that we process your personal data for other purposes, we ask for your consent in advance or require our partners to obtain such consent. For more information on the lawful bases for processing your data, please see our FAQ.
For more details on the categories of personal information that are included in the information above, please see our FAQ.
With whom
We may share information as discussed below, but we won’t sell it to advertisers or other third parties.
Others working for and with Dropbox. Dropbox uses certain trusted third parties (for example, providers of customer support and IT services) for the business purposes of helping us provide, improve, protect and promote our Services. These third parties will access your information to perform tasks on our behalf, and we’ll remain responsible for their handling of your information per our instructions. For a list of trusted third parties that we use to process your personal data and more details about the categories of personal information that we’ve disclosed, please see our FAQ.
Other Dropbox Companies. Dropbox shares infrastructure, systems and technology with other Dropbox Companies to provide, improve, protect and promote Dropbox Company Services. We process your information across the Dropbox Companies for these purposes, as permitted by applicable law and in accordance with their terms and policies. For more information on Dropbox Companies, Dropbox Company Services and how your data is used, please see our FAQ.
Other users. Our Services are designed to help you collaborate with others. If you register your Dropbox account with an email address on a domain owned by your employer or organisation, join a Dropbox Team or collaborate with other Dropbox users, we may suggest you or your team as a potential collaborator to other users or teams. For example, if you interact with a person at a company, and that person frequently works with one of their colleagues, we may suggest you as a potential collaborator for that colleague. Collaborators and potential collaborators may see some of your basic information, like your name, Dropbox Team name, profile picture, device, email address and usage information. This helps you sync up with teams you can join and helps other users share files and folders with you.
Certain features let you make additional information available to others. For example, if you view a file or folder shared from DocSend or Dropbox analytics, we will share your identifying information such as name and email address, information on the device you used to view the content, for how long you viewed the content and what portion of the content you viewed with the owner of the file or folder.
Other applications. You can choose to connect your Dropbox account with third-party services – for example, via Dropbox APIs. By doing so, you’re enabling Dropbox and those third parties to exchange information about you and data in your account so that Dropbox and those third parties can provide, improve, protect and promote their services. Please remember that third parties’ use of your information will be governed by their own privacy policies and terms of service.
Team Admins. If you are a user of a Dropbox Team, your administrator may have the ability to access and control your Dropbox Team account. Please refer to your organisation’s internal policies if you have questions about this. If you aren’t a Dropbox Team user but interact with a Dropbox Team user (for example, by joining a shared folder or accessing stuff shared by that user), members of that organisation may be able to view information about you (such as your name, email address and profile picture) and your interaction with the Dropbox Team user (such as your IP address). If you share Your Stuff with a Dropbox Team user, the administrator of the team account may have the ability to access and edit what you share.
Law and order and the public interest. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process or appropriate government request; (b) protect any person from death or serious bodily harm; (c) prevent fraud or abuse of Dropbox or our users; (d) protect Dropbox’s rights, property, safety or interest; or (e) perform a task carried out in the public interest.
Stewardship of your data is critical to us and a responsibility that we embrace. We believe that your data should receive the same legal protections regardless of whether it’s stored on our Services or on your home computer’s hard drive. We’ll abide by the following Government Request Principles when receiving, scrutinising and responding to government requests (including national security requests) for your data:
- Be transparent
- Fight blanket requests
- Protect all users
- Provide trusted services
We publish a Transparency Report as part of our commitment to informing you about when and how governments ask us for information. This report details the types and numbers of requests we receive from law enforcement. We encourage you to review our Government Request Principles and Transparency Report for more detailed information on our approach and response to government requests.
How
Security. We have a team dedicated to keeping your information secure and testing for vulnerabilities. We continue to work on features to keep your information safe in addition to things like two-factor authentication, encryption of files at rest, and alerts when new devices and apps are linked to your account. We deploy automated technologies to detect abusive behaviour and content that may harm our Services, you or other users.
User controls. You can access, amend, download and delete your personal information by logging in to your Dropbox account and going to your account settings page. Find out more here about managing your account information generally, or click here to see how to change your profile information.
Retention. When you sign up for an account with us, we’ll retain information you store on our Services for as long as your account exists or for as long as we need it to provide you the Services. If you delete your account, we’ll initiate deletion of this information after 30 days. Find out more here. Please note: (1) there might be some latency in deleting this information from our servers and backup storage, and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes or enforce our agreements.
Use of Data from Google APIs. Dropbox’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Where
Around the world. To provide you with the Services, we may store, process and transmit data in the United States and locations around the world – including those outside your country. Data may also be stored locally on the devices that you use to access the Services.
Data Transfers. When transferring data from the European Union, the European Economic Area, the United Kingdom and Switzerland, Dropbox relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses, the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the European Commission’s adequacy decisions about certain countries, as applicable.
Data Privacy Frameworks. Dropbox complies with the EU-US and Swiss-US Data Privacy Frameworks, as well as the UK Extension to the EU-US Data Privacy Framework, as set forth by the US Department of Commerce regarding the processing of personal data transferred from the European Union, the European Economic Area, the United Kingdom and Switzerland to the United States. Dropbox has certified to the US Department of Commerce that it adheres to the Principles of these Data Privacy Frameworks with respect to such data, but this does not include the DocSend or Formswift portions of the Services. If there is any conflict between this Privacy Policy and the Data Privacy Framework Principles, the Principles shall govern. In accordance with the Principles, Dropbox shall remain liable for onward transfers if a processor processes personal data in a manner inconsistent with the Principles. To find out more about the Data Privacy Framework, and to view our certification, visit https://www.dataprivacyframework.gov.
Dropbox is subject to oversight by the US Federal Trade Commission. JAMS is the US-based independent organisation responsible for reviewing and resolving complaints about our Data Privacy Framework compliance – free of charge to you. We ask that you first submit any such complaints directly to us via privacy@dropbox.com. If you aren’t satisfied with our response, please contact JAMS at https://www.jamsadr.com/dpf-dispute-resolution. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration as set forth in Annex I of the Data Privacy Framework Principles.
Your control of and access to Your Data
You have control over your personal data and how it’s collected, used and shared. For example, you can:
- Delete Your Stuff in your Dropbox account. You can find out more about how to delete files saved on Dropbox here.
- Change or correct personal data. You can manage your account and the content contained in it, as well as edit some of your personal data, through your account settings page.
- Access and take your data elsewhere. You can access your personal data from your Dropbox account and you can download a copy of Your Stuff in a machine-readable format as outlined here. You can also ask us for a copy of the personal data that you provided to us or that we’ve collected, the business or commercial purpose for collecting it, the types of sources we got it from and types of third parties we’ve shared it with.
- Object to the processing of your personal data. Depending on the processing activity, you can request that we stop or limit processing of your personal data.
If you would like to submit a data access request or object to the processing of your personal data, please email us at privacy@dropbox.com. To request deletion of your personal data, please fill in this form. For more information on how to control and access your personal data, please see our FAQ.
Dropbox as controller or processor. If you reside in North America (the United States, Canada and Mexico), Dropbox, Inc. acts as your service provider. For all other users, Dropbox International Unlimited Company acts as a controller of your personal data. Outside North America, if you are a Dropbox Team customer or use the Dropbox Sign or DocSend team portions of the Services, Dropbox acts as a processor of your data.
Changes
If we’re involved in a reorganisation, merger, acquisition or sale of our assets, your data may be transferred as part of that deal. We’ll notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.
We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you.
Contact
Do you have questions or concerns about Dropbox, our Services and privacy? Contact our Data Protection Officer at privacy@dropbox.com. If they can’t answer your question, you have the right to contact your local data protection supervisory authority.