Dropbox Privacy Policy

Posted: April 17, 2018

Effective: May 25, 2018

Thanks for using Dropbox! Our mission is to create a more enlightened way of working by providing an intuitive, unified platform to collaborate with others and unleash your creative energy. Here we describe how we collect, use, and handle your personal information when you use our websites, software, and services (“Services”). For more information and details, please see our Frequently Asked Questions page.

What & Why

We collect and use the following information to provide, improve, and protect our Services:

Account information. We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, upgrade to a paid plan, and set up two-factor authentication (like your name, email address, phone number, payment info, and physical address). Some of our Services let you access your accounts and your information via other service providers.

Your Stuff. Our Services are designed to make it simple for you to store your files, documents, photos, comments, messages, and so on (“Your Stuff”), collaborate with others, and work across multiple devices. To make that possible, we store, process, and transmit Your Stuff as well as information related to it. This related information includes your profile information that makes it easier to collaborate and share Your Stuff with others, as well as things like the size of the file, the time it was uploaded, collaborators, and usage activity. Our Services provide you with different options for sharing Your Stuff.

Contacts. You may choose to give us access to your contacts to make it easy for you to do things like share and collaborate on Your Stuff, send messages, and invite others to use the Services. If you do, we’ll store those contacts on our servers for you to use.

Usage information. We collect information related to how you use the Services, including actions you take in your account (like sharing, editing, viewing, and moving files or folders). We use this information to improve our Services, develop new services and features, and protect Dropbox users. Please refer to our FAQ for more information about how we use this usage information to improve our Services.

Device information. We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services.

Cookies and other technologies. We use technologies like cookies and pixel tags to provide, improve, protect, and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services. If our systems receive a DNT:1 signal from your browser, we’ll respond to that signal as outlined here.

Marketing. We give users the option to use some of our Services free of charge. These free Services are made possible by the fact that some users upgrade to one of our paid Services. If you register for our free Services, we will, from time to time, send you information about upgrades when permissible. Users who receive these marketing materials can opt out at any time. If you do not want to receive marketing materials from us, simply click the ‘unsubscribe’ link in any email, or update your preferences in the Notifications section of your personal account.

We sometimes contact people who do not have a Dropbox account. For recipients in the EU, we or a third party will obtain consent before contacting you. If you receive an email and no longer wish to be contacted by Dropbox, you can unsubscribe and remove yourself from our contact list via the message itself.

Bases for processing your data. We collect and use the personal data described above in order to provide you with the Services in a reliable and secure manner. We also collect and use personal data for our legitimate business needs. To the extent we process your personal data for other purposes, we ask for your consent in advance or require that our partners obtain such consent. For more information on the lawful bases for processing your data, please see our FAQ.

With Whom

We may share information as discussed below, but we won’t sell it to advertisers or other third parties.

Others working for and with Dropbox. Dropbox uses certain trusted third parties (for example, providers of customer support and IT services) to help us provide, improve, protect, and promote our Services. These third parties will access your information only to perform tasks on our behalf in compliance with this Privacy Policy, and we’ll remain responsible for their handling of your information per our instructions. For a list of trusted third parties that we use to process your personal information, please see our FAQ.

Other users. Our Services display information like your name, profile picture, device, and email address to other users in places like your user profile and sharing notifications. You can also share Your Stuff with other users if you choose. When you register your Dropbox account with an email address on a domain owned by your employer or organization, we may help collaborators and administrators find you and your team by making some of your basic information—like your name, team name, profile picture, and email address—visible to other users on the same domain. This helps you sync up with teams you can join and helps other users share files and folders with you.

Certain features let you make additional information available to others.

Other applications. You can also give third-party providers access to your information and account—for example, via Dropbox APIs. Just remember that their use of your information will be governed by their privacy policies and terms.

Dropbox Team Admins.  If you are a user of a Dropbox team (e.g., Dropbox Business plans or Dropbox Education), your administrator may have the ability to access and control your Dropbox team account. Please refer to your organization’s internal policies if you have questions about this. If you are not a Dropbox team user but interact with a Dropbox team user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address, profile picture, and IP address that was associated with your account at the time of that interaction.

Law & Order and the Public Interest. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or appropriate government request; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or our users; (d) protect Dropbox’s rights, property, safety, or interest; or (e) perform a task carried out in the public interest.

Stewardship of your data is critical to us and a responsibility that we embrace. We believe that your data should receive the same legal protections regardless of whether it’s stored on our Services or on your home computer’s hard drive. We’ll abide by the following Government Request Principles when receiving, scrutinizing, and responding to government requests (including national security requests) for your data:

We publish a Transparency Report as part of our commitment to informing you about when and how governments ask us for information. This report details the types and numbers of requests we receive from law enforcement. We encourage you to review our Government Request Principles and Transparency Report for more detailed information on our approach and response to government requests.

How

Security. We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe in addition to things like two-factor authentication, encryption of files at rest, and alerts when new devices and apps are linked to your account. We deploy automated technologies to detect abusive behavior and content that may harm our Services, you, or other users.

User Controls. You can access, amend, download, and delete your personal information by logging into your Dropbox account and going to your account settings page. You can also limit the way we collect and use your data on the user control page of your Dropbox account. Learn more here about managing your account information generally, or click here to learn how to change your profile information.

Retention. When you sign up for an account with us, we’ll retain information you store on our Services for as long as your account is in existence or as long as we need it to provide you the Services. If you delete your account, we will initiate deletion of this information after 30 days. Learn more here. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.

Where

Around the world. To provide you with the Services, we may store, process, and transmit information in the United States and locations around the world—including those outside your country. Information may also be stored locally on the devices you use to access the Services.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.  When transferring data from the European Union, the European Economic Area, and Switzerland, Dropbox relies upon a variety of legal mechanisms, including contracts with our customers and affiliates. Dropbox complies with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. You can find Dropbox’s Privacy Shield certification here. You can also learn more about Privacy Shield at https://www.privacyshield.gov.

Dropbox is subject to oversight by the U.S. Federal Trade Commission. JAMS is the US-based independent organization responsible for reviewing and resolving complaints about our Privacy Shield compliance—free of charge to you. We ask that you first submit any such complaints directly to us via privacy@dropbox.com. If you aren’t satisfied with our response, please contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under Privacy Shield and its principles.

Changes

If we are involved in a reorganization, merger, acquisition, or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.

We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you.

Your Right to Control and Access Your Information

You have control over your personal information and how it is collected, used, and shared. For example, you have a right to:

For more information on your right to control and access your personal information, please see our FAQ.

Contact

If you reside in North America (the United States, Canada, and Mexico), your personal information is controlled by Dropbox, Inc. For all other users, your personal information is controlled by Dropbox International Unlimited Company. Have questions or concerns about Dropbox, our Services, and privacy? Contact our Data Protection Officer at privacy@dropbox.com. If they can’t answer your question, you have the right to contact your local data protection supervisory authority.