1. Overview & Key Points

FileDrop ("we", "us", or "our") operates the FileDrop mobile application and the website at filedrop-site.pages.dev (collectively, the "Service"). This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights with respect to that information.

We have designed FileDrop with privacy as a core principle:

• 🚫 No user accounts or registration required.
• 🚫 No names, email addresses, or phone numbers collected.
• 🚫 No tracking across other apps or websites.
• 🚫 No advertising or sale of personal data.
• ✅ All uploaded files automatically deleted within 24 hours.
• ✅ Files accessible only via a randomly generated code — never publicly listed.

2. Information We Collect

We collect the following categories of information when you use FileDrop:

2.1 Files You Upload

When you upload a file, the file content is temporarily stored on our servers to enable delivery to the recipient. The file is associated with a randomly generated 6-character code — not with you personally.

2.2 File Metadata

We store limited metadata about each uploaded file:

• File name — displayed to the recipient before download.
• File size — used to enforce storage limits.
• File type (MIME type) — used to display file type icons.
• Upload timestamp — used to calculate when the file expires.
• Download count — enforces the maximum download limit.
• Share code — random 6-character string used to retrieve the file.

None of this metadata is linked to your identity.

2.3 Device Identifier (App Only)

The FileDrop app generates a random UUID the first time it runs and stores it locally on your device using the device's secure shared preferences. This ID is used solely to:

• Track how many uploads you have made today (to enforce the daily limit).
• Associate uploads with your device so you can manage them in "My Uploads".

This ID is not tied to your name, email, or any other personal information. It is never shared with third parties and is not used for tracking across sessions or apps.

2.4 Server Logs

Like all web services, our servers automatically record the following when you make requests:

• IP address of the requesting device.
• Date and time of the request.
• The file code accessed (not the file content).
• HTTP method and response code.

Server logs are used solely for security monitoring, abuse prevention, and diagnosing technical issues. Logs are automatically deleted within 24 hours.

2.5 What We Do NOT Collect

We explicitly do not collect:

• Name, email address, phone number, or any contact information.
• GPS location or precise location data.
• Device contacts, call history, or messages.
• Browsing history or behavior across other apps.
• Payment or financial information.
• Biometric data of any kind.
• Social network profiles or connections.

3. How We Use Information

The information we collect is used exclusively for the following purposes:

• Service delivery: Storing and delivering the uploaded file to the intended recipient using the share code.
• Usage limits: Enforcing the daily upload limit (2 uploads per device per day) and per-file download limit (5 downloads maximum).
• Expiry management: Automatically deleting files and associated metadata after 24 hours.
• Abuse prevention: Detecting and blocking requests that appear to be automated attacks, spam uploads, or other abusive activity.
• Service improvement: Understanding aggregate usage patterns (e.g., average file size, peak usage times) in a non-identifiable way to improve reliability.

We do not use your data for advertising, profiling, behavioral analytics, or any commercial purpose beyond delivering the Service.

4. File Storage & Automatic Expiry

Understanding exactly how your files are stored and deleted is important to us, so we describe it in detail here.

4.1 Storage Location

Files are stored in one of two locations depending on size:

• Cloudflare KV (≤ 25 MB): Small and medium files are stored directly in Cloudflare's edge key-value store, distributed globally for fast access.
• Google Drive (> 25 MB): Larger files are stored in a dedicated Google Drive folder owned by FileDrop's service account. Only FileDrop has access to this folder.

All storage is encrypted at rest using industry-standard AES-256 encryption by the respective providers.

4.2 Automatic Deletion

Files are permanently and irreversibly deleted when any of the following conditions is met:

• The file has been available for 24 hours since upload (whichever comes first).
• The file has been downloaded 5 times.
• You manually delete the file from the "My Uploads" screen in the app.

An automated cleanup process runs every hour to purge expired files from both Cloudflare KV and Google Drive. Once deleted, files cannot be recovered — not even by FileDrop.

4.3 No Backups

FileDrop does not maintain backups of uploaded files. Deletion is final and permanent.

5. Data Sharing & Third Parties

We do not sell, rent, lease, or trade any information with third parties for commercial purposes.

We use the following service providers strictly to operate the Service:

• Cloudflare, Inc. (San Francisco, CA, USA) — provides our API hosting (Workers), file storage (KV), and website hosting (Pages). Cloudflare processes data in accordance with its Privacy Policy and is certified under the EU-U.S. Data Privacy Framework.
• Google LLC (Mountain View, CA, USA) — Google Drive is used as fallback storage for files over 25 MB. Access is limited to FileDrop's service account. Google processes data in accordance with its Privacy Policy.

These providers only receive the minimum data necessary to fulfill their role and are contractually prohibited from using that data for their own purposes.

5.1 Legal Disclosures

We may disclose information if we are legally required to do so, including:

• In response to a court order, subpoena, or other valid legal process.
• To comply with applicable laws and regulations.
• To protect the rights, property, or safety of FileDrop, its users, or the public.
• To report CSAM (child sexual abuse material) to the National Center for Missing & Exploited Children (NCMEC) or equivalent authority.

6. Data Retention

Data Type	Retention Period
Uploaded file content	Up to 24 hours or 5 downloads, then permanently deleted
File metadata (name, size, type)	Same as file — deleted together
Server access logs (IP, timestamp)	Up to 24 hours
Device ID (stored on your device)	Until you uninstall the app or clear app data

7. Your Rights & Choices

Because FileDrop does not collect personal information or create accounts, most traditional data rights (access, rectification, portability) do not apply in the usual sense. However, you have the following rights:

• Delete your files: You can delete any file you uploaded at any time from the "My Uploads" screen. Deletion is immediate and permanent.
• Automatic deletion: All files are automatically deleted within 24 hours — you do not need to take any action.
• Reset your device ID: Uninstalling the app or clearing app data removes the device ID from your device and effectively severs any link between the ID and future usage.
• Request log deletion: If you believe our servers hold logs related to your IP that should be removed urgently, contact us at the address below. We will investigate and respond within 30 days.

If you are in the European Economic Area (EEA), you may have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

8. Security Measures

We apply the following security measures to protect your files and data:

• Encryption in transit: All communication between the app/browser and our API uses HTTPS with TLS 1.2+ encryption. No data is transmitted over unencrypted connections.
• Encryption at rest: Files stored in Cloudflare KV and Google Drive are encrypted at rest by those providers using AES-256.
• Unpredictable codes: Share codes are generated using a cryptographically secure random number generator (CSPRNG). The code space is large enough to make brute-force guessing practically infeasible.
• No file indexing: Files are never publicly listed, indexed, or discoverable by anyone other than someone who has the exact share code.
• Rate limiting: API requests are rate-limited to prevent abuse and brute-force attacks.
• Short-lived access: The maximum file lifetime of 24 hours limits the window during which a code could be compromised.

Despite these measures, no system is 100% secure. We recommend not using FileDrop for highly sensitive or confidential files. If you discover a security vulnerability, please report it to security@filedrop.app.

9. Cookies & Local Storage

The FileDrop website (filedrop-site.pages.dev) does not use cookies or any form of browser tracking.

The FileDrop mobile app stores the following data locally on your device using Android's SharedPreferences:

• Your randomly generated device ID.
• The list of codes from your recent uploads (to populate "My Uploads").
• Your daily upload count and reset timestamp.

This data never leaves your device except as part of normal API requests to our server.

10. Children's Privacy

The FileDrop Service is not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has used FileDrop to upload files or that we have inadvertently received information from a child, please contact us immediately at privacy@filedrop.app. We will investigate and take prompt action, including deleting any relevant files.

11. International Users

FileDrop's infrastructure is powered by Cloudflare, whose edge network spans data centers globally. When you upload a file, it may be processed and stored in a data center closest to your location, which could be in a different country.

By using FileDrop, you acknowledge that your file data may be transferred to and stored in countries other than your country of residence. We rely on Cloudflare's and Google's standard contractual clauses and certifications to ensure adequate protection for such transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Post the updated policy on this page.

We encourage you to review this policy periodically. Your continued use of FileDrop after any changes to this policy constitutes your acceptance of those changes.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or how we handle your data, please contact us: