Last updated May 7, 2024
Overall Score
Risk by Category
Dropbox's Privacy Policy details the collection, use, disclosure, and protection of personal information for users of their cloud storage and collaboration services. It covers data from account creation, file uploads, usage analytics, and device information, emphasizing compliance with laws like GDPR and CCPA, strong encryption practices, and user controls, while noting sharing with affiliates, service providers, and for legal purposes. The policy balances functionality with privacy but includes broad data retention and third-party disclosures.
Data retained as long as necessary for service provision, legal obligations, or disputes, with limited specifics.
Collects IP-derived location and detailed device info for analytics and security.
Extensive sharing with vendors for hosting, analytics, and support without opt-out.
Supports two-factor authentication, file-level encryption, and zero-knowledge options for paid users.
Clear processes for access, deletion, portability under GDPR/CCPA, with dedicated privacy contacts.
SOC 2 Type II, ISO 27001, regular audits, and breach notification within legal timelines.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Name, email, phone, payment details, profile info.
Uploaded files, metadata, version history.
IP address, browser type, usage patterns, app interactions.
Approximate location from IP, precise if enabled.
Imported contacts for sharing features.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
To store files, sync devices, and enable collaboration features.
For product development, usage insights, and A/B testing.
To detect threats, enforce terms, and maintain platform integrity.
Personalized emails and promotions unless opted out.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Hosting (AWS), analytics (Amplitude), support vendors under DPAs.
Sharing within Dropbox family for operations.
Disclosed in mergers/acquisitions.
When users share files/links publicly or with others.
Court orders, law enforcement, or to protect rights/safety.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Request confirmation and copy of personal data via privacy request form.
Export data in structured format where required by law.
Account deletion removes most data within 30 days, except backups/legal holds.
Controls for marketing and some analytics via settings.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Retained while account is active and for legitimate business needs.
Deleted within 30 days, up to 90 for backups; indefinite for legal/dispute.
Retained indefinitely in aggregated form.
Minimum 7 years for financial/legal compliance.
Security & Transparency
Files encrypted at rest (AES-256) and in transit (TLS 1.2+).
Prompt notification as required by law; incident response plan disclosed.
SOC 2 Type II, ISO 27001, HIPAA BAA available.
Role-based access, multi-factor auth encouraged.
Source Text
We collect account, payment, content, device, and log data from various sources.
Interpretation
Comprehensive collection justified for service but risks overreach without granular consents.
Source Text
Use data for internal analytics, research, and AI training on anonymized data.
Interpretation
AI usage clause may concern users; anonymization not foolproof.
Source Text
Share with service providers, affiliates, and in business transfers; no selling.
Interpretation
No direct sales is positive, but vast provider ecosystem increases leak risk.
Source Text
Access, correction, deletion, objection rights with global support.
Interpretation
Strong CCPA/GDPR alignment with easy exercise mechanisms.
Source Text
As long as needed for purposes, legal holds extend indefinitely.
Interpretation
Vague 'needed' allows prolonged retention; lacks fixed periods.
Account details, uploaded content, device info, usage logs, and contacts if imported.