Privacy Policy
Effective: March 16, 2026 · Last updated: March 16, 2026
1. Who We Are
Deadrop ("we", "us", "our") operates the website deadrop.dev, a zero-knowledge, one-time secret sharing service. This Privacy Policy explains what data we collect, why we collect it, and how we handle it.
Contact: [email protected]
2. Our Core Principle: Zero Knowledge
Deadrop is architected so that we cannot read your secrets. Every secret is encrypted in your browser using AES-256-GCM before it reaches our servers. The decryption key exists only in the URL fragment (the portion after the # symbol), which is never transmitted to our servers by any browser or HTTP client, per the URI specification (RFC 3986, Section 3.5).
This means:
- We store only encrypted ciphertext. We cannot decrypt it.
- We cannot recover a secret if the link is lost.
- We cannot comply with any request to produce the plaintext contents of a secret, because we do not possess the decryption key.
- When a secret is viewed or expires, it is permanently and irreversibly deleted from our infrastructure. We do not maintain backups, archives, or copies of secrets.
3. Data We Collect
3.1 Data We Never Collect
- Plaintext secrets. We never receive, process, or store the unencrypted contents of your secret.
- Third-party tracking cookies. Deadrop sets no third-party cookies, advertising cookies, or cross-site tracking cookies.
3.2 Anonymous Use (Core Service)
The core secret sharing functionality does not require an account, username, email address, phone number, or any form of registration. You can use Deadrop without providing any personal information.
3.3 Account-Based Features
If you create an account for premium or team features, we collect the information you provide during registration (such as your email address and display name). This data is used solely to operate your account and deliver the features you signed up for. Account data is never shared with third parties for marketing or advertising purposes.
3.4 Data We Process
We collect only what is strictly necessary to operate the service:
| Data | Purpose | Retention |
|---|---|---|
| Encrypted secret | Delivering the secret sharing service | Deleted after one view or TTL expiry |
| Secret metadata | Enforcing automatic expiration | Deleted with the secret |
| Hashed IP address | Rate limiting to prevent abuse | Purged after one hour |
| Analytics data | Improving the product | Aggregated and anonymous |
For anonymous use, we do not collect or process any data beyond what is listed above. For account holders, we additionally store the account information described in Section 3.3.
4. What We Do Not Do
We state the following unequivocally:
- We do not sell data. Not now, not ever. We have no advertising business, no data brokerage arrangements, and no third-party partnerships that involve sharing user data.
- We do not track behaviour. We do not build user profiles, track users across sessions, fingerprint devices, or monitor individual browsing patterns.
- We do not share data with third parties for marketing, analytics resale, or any purpose beyond operating this service.
5. Analytics
We use Umami, an open-source, privacy-focused analytics platform that we self-host on our own infrastructure. Umami is designed to comply with GDPR, CCPA, and PECR without requiring cookie consent banners.
- No cookies. Umami does not set any cookies or use local storage for tracking.
- No cross-site tracking. Visitors are not tracked across websites.
- No personal data. Umami does not collect IP addresses, device identifiers, or any personally identifiable information.
- Aggregated only. All data is aggregated and cannot be used to identify individual visitors.
Analytics exclusions: We do not load analytics on secret viewing pages or the offline page. When someone opens a secret, no analytics code runs — there is zero tracking of who views a secret or when.
6. Legal Basis for Processing (GDPR)
For visitors in the European Economic Area, our legal basis for processing is:
- Performance of a contract (Article 6(1)(b) GDPR) — processing the encrypted secret payload to deliver the service you requested, and processing account data to provide premium features you signed up for.
- Legitimate interest (Article 6(1)(f) GDPR) — rate limiting via hashed IP addresses to prevent abuse and ensure service availability. We have assessed that this processing is proportionate, minimally invasive (hashed, not stored in plain form, purged within one hour), and does not override your fundamental rights.
7. Infrastructure and Sub-Processors
The following third parties assist us in operating Deadrop:
| Provider | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany (EU) |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global (US-headquartered) |
Regarding Cloudflare: Cloudflare processes requests in transit as part of its CDN and security services. Cloudflare may temporarily log IP addresses and request metadata per its own privacy policy. Per the HTTP specification, URL fragments (which contain decryption keys) are not included in network requests and are not transmitted to Cloudflare or any upstream server. We maintain a Data Processing Agreement (DPA) with Cloudflare as required under GDPR.
Regarding Hetzner: All server infrastructure is located in Germany within the European Union. We maintain a DPA with Hetzner as required under GDPR.
No other third parties receive data from Deadrop.
8. Data Retention
| Data | Retention Period |
|---|---|
| Encrypted secrets | Deleted upon first view or TTL expiry (5 minutes to 7 days) |
| Rate limiting records | Automatically purged after one hour |
| Analytics data | Aggregated form; not attributable to any person |
| Server access logs | Rotated and deleted within 14 days |
| Account data | Retained while active; deleted upon request |
When we say "deleted," we mean permanently removed from all storage, including active databases and any caching layers. We do not maintain cold storage, backups of secrets, or any mechanism to recover deleted data.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the data we hold about you.
- Deletion — request that we delete data associated with you.
- Rectification — request correction of inaccurate data.
- Objection — object to processing based on legitimate interest.
- Portability — receive your data in a structured, machine-readable format.
In practice: The core functionality of Deadrop does not require an account and does not store personally identifiable information. For these anonymous uses, we generally cannot link stored data to a specific individual. If you create an account for premium features, we will collect the information you provide (such as your email address) and you may exercise these rights in full by contacting us. For any data rights request, contact us at [email protected] and we will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
10. Security
We implement the following measures to protect data in transit and at rest:
- Encryption in transit: All connections use TLS 1.3.
- Encryption at rest: Secrets are encrypted client-side with AES-256-GCM before transmission. The server stores only ciphertext.
- Key isolation: Decryption keys exist only in URL fragments and are never transmitted to or stored on our servers.
- Ephemeral storage: Secrets are stored in an in-memory data store and are permanently destroyed upon retrieval or expiry.
- Rate limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.
- Security headers: We enforce a strict Content Security Policy, X-Frame-Options, and other HTTP security headers.
Your responsibility: The security of a shared secret depends on how the link is transmitted. We recommend sharing links through encrypted channels (e.g., encrypted messaging apps). If you share a link over an insecure channel, the secret may be intercepted. We cannot control or guarantee the security of the transmission channel you choose.
11. Children
Deadrop is not directed at children under the age of 16. We do not knowingly collect data from children. If we become aware that a child under 16 has created an account, we will promptly delete the account and any associated data.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this page periodically.
We will not introduce data collection, tracking, or third-party data sharing practices that conflict with the principles stated in this policy without prominently notifying users on the website.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: [email protected]
This policy applies to the website at deadrop.dev and all services provided through it.