Worth reading before you agree.
Low confidence — read the source
Dropbox encrypts your files and holds many security certifications, but the documents are almost completely silent on what personal data is collected, how long it is kept, and who it is shared with. Free accounts can be closed after 12 months of inactivity, and once your account is terminated you lose all ability to access or export your content. You must use private arbitration, not court, for most disputes.
Moderate risk: notable concerns around data sharing, limited user controls, or vague language. Original assessment: grade adjusted to E (2 critical findings).
2 critical findings
This document contains terms that could seriously affect you. Read the watch-outs below before you agree.
You trade your files, account information, payment details, and usage data for cloud storage and collaboration tools. Dropbox encrypts data in transit and at rest and holds many security certifications, but you give up the right to sue in court, you lose all your files if your account is terminated, and the documents do not clearly say what data is collected or how long it is kept.
Dropbox explicitly states it does not sell personal data to advertisers, third parties, or anyone else.
Dropbox encrypts data in transit and at rest.
Dropbox holds many security certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2, SOC 3, CSA STAR Level 2, PCI DSS, and NIST SP 800-171 R2.
Dropbox complies with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework for international data transfers.
Dropbox provides the same level of data protection to all users regardless of location.
You can enable two-step verification for extra account security.
You can monitor linked devices, web sessions, and third-party apps from the Security page and cut off access with a click.
You can view a running log of file and folder activity from the Events page.
EU users have a 14-day right to cancel paid subscriptions for a refund.
You receive at least 30 days' notice before fee changes or material terms updates.
You can opt into notifications when a new device or app links to your account.
If Dropbox suspends or closes your account, you permanently lose access to all your files and cannot export them. This applies to free accounts after 12 months of inactivity and to any account terminated for alleged breach or legal issues.
Most disputes with Dropbox must be resolved through individual arbitration, not in court. You also give up your right to join a group lawsuit or have a jury trial.
If you have a free account and do not log in for 12 months, Dropbox can close your account and you may lose your data with no guarantee of recovery.
Dropbox can shut down your account without notice and without letting you download your files if they believe you have broken the rules or if there is a legal issue.
When you use Dropbox, your content may be accessed by Dropbox's affiliates and other companies it works with to provide hosting, backup, sharing, and features like OCR and search.
Dropbox can revise the Terms of Service whenever it wants. You will be notified at least 30 days before changes take effect, but if you do not cancel, you are bound by the new terms.
If Dropbox causes you harm, such as through data loss or a service failure, the most they have to pay you is $20 or the total amount you have paid for the service, whichever is greater. They are not responsible for most indirect damages.
If you view a document shared through DocSend, Dropbox tells the person who shared it how you viewed the document.
If you use Dropbox Business, your organization's admin can erase Dropbox data and local copies of files from your computer or phone without your direct consent.
Account creation, notifications, and service updates
Account creation and fax service provisioning
Billing
Fax service provisioning
Billing
Fax service provisioning
Hosting, backing up, sharing, commenting, searching, image thumbnails, document previews, OCR, sorting, organisation, and personalisation
Account creation and service access
Account security
Dropbox's affiliated companies can access your content to provide hosting, backup, sharing, and features like OCR and search.
Other companies Dropbox works with can access your content to provide core service functions.
When you use DocSend or Dropbox Sign, your data may be shared with additional companies that help run those services.
When you open a DocSend-shared document, the person who shared it can see how you viewed it.
What personal data is collected beyond account and payment information
The documents do not provide a complete list of data types collected, such as device information, usage data, IP addresses, or cookies. You cannot assess the full scope of data collection.
How long personal data is retained
The documents only mention a ten-year file recovery window and a 12-month inactivity rule for free accounts. There is no general retention policy for account data, payment information, or usage data.
Whether Dropbox uses AI or machine learning on user data
The documents do not address whether Dropbox trains AI models on your files, messages, or other content.
How to delete your account and data
The documents describe account cancellation but do not clearly explain how to delete your account or whether your data is fully removed afterward.
User rights such as data access, portability, and correction
The documents do not describe how you can request a copy of your data, transfer it elsewhere, or correct inaccurate information.
Cookies and tracking technologies
The documents do not disclose what cookies or trackers Dropbox uses or how to control them.
Breach notification procedures
The documents do not state whether Dropbox will notify you if your data is involved in a security breach.
Children's data protections
The documents mention a minimum age of 13 (or 16 outside the US) but do not describe special protections for minors' data.
International data transfer safeguards
While Dropbox states compliance with the EU-U.S. Data Privacy Framework, the documents do not detail specific safeguards like Standard Contractual Clauses for other transfers.
Assume the worst case: Your data may be retained for up to ten years based on the most specific evidence found.
Assume the worst case: If you are in the EU, you may not have a clear opt-out window for arbitration.
Mixed
Grade (A–E scale)
Dropbox has strong security infrastructure and a clear no-data-sale policy, which are meaningful protections. However, the combination of broad data collection (including national ID), sharing with unnamed affiliates and third parties, a 10-year file recovery window, mandatory arbitration with class action waiver, and the ability to terminate accounts without notice or export opportunity creates material privacy risks. The lack of detailed user rights mechanisms and retention schedules further limits the grade.
Status
Legacy risk index: 3/10
Dropbox collects your name, email, payment details, and all files you upload, shares them with affiliates and trusted third parties for service delivery, and can delete your data after 12 months of inactivity.
Dropbox does not sell your personal data to advertisers or third parties — this is explicitly stated across multiple documents.
Dropbox collects your name, email, billing address, payment information (credit card), national ID (where applicable), and all files you upload including content, messages, and contacts.
Your files are shared with Dropbox affiliates and 'trusted third parties' for hosting, backup, sharing, OCR, search, and personalization — these recipients are not named in the documents.
Does not sell your data
Not clearly stated
Not specified
Free accounts inactive for 12 months may be terminated; files edited or deleted can be recovered within 10 years; fax numbers released when service stops
Not specified
How clearly they explain their practices
Dropbox clearly states it does not sell personal data and lists some specific data types collected (email, name, payment info, national ID). However, most documents are security-focused and lack comprehensive disclosures about what data is collected, for what purposes, who receives it, and how long it is retained. Key privacy details are spread across multiple pages with no single comprehensive notice.
How much data they collect
Dropbox collects a broad range of data including email, name, billing address, physical address, payment information (credit card numbers), national ID numbers where applicable, and all user-uploaded files, content, messages, and contacts. The collection of national ID numbers and the comprehensive scope of file processing (OCR, thumbnails, search, personalization) push this beyond typical cloud storage collection.
How much control you have over your data
Users have some security controls (two-step verification, device monitoring, session revocation) but lack meaningful data rights mechanisms. There is no clear account deletion path, no data portability tool mentioned, and no granular opt-outs for data sharing. Critically, once an account is terminated, users lose all ability to access or export their content. The 30-day arbitration opt-out window is a narrow escape hatch.
How widely they share your data
Dropbox explicitly states it does not sell personal data, which is a genuine protection. However, it shares user content with affiliates and unnamed 'trusted third parties' for core service functions, and DocSend/Dropbox Sign expand the pool of recipients. The lack of specificity about who these third parties are and what safeguards apply is a material gap.
14 data vectors mapped
“Hosting, backing up, sharing, and providing service features”
“Hosting, backing up, sharing, commenting, searching, image thumbnails, document previews, OCR, sorting, organization, personalization”
“Reporting how a document was viewed to the sender; providing DocSend service”
“Providing Dropbox Sign service”
“Notifying sender when and how a shared document was viewed”
Dropbox has invested heavily in GDPR compliance, forming a dedicated data-protection team and completing a full assessment of its practices (Privacy and Governance page, en-GB locale).
Dropbox complies with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, providing a recognized legal mechanism for international data transfers from the EU/UK/Switzerland to the US (Standards and Regulations Compliance page).
Dropbox has achieved ISO 27701 certification as a PII Processor, demonstrating a formal privacy information management system (Standards and Regulations Compliance page).
Dropbox holds ISO 27018 certification for privacy and data protection for cloud service providers processing personal information (Standards and Regulations Compliance page).
Dropbox's Standard, Advanced, Enterprise, and Education plans have been declared adherent to the EU Cloud Code of Conduct with Level 2 Compliance Mark, meaning technical, organizational, and contractual measures are implemented in line with the Code (Standards and Regulations Compliance page).
Dropbox explicitly states it does not sell personal data to advertisers, third parties, or anyone else (Privacy and Governance pages).
Files stored in Dropbox are private by default and only visible to the user and those they choose to share with (Privacy and Governance page, en-GB locale).
Dropbox provides the same level of data protection to all users regardless of geographic origin (Privacy and Governance pages).
Dropbox trains every employee on security and privacy before granting access to systems or data (Privacy and Governance page, en-GB locale).
Encrypted file data transfer and application-level controls are used as part of a layered security architecture (multiple documents).
EU users have a 14-day right to cancel paid subscriptions and obtain a refund (Terms of Service).
Users receive at least 30 days' notice before material terms changes become effective (Terms of Service).
Users can export their content before account termination when given advance notice (Terms of Service).
No specific personal data types collected are enumerated in most documents — the data_collected arrays are empty across the majority of pages, making it impossible to assess data minimization or collection scope from the privacy-focused documents (all privacy_policy and security_policy documents).
No user rights section detailing data subject access, rectification, erasure, portability, or objection mechanisms is described in any of the documents (all documents).
No consent mechanisms or opt-out procedures for data processing are described in any document (all documents).
The ten-year file recovery window (mentioned in Privacy and Governance page) suggests very long retention without clear justification, retention schedules per data category, or user control over deletion — raising data minimization and storage limitation concerns.
No data retention periods are specified for core account data, payment information, or general personal data across most documents (all documents except narrow fax number and inactivity references in Terms of Service).
Third-party sharing is described only in broad terms — 'trusted third parties' and 'affiliates' are referenced but no specific subprocessors, recipient categories, or data processing agreements are detailed (Terms of Service, Privacy and Governance pages).
No breach notification policy or commitment is described in any document (all documents).
No Data Protection Impact Assessment (DPIA) references or data protection officer (DPO) contact information is provided in the extracted content (all documents).
The government access section states all requests are 'scrutinized' but does not specify the legal standard (e.g., warrant requirement) or whether users are notified (Privacy and Governance page, Advanced Information Security page).
No AI or automated decision-making disclosures are provided despite Dropbox scanning content for features like OCR and personalization (all documents).
The Terms of Service include a mandatory arbitration clause with class action waiver for US residents, which may conflict with GDPR's right to an effective judicial remedy depending on interpretation (Terms of Service).
Dropbox will sign Business Associate Agreements (BAAs) with Standard, Advanced, Enterprise, and Education customers who require them for HIPAA/HITECH compliance (Standards and Regulations Compliance page).
Dropbox makes available a SOC 2 examination evaluating its controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules (Standards and Regulations Compliance page).
Dropbox provides a mapping of internal practices and recommendations for customers seeking to meet HIPAA/HITECH Security and Privacy rule requirements (Standards and Regulations Compliance page).
Encryption-at-rest and encryption-in-transit are implemented (Security & Compliance Trust Center page).
Role-based access control, multi-factor authentication, and physical security controls are in place (Advanced Information Security page).
Subservice providers undergo regular SOC 1, SOC 2, and/or ISO 27001 audits reviewed at least annually (Standards and Regulations Compliance page).
The documents do not specify the exact scope of HIPAA-covered services or which specific Dropbox products/features are BAA-eligible beyond general plan names (Standards and Regulations Compliance page).
No details on breach notification procedures specific to PHI or HIPAA's 60-day notification requirement are provided (all documents).
No mention of administrative, physical, and technical safeguard specifics as required by the HIPAA Security Rule beyond general encryption and access control references (all documents).
The ten-year file recovery window may conflict with HIPAA's minimum necessary and retention limitation principles for PHI (Privacy and Governance page).
No discussion of audit controls, integrity controls, or transmission security specifics as required by HIPAA Security Rule (all documents).
Dropbox explicitly states it does not sell personal data to advertisers, third parties, or anyone else, which addresses the CCPA/CPRA 'do not sell' requirement (Privacy and Governance pages).
Users have meaningful self-service security controls including two-step verification, device monitoring with one-click revocation, and activity logs (Account Protection pages).
Users who do not use DocSend or Dropbox Sign experience no change to data use or sharing, providing a form of feature-level opt-out (Terms of Service and Privacy Policy updates page).
No CCPA-specific user rights are described — no right to know, right to delete, right to correct, or right to opt-out of sale/sharing mechanisms are documented (all documents).
No 'Do Not Sell or Share My Personal Information' link or equivalent mechanism is described (all documents).
No specific personal data categories collected are enumerated as required by CCPA disclosure obligations (all documents).
No data retention periods are specified for most data types, which is required for CCPA compliance (all documents).
No description of financial incentives for data collection or how they are calculated (all documents).
The privacy signals across all documents show 'sells_data: unclear' for most documents, with only the Privacy and Governance pages explicitly stating no sale — the Terms of Service and security policy documents do not address this (multiple documents).
No mention of sensitive personal information processing or the right to limit use of sensitive PI under CPRA (all documents).
No designated method for submitting CCPA requests (e.g., toll-free number, web form) is described (all documents).
Dropbox sets a minimum age of 13 for US users and 16 for users elsewhere, acknowledging age-based access restrictions (Terms of Service).
Dropbox acknowledges that local law may require a higher age for lawful provision of services without parental consent, including use of personal data (Terms of Service).
No parental consent mechanism or process for obtaining verifiable parental consent is described (all documents).
No special protections or data handling procedures for children's data are detailed (all documents).
The children_policy field is null across all privacy_policy and security_policy documents, indicating COPPA-specific protections are not addressed in those documents (all documents).
No description of what data is collected from users under 13 or how it is handled differently (all documents).
No parental right to review, delete, or refuse further collection of children's data is described (all documents).
We found a compliance score for CCPA, but no evidence-backed assessment notes yet. Re-run analysis to generate a justified grade, or treat this regime as unverified.
We found a compliance score for PIPEDA, but no evidence-backed assessment notes yet. Re-run analysis to generate a justified grade, or treat this regime as unverified.
We found a compliance score for LGPD, but no evidence-backed assessment notes yet. Re-run analysis to generate a justified grade, or treat this regime as unverified.