Privacy Policy

Last updated: March 1, 2026

1. What We Collect

DropVeil collects the minimum data necessary to provide the Service: your email address, hashed account password, billing information (processed by Stripe), and basic usage metadata (storage used, number of files, last login timestamp). We do not collect your name, phone number, or physical address unless required for invoicing.

2. What We Cannot Access

Due to our zero-knowledge architecture, DropVeil cannot access the contents of your files, your file names (encrypted on the client), or your encryption passphrase. Encryption keys are derived locally on your device and never transmitted to our servers.

3. Server Logs

Our servers record connection timestamps, IP addresses, and data transfer volumes for operational purposes (abuse prevention, capacity planning). Logs are retained for 14 days and then permanently deleted. Logs do not contain file contents, file names, or any decrypted data.

4. Third Parties

We use Stripe for payment processing and Postmark for transactional email. These services receive only the data necessary for their function. We do not sell, rent, or share your personal information with advertisers or data brokers. We do not use analytics trackers, advertising pixels, or social media SDKs on our platform.

5. Data Location

Encrypted file data is stored on servers located in the European Union (Poland). Account metadata is stored in the EU. We do not transfer personal data outside the EEA without appropriate safeguards as required by GDPR.

6. Law Enforcement

DropVeil may disclose account metadata in response to valid legal orders from Polish courts. However, due to zero-knowledge encryption, we are technically unable to provide file contents or decryption keys, as we do not possess them.

7. Data Retention

Account data is retained for the duration of your subscription plus 30 days after cancellation. After this period, all associated data, including encrypted files, is permanently deleted from our servers and backups.

8. Your Rights (GDPR)

You have the right to access, correct, export, or delete your personal data at any time through your account settings. For data deletion requests, contact privacy@dropveil.org. We respond within 30 days as required by GDPR.

9. Contact

Data Protection Officer: privacy@dropveil.org. DropVeil, ul. Marszalkowska 84/92, 00-514 Warszawa, Poland.