Privacy Policy
Last updated: April 2026 · Effective immediately
Short version: DropKey does not store any files, file names, or personal data beyond what is technically necessary for session routing. Your files are encrypted end-to-end and transmitted directly between devices. DropKey servers never see your file content.
1. What we do not store
DropKey is designed with zero data retention as a core principle. Specifically, we do not store, log, or retain:
- File content — files are transferred peer-to-peer over WebRTC. The DropKey signaling server only relays the WebRTC handshake (SDP offer/answer and ICE candidates). File bytes never transit through our servers.
- File names or metadata — file names and sizes are transmitted directly between the sender and receiver over the encrypted peer-to-peer channel. The server does not receive this information.
- Encryption keys — ECDH key exchange happens directly between peers. The shared AES-256-GCM encryption key is never transmitted to or derivable by DropKey servers.
- Cookies or tracking data — we do not set cookies, use pixels, fingerprint browsers, or employ any analytics that identify individual users.
- Account information — DropKey has no user accounts, no registration, and no login for file transfer.
2. What we temporarily hold in memory
To enable session routing, DropKey holds the following data in server memory only (never written to disk in plaintext, never sold or shared):
- Session keys — 12-character one-time keys that exist for a maximum of 5 minutes or until the transfer completes, whichever comes first. They are automatically deleted when the session ends.
- WebRTC signaling messages — SDP offers, answers, and ICE candidates are relayed and immediately discarded. They are not stored after relay.
3. IP addresses and access logs
For security, rate limiting, and abuse prevention, DropKey retains:
- IP addresses — stored in server memory for rate limiting (max 5 minutes) and written to access logs retained for a maximum of 30 days before automatic deletion.
- Security event logs — blocked file attempts, rate limit breaches, and other security events are logged with IP address and timestamp. These logs are retained for 30 days.
IP address data is used exclusively for abuse prevention. It is never sold, shared with advertisers, or used for profiling.
4. Encryption
All file transfers are protected by:
- ECDH key exchange — a unique shared secret is derived for each session. The server cannot compute this key.
- AES-256-GCM encryption — every file chunk is encrypted before leaving the sender's device.
- SHA-256 integrity verification — the receiver verifies the hash of every received file against the sender's original hash.
- TLS in transit — all connections to DropKey servers use TLS 1.2+.
5. Compliance — GDPR and India DPDPA 2023
DropKey is designed to be compliant by architecture. Because we do not store personal data beyond temporary IP addresses used for security, most GDPR and DPDPA obligations do not apply to a typical transfer session.
- Right to erasure (GDPR Art. 17 / DPDPA) — automatic. Session data is deleted within 5 minutes. IP logs are purged after 30 days.
- Data minimisation — we collect only what is technically necessary for the service to function.
- No cross-border transfers of personal data — IP addresses used for rate limiting are processed on the server they arrive at and are not transferred to third parties.
If you have a specific GDPR or DPDPA compliance requirement, contact us at the address below to discuss your use case.
6. Third-party services
- STUN servers — DropKey uses Google's public STUN servers (stun.l.google.com) to help establish peer connections. Your IP address is visible to these servers during connection negotiation. Google's privacy policy applies.
- TURN relay — if a direct peer connection cannot be established, traffic may be relayed through a TURN server. If using DropKey's hosted service, the TURN server is operated by DropKey and subject to this policy.
- No advertising networks — we do not integrate with any advertising or marketing platforms.
7. Changes to this policy
If we make material changes to this policy, we will display a notice on DropKey for at least 30 days before the change takes effect. Continued use after that period constitutes acceptance of the updated policy.
Privacy contact
For privacy-related questions, data subject requests, or compliance enquiries, contact: privacy@[yourdomain.com]
Replace [yourdomain.com] with your actual domain before publishing.
Terms of Service
Last updated: April 2026 · Effective immediately
Short version: Use DropKey for lawful file transfers only. Do not use it to distribute malware, illegal content, or to harm others. We provide this service as-is and are not liable for transfer failures.
1. Acceptance of terms
By using DropKey (the "Service"), you agree to these Terms of Service. If you do not agree, do not use the Service. These terms apply to all users, including individuals and organisations.
2. Acceptable use
You may use DropKey only for lawful purposes. The following uses are strictly prohibited:
- Malware and malicious software — transferring viruses, ransomware, trojans, spyware, or any software designed to damage or gain unauthorised access to systems.
- Child sexual abuse material (CSAM) — any content that sexually exploits minors. Such use will be reported to law enforcement.
- Stolen credentials and personal data — transferring passwords, credit card numbers, identity documents, or other personal data obtained without authorisation.
- Export-controlled materials — files subject to export control regulations (e.g., ITAR, EAR) where transfer would violate applicable law.
- Abuse of the service — automated scanning, enumeration of session keys, denial-of-service attacks, or any activity intended to degrade the service for others.
- Circumventing rate limits or security controls — using proxies, VPNs, or automated tools to bypass rate limiting or other security measures.
3. Service availability and no warranty
DropKey is provided "as is" and "as available" without warranty of any kind, express or implied. We do not guarantee:
- Uninterrupted or error-free service availability.
- That any particular transfer will complete successfully.
- That the service will be available in all geographic regions or network environments.
We strongly recommend keeping your own copies of important files. DropKey is a transfer tool, not a backup or storage service.
4. Limitation of liability
To the maximum extent permitted by applicable law, DropKey and its operators shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of (or inability to use) the Service, including loss of data, loss of profits, or business interruption, even if advised of the possibility of such damages.
Our total liability for any claim arising from these terms or the Service shall not exceed the amount you paid for the Service in the twelve months preceding the claim. If you have not paid anything, our liability is limited to INR 1,000 (or equivalent).
5. Rate limits and automated abuse prevention
To protect service quality for all users, DropKey automatically enforces rate limits on session key generation and WebSocket connections. IPs that exceed these limits will be temporarily blocked. Repeated or intentional abuse may result in permanent IP blocking and, where applicable, referral to law enforcement.
6. Indemnification
You agree to indemnify and hold harmless DropKey and its operators from any claims, damages, or expenses (including legal fees) arising from your violation of these terms or any applicable law.
7. Governing law and jurisdiction
These terms are governed by the laws of [Your Jurisdiction — e.g., India / Republic of India]. Any disputes shall be subject to the exclusive jurisdiction of the courts of [Your City, e.g., New Delhi].
Replace the jurisdiction placeholders before publishing.
8. Changes to these terms
We reserve the right to modify these terms at any time. We will provide at least 30 days' notice of material changes by displaying a prominent banner on the DropKey website. Your continued use of the Service after the effective date constitutes acceptance of the new terms.
9. Contact
Legal enquiries
For legal notices, compliance requests, or abuse reports: legal@[yourdomain.com]
To report CSAM or other illegal content: abuse@[yourdomain.com]
Replace [yourdomain.com] with your actual domain before publishing.