> SecretDrop
Features
Encryption
Policies
File Bundles
Analytics
Pricing About FAQ
Get Started

Privacy Policy

Last updated: February 17, 2026

This Privacy Policy explains how SecretDrop.dev ("Service", "we", "us", or "our") collects, uses, and protects information when you use our website and application.

By using the Service, you agree to the terms of this Privacy Policy.

1. Data Controller

The operator of SecretDrop.dev is the data controller responsible for processing personal data in accordance with applicable data protection laws.

Contact: jovanovic@thecodecave.de

2. Information We Collect

A. Account Information

When you create an account, we may collect:

  • Email address
  • Authentication provider information (e.g., Google OAuth ID)
  • Account creation timestamp
  • Subscription status

B. Billing Information

If you purchase a subscription:

  • Payment status
  • Plan type
  • Transaction metadata provided by the payment processor

We do NOT store full payment card details. Payment processing is handled by third-party providers.

C. Bundle Metadata

When you create a bundle:

  • Bundle ID (random UUID)
  • Creation timestamp
  • Expiration settings
  • Policy configuration
  • Download and access counters

D. Analytics Data

We use Rybbit as a privacy-focused, no-cookie analytics provider. Rybbit does not use tracking cookies and does not perform cross-site tracking or behavioral profiling.

Analytics may include:

  • Page views
  • Referrer information
  • Device type (generalized)
  • Country (coarse location)
  • Aggregated usage statistics

Analytics data is processed in anonymized or privacy-preserving form.

E. Access Logs

For security and abuse prevention, we may process:

  • Timestamp of access attempts
  • Hashed or pseudonymized IP information
  • Event types (view, password attempt, download)

We do not intentionally log decrypted content or plaintext secrets.

3. Encrypted Content

Files and secrets uploaded to SecretDrop.dev are encrypted before storage.

We store encrypted payloads and limited metadata necessary to operate the Service.

We do not intentionally access, inspect, or analyze the plaintext content of encrypted bundles.

Users are responsible for determining whether the Service meets their security and compliance requirements.

4. Purpose of Processing

We process data to:

  • Provide and operate the Service
  • Enforce bundle policies and access restrictions
  • Prevent abuse and unauthorized access
  • Process subscriptions and manage billing
  • Improve performance and reliability
  • Comply with legal obligations

We do not sell personal data.

We do not use user data for advertising purposes.

5. Legal Basis for Processing (Where Applicable)

Depending on jurisdiction, processing may be based on:

  • Performance of a contract (providing the Service)
  • Legitimate interest (security, analytics, abuse prevention)
  • Legal obligation
  • Consent (where explicitly required)

6. Data Retention

Account Data: Retained for as long as your account remains active.

Bundle Data: Bundles may be automatically deleted based on:

  • Expiration policies
  • Download limits
  • Failed password thresholds
  • Account termination

Free-tier bundles are automatically deleted after 7 days.

Encrypted payloads are permanently deleted upon expiration or deletion events, subject to backup retention policies.

Analytics Data: Retained in aggregated or anonymized form for operational purposes.

Log Data: Retained only as long as necessary for security and abuse prevention.

7. Data Sharing

We may share data with:

  • Hosting providers
  • Payment processors
  • Authentication providers (e.g., Google OAuth)
  • Analytics provider (Rybbit)

We do not sell personal data.

We do not share decrypted secret content.

We may disclose information if required by law or valid legal request.

See our subprocessors page for details.

8. International Transfers

If data is transferred outside your jurisdiction, appropriate safeguards are implemented where required by law.

9. User Rights (Where Applicable)

Depending on applicable law (e.g., GDPR), you may have the right to:

  • Access your personal data
  • Request correction
  • Request deletion
  • Restrict processing
  • Object to processing
  • Data portability
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact: jovanovic@thecodecave.de

10. Security Measures

We implement technical and organizational measures designed to protect data, including:

  • Encryption of stored bundle content
  • Access control mechanisms
  • Rate limiting and abuse detection
  • Secure authentication flows

However, no system is completely secure. Use of the Service is at your own risk.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age.

We do not knowingly collect personal data from minors.

12. Third-Party Links

The Service may contain links to third-party services. We are not responsible for their privacy practices.

13. Changes to This Policy

We may update this Privacy Policy at any time.

Continued use of the Service after updates constitutes acceptance of the revised policy.

14. Contact

For privacy-related inquiries, contact: jovanovic@thecodecave.de

Back to home