Privacy Policy

Locker Drop is built so that we cannot read your files. This policy explains exactly what we can and cannot see.

What we CANNOT see

Your file content. Files are encrypted in your browser (XChaCha20-Poly1305 via libsodium) before upload. The decryption key is generated on your device and travels only in the link fragment, which is never sent to our servers. We store only encrypted ciphertext, which is useless without your key. We cannot decrypt your files, and neither can our storage provider.

What we DO collect (routing metadata)

To deliver and operate the Service we retain, for up to 90 days: the sender and recipient email addresses you provide (if any), sender IP address, timestamps, encrypted file sizes, expiry settings, and a reference to the Polar payment. We do not sell data, run advertising, or build profiles.

Payment data

Payment details are handled entirely by Polar (our Merchant of Record) under their privacy policy. We receive only an order reference, never your card details.

Data retention

Encrypted file content is deleted on your chosen timer or on open, and in all cases within 7 days. Routing metadata is deleted within 90 days. Payment records are retained by Polar per their policy.

Legal disclosure

We disclose the metadata we hold only in response to valid legal process. See our Law Enforcement Guidelines. We cannot disclose file content because we do not have it in readable form.

Your rights

Depending on your location, you may have rights to access or delete your personal data. Contact support@inbox.locker.