A widening privacy policy: data flowing to Google, Amazon, OpenAI, Stripe and more
2024
A 2024 Proton analysis found Dropbox's privacy policy permits extensive data sharing with third parties — including Google, Amazon, OpenAI, Kissmetrics, and Stripe — and lets Dropbox volunteer user data to authorities in the vaguely defined 'public interest.'
What happened
Dropbox's privacy policy and data practices have broadened over the years as the company added analytics, advertising/marketing, AI, and payments capabilities. In February 2024, Proton published a detailed critique ('We took a dive into the Dropbox privacy policy — it's not good') concluding that, while Dropbox says it does not sell data to advertisers, the policy permits sharing personal information with a range of named third parties including Google, Amazon, OpenAI, Kissmetrics, and Stripe.
Proton also highlighted that Dropbox keeps 'a record of practically anything you could do with a file' — creating, editing, sharing — and that the company says it may disclose user data to law enforcement based on its own judgment, including where it believes disclosure is in the 'public interest,' a phrase Proton called 'so vague it can be used to justify any kind of situation.' Because Dropbox decrypts files to provide its features, this all rests on the company's server-side access to user content. These are characterizations of Dropbox's stated policy by a competitor; the policy language is public and Dropbox frames its data use as service-related.
Impact
The analysis crystallized how a service marketed as a private place for files has, over time, become a hub that routes user data to advertising-analytics, AI, and payment partners, and that reserves broad discretion to share with governments. It reinforced the case that Dropbox's privacy posture depends heavily on trusting the company's judgment, given its server-side access.