Privacy Policy

Updated June 30, 2023

Table of Contents

• Preamble
• Scope
• Information we collect
• Account details
• Account most recent login time
• File details
• Other information
• How we use the account information
• Cookies
• Third party privacy policies

Preamble

This website at f-drop.org ("the Site", "this Site", "the Service", "this Instance") is a private instance of the open source software project F-Drop.

F-Drop is a simple secure file transfer web application built on the Django framework and released under the GNU Affero General Public License version 3 (AGPLv3).

This Privacy Policy document outlines the types of information that are collected and recorded by this Site and how they are used.

By using this Site, you hereby consent to this Privacy Policy.

Please note that this Privacy Policy may be updated from time to time. Whenever this occurs, the next time you log in to your account and use the Site, you will be shown a summary of the updates and prompted to agree to them to be able to continue using the Site as normal. If you do not agree, you may access your Account Details page to delete your account and all user-related content before discontinuing your use of the Site.

Scope

This privacy policy applies only to this website at f-drop.org with regards to the information that users submit when creating or using an account, and information on the active status of their account.

This policy is not applicable to any information collected offline or via channels other than this website.

Information we collect

Account details

When you register for a new account or when an admin user registers a new account for you, the application asks for a minimum amount of identifying information, namely, a username, an email address, and a new password for your new account.

If an admin user registers an account for you, they will typically set your email address to validated to save you the trouble of validating it yourself. They will then ask you to set an account password yourself via the password reset form (assuming they have enabled notifications emails), which will effectively prove your email address is valid.

The application stores this identifying information together with the registration date/time in its relational database.

Your account username and email address are stored in the database in plain text, whereas your password is stored as a salted non-reversible hash.

Other than by using the Password reset link on the login page, you can also change your password via the user Account Details page while logged in.

You may delete your account at any time through the user Account page. Doing so will instantly delete all of your uploaded files and account-related database records.

Account most recent login time

Whenever you log in to your account, the application updates your account database record with the current date and time.

If you don't log in to your account for at least 4 months, it will be assumed to be abandoned and will be deleted along with all of your uploaded files and account-related database records without notice.

Provided that the Service is configured to allow self-registrations, you may subsequently register a new user account with the same username and email address you used for your deleted account or with a different username and email address.

File details

Before uploading a file, you choose one of two types of key that will be used to encrypt and decrypt the file courtesy of the installed open source module Django Encrypted Files:

• the default encryption key (stored persistently on the server), or
• a custom key derived from a password you enter specifically for that file

Custom keys are stored only from when a user submits the password until they have uploaded or downloaded the file, they log out, or the 15-minute expiry has passed; file passwords are not stored in any format.

For details about custom keys (benefits/drawbacks, and technical details on derivation, storage and deletion), see here.

The module encrypts the file as the server is receiving it rather than after the server has finished receiving it.

Whenever you upload a file, the application stores the following file data:

• On the file system
• the file's contents (in AES256-CTR encrypted format)
• the file's name and size (in plain text)

• In the database (in plain text, unless stated otherwise)
• the ID number that points to your account
• any expiry date you set for the file download link
• any email addresses you set to specify who can open the download link
• any value you set for the maximum number of downloads allowed
• any description you add (stored in AES256-CBC encrypted format)
• the PyScrypt input parameters if you used a password-derived AES key (see here for details)
• the PyCryptodome initialization vector (iv) if you added a file description

Any description added to a file (at the time of upload or afterwards) is encrypted in AES-256 CBC mode by the installed open source module PyCryptodome using the same 32-character (256-bit) AES key that Django Encrypted Files used to encrypt the file's contents.

Other information

If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

How we use the account information

We use the information we collect to:

• Respond to any enquiries or to any issues that users report to us about their account
• Locate and delete inactive accounts and related user content (though, the process has been automated by the installed open source module Django Crontab)

We do not share any information related to your account with any third parties.

Cookies

f-drop.org does not track the activity of users or visitors of the site by cookies, javascript, or web beacons.

However, in order to function optimally, f-drop.org sets certain types of ‘cookies' in the user's web browser.

The cookies used include:

• a sessionid cookie to hold a random id for your current login session
• a csrftoken cookie to protect your account from potentially being hijacked by requests from a malicious website (see the official Django documentation for an explanation on this cookie)

Though the two cookies used at f-drop.org serve functional and protective purposes only, you can choose to disable cookies through your browser settings. Note that doing so will prevent you from being able to use your account or to create a new account.

To learn more about cookie management for your specific web browser, you may search online using the search string "how to manage cookies in [insert your browser's name e.g. Firefox or Chrome]"

Third-Party Privacy Policies

This Privacy Policy does not cover any websites linked from f-drop.org.

Thus, we advise you to consult the respective Privacy Policies of any third-party websites for more detailed information. Their Privacy Policies may include their practices and instructions about how to opt-out of certain options.