Privacy Policy
Effective date: April 13, 2026
This Privacy Policy describes how NuSecuritas, LLC ("we", "us", "our") collects, uses, shares, and protects information in connection with the OTDrop service at otdrop.com (the "Service"). Capitalized terms used but not defined here have the meaning given in the Terms of Use.
1. Scope
This Policy applies to information we process through the Service. It does not apply to information processed by third parties linked to or integrated with the Service (for example, the identity provider you choose to sign in with, or the third-party services that deliver email on our behalf), whose practices are governed by their own privacy policies.
2. Information We Collect
2.1 Account and authentication data
When you sign in as a sender, we receive from your chosen OAuth provider (Google or Microsoft) a stable identifier, your email address, and, where available, your display name. We do not receive your password. The OAuth provider may record and share additional data with us subject to their own policies.
2.2 Transfer metadata
When you create a transfer, we collect and store:
- The recipient's email address.
- If the sender sets a passphrase, a salted one-way hash of that passphrase (used to verify the recipient at claim time; wiped on successful claim).
- The original filename, file size, and declared content type.
- Timestamps (creation, upload completion, claim, expiration).
- A randomly generated claim token.
This metadata is readable by us and is used to operate the Service, route notifications, and enforce expiration.
2.3 File contents and sender messages
File contents and any optional sender message are encrypted in your browser with a per-transfer key before they are uploaded. That key is wrapped with our server-side master key and stored alongside the ciphertext; the plaintext of your file and message never leaves your device unencrypted. We cannot read your files or messages.
Ciphertext is stored with our infrastructure provider. Transfers are automatically deleted seven (7) days after creation or upon first successful download, whichever is earlier.
2.4 Recipient verification
When a recipient claims a passphrase-protected transfer, they enter the passphrase the sender shared with them. The passphrase is compared against the salted hash we received from the sender using a constant-time comparison. On successful verification, the hash is permanently deleted from our database.
2.5 Technical and usage data
We automatically collect information your device sends when you use the Service, including IP address, user agent string, approximate geolocation derived from IP, request timestamps, and referrer. We use this for security, abuse prevention, and analytics.
2.6 Cookies, analytics, and similar technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary. Session cookies carry your authentication state. Without these the Service cannot function.
- Bot protection. Our bot-protection provider may set short-lived cookies to evaluate requests.
- Analytics. We use Google Analytics and may use other privacy-respecting analytics tools to understand how the Service is used, measure performance, and improve features. Google Analytics may use cookies or similar identifiers and may transfer this data to Google. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by using a browser that blocks analytics cookies.
We do not currently honor "Do Not Track" browser signals, because there is no industry consensus on what the signal means. We do honor browser-level Global Privacy Control (GPC) signals where required by law.
2.7 Communications
If you contact us (for example by email to our support address), we will receive and retain the content of your message, your contact details, and any attachments.
3. How We Use Information
We use the information described above to:
- Operate, maintain, and secure the Service.
- Authenticate users, deliver transfers, and enforce rate limits and expiration.
- Send transactional notifications (transfer ready, claim link, verification codes, expiration warnings, security alerts).
- Send marketing communications about products and services we believe may interest you, consistent with Section 7 of the Terms of Use and applicable law; you may opt out at any time.
- Analyze usage, measure performance, and improve the Service.
- Detect, investigate, and prevent fraud, abuse, and violations of our Terms.
- Comply with legal obligations, respond to lawful requests, and enforce our rights.
Legal bases for processing (for users in the EEA, UK, or Switzerland). To the extent the GDPR applies, we process personal data on the bases of (a) performance of a contract with you, (b) our legitimate interests in operating and securing the Service, (c) your consent (for marketing communications and certain cookies), and (d) compliance with legal obligations.
4. How We Share Information
We share information only as described below. We do not sell your personal information.
- With service providers that help us run the Service. These providers are contractually restricted to using your information only to provide services to us. The categories of providers we engage include:
  - Infrastructure providers — cloud hosting, content delivery, DNS, storage, bot protection, and service analytics.
  - Identity providers — the third-party sign-in service you choose when you authenticate (for example, Google or Microsoft). We receive only the profile information described in Section 2.1.
  - Communications providers — third-party services that deliver email (including transactional and marketing messages) on our behalf.
  - Product analytics providers — Google Analytics and similar tools that help us measure usage and improve the Service, as described in Section 2.6.
- With recipients you designate. When you create a transfer, the recipient email you provide is used to deliver the transfer.
- To comply with law. We may disclose information to comply with subpoenas, court orders, legal process, or other legal obligations, or when we believe in good faith that disclosure is necessary to protect our rights, enforce our Terms, protect the safety of any person, or investigate suspected fraud or abuse.
- In connection with a business transaction. If we are involved in a merger, acquisition, financing, sale of assets, or similar transaction, information may be transferred as part of that transaction. We will require any acquirer to honor the material terms of this Policy or give you notice.
- With your consent. For any purpose not described in this Policy, with your consent.
5. Security
We use reasonable administrative, technical, and physical measures designed to protect information, including:
- Encryption of file contents and sender messages in your browser before upload, using industry-standard algorithms, with per-transfer keys wrapped under a server-held key.
- Encryption in transit for all connections between you, our infrastructure, and our service providers.
- Authentication through established third-party identity providers; short-lived session tokens; secure cookies.
- One-way hashing of passphrases (stored as salted SHA-256, wiped on successful claim); constant-time comparison for sensitive equality checks.
- Automatic deletion of transfer ciphertext after seven (7) days or first download.
- Rate limits, bot protection, and audit logging for abuse-sensitive operations.
No security measure is perfect. You acknowledge that use of the Service carries residual risk and that we cannot guarantee against unauthorized access, interception, or disclosure. You are responsible for sending only content whose sensitivity is appropriate for a free, general-purpose utility (see the prohibited-uses list in the Terms of Use).
6. Data Retention
- Transfer ciphertext and sender message ciphertext: deleted from our infrastructure seven (7) days after creation or upon first successful download, whichever comes first.
- Transfer metadata: the row is retained in our database after ciphertext deletion for operational and audit purposes, and may be purged on a rolling basis per our retention schedule.
- Account data: retained while your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce agreements.
- Audit logs: typically retained for ninety (90) days.
- Passphrase hashes: wiped from the database on successful claim or when the transfer expires.
7. Your Choices and Rights
7.1 Opting out of marketing
Every marketing email we send includes an unsubscribe link. Opting out does not end transactional communications required to operate the Service.
7.2 Access, correction, deletion
You may request access to, correction of, or deletion of your personal information by mailing us at PO Box 702, Hillsdale, MI 49242. We will respond in accordance with applicable law. For data we hold only in encrypted form and cannot read (such as file contents), we can delete the ciphertext but cannot produce the plaintext.
7.3 California residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, and share; to request deletion of your personal information; to correct inaccurate information; and to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined by the CCPA/CPRA. We will not discriminate against you for exercising these rights.
7.4 EEA, UK, and Swiss residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. You may lodge a complaint with your local data-protection authority. Contact us at to exercise your rights. Note that the Service is operated from the United States; by using the Service you consent to the transfer of your information to the United States.
7.5 Children
The Service is not directed to, and we do not knowingly collect personal information from, individuals under thirteen (13). If we learn we have collected personal information from a child under 13, we will delete it.
8. International Transfers
We operate the Service in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data-protection laws different from those in your jurisdiction. By using the Service you consent to this transfer.
9. Third-Party Links
The Service may contain links to third-party websites or services. Those third parties are not controlled by us, and we are not responsible for their privacy practices. This Policy does not apply to any third party; review their policies before providing information.
10. Changes to This Policy
We may update this Policy at any time by posting the revised version at otdrop.com/privacy and updating the Effective Date. Material changes will be noted on the page or communicated by email to registered senders. Your continued use of the Service after an update constitutes acceptance of the revised Policy.
11. Contact
NuSecuritas, LLC
PO Box 702, Hillsdale, MI 49242