Dropbox is a cloud file storage, sharing and collaboration service from Dropbox Inc. (San Francisco). On a website it appears in two main forms: as a backend storage processor for user-uploaded files (via the Dropbox API or third-party connectors), or as an embedded component (the Dropbox Chooser, Saver or Embedder) that lets visitors interact with Dropbox content from the operator's page. The embedded components load JavaScript and cookies from dropbox.com, which triggers consent requirements under ePrivacy.
Dropbox is one of the original cloud file storage and synchronisation services, operated by Dropbox Inc., headquartered in San Francisco and listed on NASDAQ. On a website, Dropbox appears either as a backend storage processor (the operator uses the Dropbox API or a third-party connector to store files in a Dropbox account) or as an embedded component (Dropbox Chooser to pick a file from the visitor's Dropbox, Dropbox Saver to save a file into the visitor's Dropbox, Dropbox Embedder to preview a shared file). The embedded components are JavaScript widgets loaded from www.dropbox.com.
For backend storage, the operator's server uploads files to a Dropbox folder via the API. The file content and metadata sit in Dropbox infrastructure. For embedded components, the visitor's browser loads JavaScript directly from dropbox.com and authenticates against the visitor's own Dropbox account. In that flow, Dropbox sees the visitor's IP address, user agent, the referring URL of the operator's page, and the visitor's Dropbox account identity. Dropbox sets a handful of cookies (lid, gvc, t, hp_session) on the dropbox.com domain.
For backend storage, GDPR applies and Dropbox acts as a data processor under its Business Agreement and Data Processing Addendum. ePrivacy Art. 5(3) does not apply unless cookies are set on the visitor's device. For embedded components, both apply: cookies on dropbox.com require consent, and the personal data shared with Dropbox (IP, account identity, referrer) is subject to the GDPR. Operators should treat embedded components as third-party widgets that need a granular consent gate (functional or marketing depending on use case).
Dropbox Business Advanced and Enterprise plans include EU data residency: file content is stored in Dropbox owned data centres in Germany (Frankfurt). Account metadata, sharing audit logs and team management data still flow to US infrastructure. Dropbox Inc. is a US company subject to the US CLOUD Act, which European supervisors (BfDI, DSK, CNIL) flag as a residual transfer concern. Dropbox self certifies under the EU US Data Privacy Framework and provides Standard Contractual Clauses. For HIPAA covered entities, Dropbox offers a separate HIPAA addendum.
Dropbox encrypts files at rest with AES 256 and in transit with TLS 1.2+. Key management is provider managed on standard plans. Operators with high sensitivity needs can use client side encryption tools like Cryptomator before uploading files to Dropbox, which removes Dropbox's ability to read content but is incompatible with Dropbox preview and search features. Enterprise plans offer additional security controls including watermarking, advanced audit logs and granular admin controls.
Sign the Dropbox Business Agreement and the Data Processing Addendum. For EU content residency, subscribe to Business Advanced or Enterprise and enable the EU storage option. Document Dropbox as a processor in the record of processing with the data categories, the storage location, the retention period and the US transfer mechanism. For embedded components on public pages, wrap them in a Consent Management Platform gate (functional or marketing) and list the dropbox.com cookies in the cookie policy. Run a Transfer Impact Assessment for any storage of personal data, with mitigations (EU residency, encryption, limited admin access).
DPIA considerations
Dropbox processing differs by use case. DPIA considerations: (1) for backend file storage, content can be stored in German data centres if the operator subscribes to Dropbox Business Advanced or Enterprise; account metadata and audit logs still flow to the US; (2) US CLOUD Act exposure is the main residual transfer risk, as Dropbox Inc. is a US company; (3) Dropbox Chooser, Saver and Embedder components load JavaScript from dropbox.com on the operator's page, which sets cookies (lid, gvc, t, hp_session) and creates a third party tracking touchpoint requiring consent; (4) if file content includes special category data (health records, identity documents, financial), the DPIA must reflect the higher risk and the operator should evaluate Dropbox encryption options or self managed encryption keys; (5) Dropbox supports its own Data Processing Addendum and Standard Contractual Clauses, plus a Business Advanced HIPAA option for healthcare. A DPIA is recommended whenever Dropbox is used for special category data or as a primary backend storage of personal data.
Sample consent text
We use Dropbox from Dropbox Inc. as our cloud file storage and sharing platform. For our business plan, file content is stored in Dropbox data centres in Germany, while account metadata and audit logs are processed by Dropbox in the United States. Dropbox Inc. is exposed to the US CLOUD Act, so we have signed Standard Contractual Clauses and rely on the EU US Data Privacy Framework. If you see a Dropbox embedded preview or button on our site, Dropbox sets cookies on dropbox.com and you can refuse consent in our cookie settings.
Third-party domains contacted
- dropbox.com
- www.dropbox.com
- cfl.dropboxstatic.com
- api.dropboxapi.com
- content.dropboxapi.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| lid | Functional / Marketing | 11 months | Set by Dropbox on dropbox.com. Persistent identifier used to recognise the visitor across visits to Dropbox properties and embedded components. |
| gvc | Functional | 11 months | Set by Dropbox on dropbox.com. Stores a Google verification challenge value used during Dropbox sign in flows that involve Google accounts. |
| t | Strictly Necessary / Functional | Session | Set by Dropbox on dropbox.com. CSRF protection token used to validate requests during interactive flows (sign in, file sharing, Chooser, Saver). |
| hp_session | Functional | Session | Set by Dropbox on dropbox.com. Session identifier used by the Dropbox home page and embedded components to maintain the visitor's session state across navigation. |
| bjar | Marketing | 13 months | Set by Dropbox on dropbox.com. Used for advertising attribution and audience building across Dropbox campaigns. |
Dropbox itself does not set cookies on the operator's domain when used as backend storage. When the Dropbox Chooser, Saver or Embedder is loaded on a public page, Dropbox sets cookies on the dropbox.com domain (lid, gvc, t, hp_session, and others depending on whether the visitor is signed in to a Dropbox account).
For backend storage, consent depends on the underlying processing purpose, not on Dropbox itself. For embedded components on public pages, the dropbox.com cookies are not strictly necessary and ePrivacy Art. 5(3) requires prior consent before the component loads.
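The consent gate the page recommends for the Chooser, Saver and Embedder, written out as an added example (not FlowConsent's or Dropbox's own code): the Drop-ins script is only injected after the CMP reports consent for the matching category, so the browser makes no request to dropbox.com and receives no dropbox.com cookies before that. It assumes a CMP that exposes consent as an object like `{ functional: true, marketing: false }` and fires a `consentchange` event; the loader URL is the one Dropbox documents for Drop-ins, while the app key, the widget-to-category mapping and the event name are placeholders or assumptions.

```javascript
// Added example, not FlowConsent's or Dropbox's code. Loads the Dropbox
// Drop-ins script only after consent so nothing touches dropbox.com first.

const DROPINS_SRC = 'https://www.dropbox.com/static/api/2/dropins.js'; // documented Drop-ins loader
const DROPBOX_APP_KEY = 'YOUR_APP_KEY'; // placeholder: the operator's own Drop-ins app key

// Which consent category unlocks each widget. Chooser/Saver on a file-exchange
// page are functional; an Embedder used for campaign previews is marketing.
// This mapping is an assumption; classify per your own use case.
const CATEGORY_FOR_WIDGET = { chooser: 'functional', saver: 'functional', embedder: 'marketing' };

// Pure decision: fail closed on unknown widgets or absent consent
// (for example when the CMP has not answered yet).
function mayLoadDropbox(widget, consent) {
  const category = CATEGORY_FOR_WIDGET[widget];
  if (!category || consent === null || typeof consent !== 'object') return false;
  return consent[category] === true;
}

// Injects the Drop-ins <script> at most once. `doc` is passed in so the
// logic can be exercised without a browser; in a page, pass `document`.
function loadDropbox(widget, consent, doc) {
  if (!mayLoadDropbox(widget, consent)) return false;
  if (doc.getElementById('dropboxjs')) return true;     // already loaded
  const s = doc.createElement('script');
  s.id = 'dropboxjs';                                    // id the Drop-ins loader expects
  s.src = DROPINS_SRC;
  s.setAttribute('data-app-key', DROPBOX_APP_KEY);
  doc.head.appendChild(s);
  return true;
}

// Text for the placeholder shown in place of the widget until consent is
// given, so a visitor who declined can see what is missing and why.
function placeholderText(widget) {
  const category = CATEGORY_FOR_WIDGET[widget] || 'functional';
  return `Dropbox ${widget} is blocked until you accept ${category} cookies in the cookie settings.`;
}

// Browser wiring (no-op outside a browser): re-evaluate whenever the CMP
// reports a consent change. The 'consentchange' event name is an assumption.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('consentchange', (ev) => {
    loadDropbox('chooser', ev.detail, document);
  });
}
```

Withdrawing consent later does not unload an already-fetched script, so the page should also list the dropbox.com cookies in its cookie policy as the page describes.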
Backend storage typically rests on contract necessity under Art. 6(1)(b) (when storing files for a service the user signed up to) or legitimate interest under Art. 6(1)(f) (for internal business document storage). Embedded components require consent under Art. 6(1)(a).
By default, data is transferred to the United States. EU content residency is available on Business Advanced and Enterprise plans, with file content stored in German data centres, but account metadata and audit logs remain in the US. Dropbox self certifies under the EU US Data Privacy Framework and offers SCCs. US CLOUD Act exposure must be assessed.
A DPIA is recommended whenever Dropbox is used for special category data (health, identity documents, financial), or as primary backend storage of personal data at scale. For ad hoc use of embedded components or small scale storage, the DPIA threshold may not be met but documentation in the record of processing is still required.
Sign the Dropbox Business Agreement and DPA. Subscribe to Business Advanced or Enterprise and enable EU content residency. For embedded components on public pages, gate them behind a Consent Management Platform with explicit user consent. Document Dropbox in the record of processing with data categories, storage location, retention period and US transfer mechanism. Consider client side encryption for very sensitive content.
EU sovereign alternatives include Tresorit (Switzerland, end to end encrypted), pCloud (Switzerland), Sync.com (Canada, zero knowledge), Nextcloud (Germany, self hosted) and OVH Object Storage (France). US alternatives include Box, Google Drive, Microsoft OneDrive and Amazon S3, all with similar US CLOUD Act considerations.
List Dropbox as a sub processor in the privacy notice with the data categories, the EU content residency status, and the US transfer mechanism. If the Chooser, Saver or Embedder is used on public pages, list the dropbox.com cookies (lid, gvc, t, hp_session) in the cookie policy as functional or marketing cookies depending on use case.