Privacy Policy

We collect only what is necessary to provide the service:

• Account information — your name, email address, and password (stored as a one-way hash) when you create an account.
• Social sign-in — your name and email address if you choose to sign in with a third-party identity provider such as Google or GitHub. We do not store your social account password.
• Uploaded files — files you upload are stored in distributed cloud storage and automatically deleted when the transfer expires.
• Usage information — pages you visit, download events, your IP address, and browser type, used solely for service operation and security monitoring.
• Billing information — payment details for paid plans are processed entirely by our payment provider. CortexDrop never stores raw card numbers or bank information.

We use your information to:

• Create and manage your account and deliver the core transfer service
• Send transactional emails — account verification, password resets, transfer notifications, and storage alerts
• Detect and prevent fraud, abuse, and security threats
• Enforce rate limits and fair-use policies to maintain service quality
• Display usage analytics (storage, bandwidth, downloads) inside your own dashboard
• Comply with applicable laws and regulations

We do not use your data to train AI models, build advertising profiles, or sell insights to third parties.

Files you upload are stored in geo-distributed cloud infrastructure and identified by a unique content hash. Every transfer has an expiry date you choose at upload time. When a transfer expires, the file is automatically removed from storage and deleted from our database — no manual action required.

We do not read, scan, or analyze the contents of your files except to compute storage usage and deliver the file to authorized recipients. All file transfers are encrypted in transit using TLS 1.2+.

If you delete a transfer manually before it expires, the file is removed immediately. Residual copies in backup infrastructure are purged within 30 days.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

• Infrastructure providers — we use cloud services for file storage, email delivery, and payment processing. These providers are contractually bound to use your data only to perform services on our behalf.
• Identity providers — if you use social sign-in, your identity provider shares your name and email with us. We do not share data back to them beyond what the OAuth flow requires.
• Legal obligations — we may disclose information when required by law, court order, or to protect the rights, property, or safety of CortexDrop, our users, or the public.
• Business transfers — in the event of a merger, acquisition, or sale of assets, user data may be transferred to the successor entity, subject to the same privacy commitments.

We use a single session cookie to keep you signed in. This cookie contains an encrypted session token and no personally identifiable information beyond what is needed to authenticate you.

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics scripts. All usage analytics are first-party, stored in our own database, and never shared with advertising networks.

We retain your account information for as long as your account is active. If you request account deletion, we will permanently delete your profile, files, and associated data within 30 days. Some records may be retained in anonymized or aggregated form for internal analytics.

Audit logs for security and compliance purposes may be retained for up to 12 months even after account deletion.

To request deletion, email us at privacy@cortexdrop.net from the address associated with your account.

Depending on your location, you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete information.
• Deletion — request that we delete your account and personal data.
• Portability — receive your data in a portable, machine-readable format.
• Objection — object to certain types of processing, including direct marketing.

To exercise any of these rights, contact us at privacy@cortexdrop.net. We will respond within 30 days.

We apply industry-standard technical and organizational measures to protect your data — including HTTPS encryption for all connections, secure password hashing, rate limiting, and detailed audit logging of privileged actions.

No system can guarantee absolute security. If you discover a vulnerability, please report it responsibly to security@cortexdrop.net and we will address it promptly.

CortexDrop is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

CortexDrop operates globally. Your information may be processed in countries other than where you live. Where required, we apply appropriate safeguards — such as standard contractual clauses — to ensure your data receives an adequate level of protection regardless of where it is processed.

We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The date at the top of this page always reflects the most recent revision.

If you have questions, concerns, or requests regarding this policy or how we handle your data, please reach out:

CortexDrop
privacy@cortexdrop.net