The short version
Dropshare does not ask for your name, email, or account, does not profile users, and does not sell or share personal information. Files are encrypted in your browser, held for twenty-four hours, and deleted. For California consumers there is very little personal information in play to begin with, and none of it is used for advertising.
What the California law actually covers
The California Consumer Privacy Act, as amended by the CPRA, is mostly concerned with how businesses collect personal information about California residents, what they do with it, whether they sell or share it, and how they let people see, correct or delete what has been gathered. Most of that machinery exists because modern online services collect a lot — accounts, device identifiers, behavioural profiles, inferences drawn from all of the above — and consumers have had essentially no visibility into any of it.
Dropshare approaches file sharing from a different angle. There is no account to create, no profile to build and nothing we can usefully monetise, because the files themselves are encrypted in your browser with a key we never receive. What we store is ciphertext and the small amount of metadata needed to serve and expire it: upload time, size, a random identifier in the URL. Request-level information such as IP addresses is used for abuse prevention and rate limiting, not for building a picture of who you are.
The consumer rights, in plain terms
The right to know under §1798.110 and §1798.115 exists so that people can find out what a business has collected about them and where it went. In our case the honest answer is short: we do not hold a profile of you, we do not know your name, and the file you uploaded was encrypted before we ever saw it. We do not disclose personal information to third parties for their own purposes, and we do not sell it.
The right to delete under §1798.105 normally triggers a workflow inside the provider. With Dropshare, deletion is the default: the encrypted object is removed automatically after twenty-four hours, and because we never held the key, any residual copies in storage infrastructure are unreadable. If you need an object gone sooner, stop sharing the link and, if you have access to it, delete it directly.
The right to correct inaccurate personal information under §1798.106 rarely applies to us in a meaningful way, because we do not hold records about you that could be inaccurate. The file is yours; you correct it on your own device and share an updated link if you need to.
The right to opt out of sale or sharing under §1798.120 is straightforward: there is nothing to opt out of. Dropshare does not sell personal information and does not share it for cross-context behavioural advertising. No part of our business model depends on learning anything about the people who use the service.
The right to limit the use of sensitive personal information under §1798.121 is similarly easy to honour. We do not collect categories of sensitive personal information for our own purposes. If you choose to put sensitive material into a file you upload, that content is encrypted and unreadable to us; it is not processed, inferred from, or used in any secondary way.
The right to non-discrimination is structural. There is no premium tier that buys back privacy you would otherwise have to give up, because the privacy properties are the same for everyone.
How Dropshare fits into your own compliance
If you are a California business using Dropshare to send files to customers or vendors, we act as a service provider for the narrow technical operation of transporting and temporarily storing encrypted data. We do not retain, use, or disclose that data for any purpose other than performing the service, and we do not combine it with data from other sources to build profiles. That role is small enough that, for most businesses, Dropshare fits comfortably into the service-provider framework the CCPA contemplates without complicating your own disclosures.
Your obligations to your own California consumers — the notices at collection, the privacy policy, the rights-request workflow — stay with you. What Dropshare tries to do is not quietly widen the scope of those obligations by seeing more than it needs to.
Where Dropshare is not the answer
The pages that overclaim about privacy tend to skip this part, so it’s worth being direct. Dropshare is a short-lived sharing tool. It is not a customer-data platform, not a CRM, and not an archive; if your compliance model depends on retaining records, producing per-access audit trails, or verifying the identity of recipients, you need a system built around those requirements, not a 24-hour link. And because we cannot see what has been uploaded, we cannot help you discover that someone sent something they shouldn’t have. The sender remains responsible for the contents of the envelope.
In practice
For most California businesses, using Dropshare responsibly looks unremarkable: you upload a file, share the resulting link with the intended recipient through a channel you already trust, and let it expire. No account provisioning, no tracking pixels, no long tail of old documents sitting on a vendor’s disk. The law is satisfied not because we spent a lot of effort on compliance theatre, but because there is very little personal information to begin with.
Our Privacy Policy describes exactly what is and isn’t collected, and the Terms spell out the service relationship. If a California rights request ever does need a human response from us, contact details are on those pages.