Privacy

Last updated Feb 14 2026

Welcome to Droplock,

Droplock is a photo vault app that lets you store private photos and videos in password-protected vaults. This Privacy Policy explains what data we process, why, and what choices and rights you have under the GDPR.


We take privacy very seriously. This Privacy Policy explains what we collect, why we collect it, and how we keep it safe.

Who we are

Droplock is created by Supermax (“we”, “us”), in France.

That means we follow the GDPR (European data protection rules).


If you ever have questions, complaints, or just wanna say hi, slide in there:

[email protected]

Quick overview

  • No account required: You can use Droplock without signing up. In that mode, your vault content stays on your device.
  • Cloud backup is optional (Premium): If you create an account, you can back up and restore your vault on another phone.
  • We don’t receive Face ID data: whether you use FaceID, FaceUnlock or fingerprint, you device handles it; we don't get your biometric information.
  • We do use analytics & crash reports (technical data) to improve reliability and performance.

What we collect (and why)

We don't want your life story, we just need enough info to keep Droplock running smoothly and to improve it.

Here’s what we might collect:

Data your phone shares automatically

When you use Droplock, we get some basic, anonymous data like:


  • Your device model and OS version
  • App version, language, and country
  • Crash logs or error reports (so we can fix bugs faster)

Data you give us

When you subscribe for cloud storage:


  • Email address
  • Sign-in identifiers provided by:
    • Apple (if you use Sign in with Apple)
    • Google (if you use Google Sign-In)

Where are your medias stored?

By default your medias are stored locally on your device in the app’s private storage. We don’t receive them.

Cloud storage

Your vault items (and related previews/thumbnails/metadata like timestamps and basic file details) may be uploaded so you can restore them across devices.

App permissions (and why)

Droplock may request:


  • Photo Library – to import/export items
  • Biometrics (Face ID/Touch ID) – optional, to add an extra unlock step
  • Camera – only if you enable “Intruder Alerts”

Biometrics note: Your device performs the biometric match. We do not access or receive your biometric data.

Passwords, vault access, and security

Vault passwords

When you open Droplock, you enter a password.
Different passwords open different vaults.


We do not store vault passwords in plaintext.
Vault passwords are hashed.

Encryption & security

We use measures designed to protect data:


  • Encryption in transit: HTTPS/TLS for network traffic.
  • Cloud storage encryption at rest: using industry standard AES-256 encryption. Each vault is additionally encrypted with a unique, server-derived key that the storage provider never retains.
  • On-device storage: Items are stored within the app’s local storage on your device and using you device's secure enclave when relevant.

Accounts & passwordless login emails

If you choose email login, we send you passwordless authentication emails to sign you in. These are service emails (not marketing).


Premium purchases are processed through Apple App Store / Google Play. We do not receive your full payment card details.

Intruder Alerts (Premium)

If you enable Intruder Alerts:


  • Droplock takes a photo after any incorrect password attempt on the vault unlock screen
  • The intruder photo is stored locally on your device
  • We store the time of the attempt and gps location of the attempt (if enabled), on device

Intruder photos and metadata are not uploaded to our servers.

Screenshot blocking

Droplock includes a feature designed to block screenshots when viewing vault content. Please note it may not prevent every capture method on every device (for example, recording the screen with another camera).

We process personal data for the following purposes and legal bases:

  1. Provide the app and requested features (including cloud backup/restore if you enable it)

    Legal basis: Contract (GDPR Art. 6(1)(b))

  2. Account authentication and security (passwordless login, abuse prevention)

    Legal basis: Contract (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f))

  3. Improve app performance and fix bugs (analytics & crash reporting)

    Legal basis: Legitimate interests (Art. 6(1)(f))

    (Our interest is keeping the app reliable and improving it, while limiting data collection to what’s necessary.)

  4. Customer support

    Legal basis: Legitimate interests (Art. 6(1)(f)) and/or Contract (Art. 6(1)(b))

  5. Legal compliance (responding to lawful requests, enforcing rights)

    Legal basis: Legal obligation (Art. 6(1)(c)) and Legitimate interests (Art. 6(1)(f))

Where consent is required under local law for certain device permissions, the permission prompt and your device settings control that choice.

Who we share data with (recipients)

We don’t sell your personal data.


We share data only with trusted service providers (processors) who help us operate Droplock:


  • Cloudflare (cloud storage)
  • Statsig (analytics)
  • Authentication providers (Apple/Google) when you choose those sign-in methods
  • RevenueCat (analytics)
  • Firebase (analytics)
  • Supabase (Database)

We may also disclose data if required to comply with law or to protect users and our services.

International transfers

We are based in France, and some providers and infrastructure may be located outside the EEA/UK (for example, cloud storage in the United States).

The servers are located

When personal data is transferred outside the EEA/UK, we use appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum, plus
  • Additional technical and organizational protections where appropriate.

How long we keep data

We keep data only as long as needed for the purposes described above.

Account & cloud data

  • If you have an account, we keep your account data while it’s active.
  • If you request account deletion, we delete your account data and associated cloud data within up to 30 days. (to process deletion safely and prevent accidental loss), signing in during this 30 days period will retrieve your account and cancel the account deletion.

Analytics & crash reporting

We retain analytics/crash data for a limited time, then delete or anonymize it.

  • Analytics: 13 months
  • Crash reports: 180 days
  • Security logs (if any): 90 days

Intruder Alert photos

Intruder photos are stored on your device until you delete them (or until we introduce optional auto-delete controls in the future).

Your GDPR rights

If you are in the EEA/UK, you have the right to:


  • Access your personal data (right from the app)
  • Rectify incorrect data
  • Delete your data (“right to be forgotten”) (right from the app)
  • Restrict or object to certain processing
  • Data portability (for certain data you provided)
  • Withdraw consent where processing is based on consent (this won’t affect processing already performed)

To exercise your rights, contact us at [email protected]. We may verify your request (for example, by verifying access to the email on the account).

Complaints

You can lodge a complaint with your local supervisory authority. In France, this is CNIL.

Children

Droplock isn’t intended for children. You must be at least the minimum legal age in your country to use it. If you believe a child has provided personal data to us, contact us and we’ll take appropriate steps.

Automated decision-making

Droplock does not use your personal data to make decisions based solely on automated processing that produce legal or similarly significant effects about you (GDPR Art. 22).

Changes to this policy

If we make material changes, we’ll update the effective date and provide notice in the app where appropriate.

Contact

Supermax SAS

229 rue Saint-Honoré, 75001 Paris, France

[email protected]

© 2026 Supermax