Privacy
Last updated: 2026-05-09
zz-drop is a command-line program that runs entirely on your machine. The hosted services we operate are this website and the OAuth callback domain. This page describes what we do and don't collect across both.
What we don't collect
- No telemetry from the CLI. The binary makes no calls home, ever.
- No product analytics, page-view trackers, or third-party scripts on this site.
- No cookies. This site sets none.
- No IP or user-agent logs are tied to your zz-drop profiles or OAuth identities. Web-server access logs (raw IP, path, status code) are kept transient — rotated every 24 hours and never joined to any account.
- No advertising networks. No remarketing pixels.
What stays on your device
- Your passphrase. It is never transmitted, in any form.
- Your encrypted profile, including OAuth refresh tokens. Stored at ~/.config/zz-drop/profiles/, sealed with a key derived from your passphrase via Argon2id.
- The plaintext file content you transfer. zz-drop streams it directly from your machine to the configured cloud provider over TLS.
What the cloud provider sees
For the four active providers in v1 — Nextcloud, Google Drive, OneDrive, Dropbox — file content is uploaded as-is. The provider sees the file the same way it would if you used their own client. zz-drop does not add an additional encryption layer on file content in v1; that is on the v1.1 roadmap.
OAuth
For Google Drive and OneDrive, zz-drop uses OAuth 2.0 device flow (RFC 8628): your browser is sent to the provider's authorization page, you approve there, and the CLI polls the provider directly for the resulting tokens. For Dropbox, zz-drop uses paste-code (Authorization Code + PKCE without redirect_uri): the provider shows you a code, you paste it into the CLI. None of these flows sends a redirect to a host we operate; we have no OAuth callback server. Tokens are written only to your local encrypted profile and are never seen by any zz-drop-operated server.
This website
The site is static HTML and CSS, served from a single OVH virtual machine in Gravelines, France. No JavaScript is required to read any page. No fonts, scripts, or images are loaded from third-party CDNs.
Contact
Questions, corrections, requests: privacy@zz-drop.net.