Privacy Policy

Last updated: February 20, 2026

This Privacy Policy describes how Question Labs LLC ("Company," "we," "us," or "our") collects, uses, and protects information when you use the zkDrop platform ("Service"). We are committed to protecting your privacy and operating a zero-knowledge architecture in which we store only encrypted data that we cannot decrypt.

1. Information We Collect

1.1 Information You Provide

  • Email address: Required for authentication via magic link sign-in. This is the only personally identifiable information we require.
  • Upload request labels: Optional descriptive labels you may add to upload requests. Labels are not encrypted; they are stored in plaintext on our servers and are visible to us, so you should not place sensitive information in them.

1.2 Information We Collect Automatically

  • IP addresses: Logged for security, rate limiting, and audit trail purposes.
  • User agent strings: Browser and device information included in HTTP requests, logged for audit purposes.
  • Timestamps: Date and time of account creation, upload requests, file uploads, and file access events.
  • Ciphertext file sizes: The size of encrypted files (not plaintext) for storage management and validation.

1.3 Information We Do NOT Collect or Have Access To

Due to our zero-knowledge encryption architecture, we do not have access to:

  • Encryption keys (generated and stored only in your browser; never transmitted to our servers)
  • Plaintext file contents
  • Original file names, file types, or other file metadata

All file metadata (name, type, size) is encrypted client-side before being transmitted to our servers. We store only the encrypted (ciphertext) versions, which we cannot decrypt. One caveat: AES-GCM adds only a fixed-size authentication tag, so the ciphertext size we record (Section 1.2) closely approximates the original file size. Treat file size as effectively observable by us even though the encrypted metadata itself is not readable.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Authentication: To verify your identity and provide access to your account via magic link emails.
  • Service operation: To process upload requests, generate presigned URLs for file storage, manage file expiration, and provide core functionality.
  • Security and abuse prevention: To enforce rate limits, detect and prevent abuse, and maintain the integrity of the Service.
  • Audit logging: To maintain compliance-grade audit trails of security-relevant actions (authentication events, file uploads, file access, deletions).
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

3. Data Storage and Security

3.1 Encryption

The Service implements multiple layers of encryption:

  • Client-side end-to-end encryption: Files and their metadata are encrypted in your browser using AES-256-GCM before being uploaded. Encryption keys are generated in your browser and are never transmitted to our servers.
  • Encryption in transit: All communications between your browser and the Service use TLS (HTTPS).
  • Encryption at rest: Encrypted files are additionally protected by server-side encryption (AES-256) provided by our cloud storage infrastructure. This layer guards against exposure of the underlying storage media; because the storage provider manages its own keys, it is not part of the zero-knowledge guarantee, which rests on the client-side layer alone.

3.2 Infrastructure

Your data is processed and stored using the following third-party services:

  • Cloud hosting: Application hosting with security headers, DDoS protection, and edge caching.
  • Database: PostgreSQL database for account information, upload request metadata, and audit logs.
  • File storage: Amazon Web Services (AWS) S3 for encrypted file storage with server-side encryption and access controls.
  • Email delivery: Third-party email service for sending authentication magic links.

4. Data Retention

  • Account data: Retained as long as your account is active. You may request deletion at any time (see Section 7).
  • Encrypted files: Automatically deleted upon expiration of the upload request (configurable: 1 hour, 24 hours, 7 days, or 30 days). Files may also be manually deleted by the account holder at any time.
  • Audit logs: Retained for a minimum of one (1) year for compliance purposes, after which they may be archived or deleted.
  • Expired upload requests: Metadata for expired upload requests is retained for audit purposes but associated encrypted files are permanently deleted.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may disclose information in the following limited circumstances:

  • Service providers: We share data with third-party infrastructure providers (hosting, storage, email) solely for the purpose of operating the Service. These providers are bound by their own privacy policies and data processing agreements.
  • Legal requirements: We may disclose information if required by law, regulation, subpoena, court order, or other legal process. However, due to our zero-knowledge architecture, we can only provide encrypted data (ciphertext) and metadata — we cannot provide plaintext file contents or encryption keys, as we do not possess them.
  • Protection of rights: We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users or the public.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

6. Cookies and Tracking

We use only essential cookies required for authentication and session management. We do not use:

  • Third-party analytics or tracking cookies
  • Advertising cookies or pixels
  • Social media tracking scripts
  • Fingerprinting or cross-site tracking technologies

The authentication cookie is set with the HttpOnly flag (it cannot be read by page scripts), the Secure flag (it is sent only over HTTPS), and SameSite=Strict (it is not sent on cross-site requests), which mitigates cross-site request forgery.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

7.1 All Users

  • Access: Request a copy of the personal data we hold about you.
  • Deletion: Request deletion of your account and all associated data.
  • Correction: Request correction of inaccurate personal data.

7.2 European Economic Area (EEA) Residents — GDPR

If you are located in the EEA, you have additional rights under the GDPR:

  • Legal basis for processing: We process your email address based on contractual necessity (to provide the Service). We process IP addresses and audit logs based on our legitimate interest in security and compliance.
  • Data portability: You may request your personal data in a structured, commonly used, machine-readable format.
  • Restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances.
  • Object to processing: You may object to processing based on legitimate interests.
  • Supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority in your member state.
  • Data transfers: Your data may be transferred to and processed in the United States. We rely on standard contractual clauses and the data protection commitments of our service providers for such transfers.

7.3 California Residents — CCPA/CPRA

If you are a California resident, you have the following rights:

  • Right to know: You may request information about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out: We do not sell or share personal information (as those terms are defined under the CCPA/CPRA), so this right does not apply.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

8. Data Minimization

We adhere to the principle of data minimization. The only personal data we require you to provide is your email address, used for authentication. The IP addresses, user agent strings, and timestamps described in Section 1.2 are collected only to the extent needed for security, rate limiting, and audit logging. File contents and metadata are encrypted end-to-end and are inaccessible to us by design.

9. Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to such transfers. We take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy.

11. Security Incident Notification

In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities as required by law. Due to our zero-knowledge architecture, a breach of our servers or storage would not expose plaintext file contents, as we do not possess encryption keys. This protection depends on the integrity of the web application code we serve to your browser, since that code performs the encryption. Email addresses, IP addresses, user agent strings, upload request labels (stored in plaintext), upload request metadata, and audit logs could be affected by a breach.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a revised "Last updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

13. Contact Information

For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, please contact:

Question Labs LLC
Email: support@majority.fun

For GDPR-related inquiries, you may also contact our data protection point of contact at support@majority.fun.