Privacy Policy
Last updated: 2026
1. Controller
The controller responsible for data processing within the meaning of the GDPR is:
Diego Rodriguez (Rodriguez-Web)
Delftstraße 8, 27474 Cuxhaven, Germany
Email: diego@rodriguez-web.de
2. Core principle: end-to-end encryption (zero-knowledge)
devdrops is built so that we cannot read your Secrets. Passwords, API keys, tokens, and .env values are encrypted with AES-256-GCM in your browser before they are transmitted to the server. The encryption key (DEK) is derived from your password or recovery key and never leaves your device in plaintext. Our database contains ciphertext only. We are technically unable to access the plaintext Secrets.
3. What data we process
a) Account data
To register and sign in, we process your email address and a cryptographically derived password credential (authentication is handled by Firebase Authentication; the password itself is not stored in plaintext).
b) Encrypted content (Secrets)
We store your Secrets exclusively as ciphertext (see section 2). In addition, we store the Vault key encrypted with your password and your recovery key, so that you can recover your Secrets after a password change or loss — these keys are likewise stored only in encrypted form.
c) Project content
Project names, descriptions, setup notes, and saved commands are stored in plaintext so that they are searchable and shareable. For this reason, do not store any secrets in these fields — the encrypted Secrets area is intended for that purpose.
d) Team features
When you invite someone to a project by email, we process their email address in order to implement the invitation and grant access.
e) Technical data
When the application is accessed, server-side log data is generated at our hosting provider (including IP address, date/time, and the requested resource), which serves delivery, security, and error analysis.
f) Local storage on your device
We do not use tracking cookies. The following are necessary for operation: a Firebase auth token (keeps you signed in) and the decrypted Vault key in sessionStorage, which is deleted when you close the tab or sign out.
4. Purposes and legal bases
- Provision of the service, account and contract management — Art. 6 (1) (b) GDPR (performance of a contract).
- Data security, abuse prevention, logging — Art. 6 (1) (f) GDPR (legitimate interest in secure operation).
- Processing of paid plans (where booked) — Art. 6 (1) (b) GDPR; payment processing is handled by a payment service provider that acts as an independent controller for the payment data.
5. Data processing and hosting
We operate devdrops on the Google Firebase platform (Google Ireland Limited / Google LLC). Firebase processes account data, (encrypted) content, and technical data on our behalf. Services used: Firebase Authentication, Cloud Firestore, Cloud Functions, Cloud Storage, and Firebase Hosting. Our database is located in the EU (region eur3), and the server functions run in europe-west1 (Belgium).
A data processing agreement (DPA) is in place with Google. Where a transfer to the USA occurs in an individual case, it is safeguarded by the EU Standard Contractual Clauses.
6. Retention
We store account and content data for as long as your account exists. If you delete your account or a project, the associated data (including encrypted Secrets and file blobs) is deleted. Technical logs are automatically removed after a short period.
7. Your rights
Under the GDPR, you have the following rights:
- Access to the data stored about you (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (Art. 17) and restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing based on legitimate interests (Art. 21)
To exercise these rights, simply send an email to diego@rodriguez-web.de. Please note: because we cannot decrypt your Secrets, a request for access covers only the encrypted data in this respect.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.
9. Data security
All transmission is exclusively TLS-encrypted. Secrets are encrypted with AES-256-GCM; key derivation uses PBKDF2-HMAC-SHA256 with 600,000 iterations. Access to project content is enforced server-side through Firestore security rules.
10. Changes to this Privacy Policy
We update this policy when our data processing changes. The version published here at any given time applies.