Privacy Policy

Effective date: March 7, 2026 · Last updated: March 7, 2026

KvikDrop is operated by Vestar Digital ("we", "us", "our"). We operate the KvikDrop mobile application (iOS and Android), the KvikDrop web application at kvikdrop.com, and related services (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and your choices.

    Key principle: KvikDrop is built around privacy. Files are transferred directly between devices using peer-to-peer technology and end-to-end encryption. We never see, store, or have access to the content of your transfers.

1. Information We Collect

1.1 Account Information

When you create an account you provide your phone number. We use Firebase Authentication to verify your number via a one-time SMS code. We store:

Phone number (hashed where possible)
Account creation date
Premium subscription status

1.2 Usage Metadata

To enforce free-tier limits and provide the Service we store minimal usage metadata in your user profile:

Daily transfer count (number of transfers, not file contents)
Date of last transfer
Trusted-device list (device name, device type, public key fingerprint)

1.3 Temporary Session Data

When you initiate a file transfer, a short-lived session record is created in our database to allow the receiving device to connect. This record contains:

A random 6-digit session code
Sender device name and type
Encrypted WebRTC signaling data (SDP offer/answer, ICE candidates)
Sender's public encryption key

Session records are automatically deleted within 3 minutes and cannot be used to reconstruct transferred files.

1.4 Subscription & Payment Data

If you subscribe to KvikDrop Premium, payment processing is handled entirely by the platform store (Apple App Store, Google Play) or by our subscription partner RevenueCat. We do not collect or store credit card numbers, bank details, or billing addresses. We receive only:

Subscription status (active/expired)
Subscription plan type (monthly/yearly)
An anonymous subscriber identifier

1.5 Information We Do NOT Collect

File contents — all transfers are peer-to-peer and end-to-end encrypted
Precise location
Contacts or address book
Browsing history
Advertising identifiers
Analytics or behavioral tracking data

2. How We Use Your Information

Purpose	Data used
Verify your identity & secure your account	Phone number, SMS verification code
Establish peer-to-peer connections	Temporary session data
Enforce free-tier transfer limits	Daily transfer count
Enable trusted-device quick-send	Device name, type, public key
Manage your Premium subscription	Subscription status via RevenueCat
Provide customer support	Phone number, account metadata

3. End-to-End Encryption

Every file transfer in KvikDrop is protected by strong cryptography:

X25519 key exchange — A unique keypair is generated per session. The shared secret is derived using Elliptic-Curve Diffie-Hellman.
HKDF key derivation — The shared secret is expanded into a symmetric encryption key.
AES-256-GCM encryption — Each file chunk is encrypted and authenticated before transmission.

Encryption keys exist only in device memory during the transfer and are discarded afterward. We have zero access to your files at any point.

4. Peer-to-Peer Transfers & WebRTC

File data travels directly between the sender and receiver using WebRTC DataChannels. In most cases data does not pass through any server. When a direct connection is not possible (e.g., restrictive NAT), an encrypted TURN relay may be used. Even in this case, the relay sees only encrypted ciphertext and cannot decrypt your files.

5. Device Permissions

KvikDrop requests device permissions only when needed:

Permission	Why it's needed	Platforms
Camera	Scan QR codes for pairing	iOS, Android
Photo Library / Media	Select photos/videos to send; save received media	iOS, Android
NFC	Tap-to-pair with nearby devices	iOS, Android (where supported)
Local Network	Discover and connect to nearby devices	iOS
Notifications	Alert you to incoming transfer requests	iOS, Android

The web application may request access to the file system (for picking and saving files) through standard browser APIs. No additional OS-level permissions are required.

6. Third-Party Services

We use a limited set of third-party services:

Google Firebase (Authentication, Firestore) — Account verification via SMS and temporary session signaling. Firebase Privacy Policy.
Google STUN/TURN servers — NAT traversal for WebRTC connections. No file data is accessible to these servers.
RevenueCat — Subscription management and receipt validation. RevenueCat Privacy Policy.
Apple App Store / Google Play — Payment processing for Premium subscriptions. Subject to the respective platform's privacy policy.
Netlify — Hosting the web application. Netlify Privacy Policy.

We do not use any advertising networks, analytics SDKs, or tracking pixels.

7. Data Retention

Session records: Automatically deleted within 3 minutes of creation.
Account data: Retained as long as your account exists. You may request deletion at any time (see Section 10).
Subscription records: Retained by RevenueCat and the platform stores per their own policies.
Transferred files: Never stored on our servers — zero retention.

8. Data Security

We protect your data through:

End-to-end encryption for all file transfers (AES-256-GCM)
TLS 1.3 encryption for all communication with our servers
Firebase Security Rules restricting database access to authenticated users and their own data
Automatic expiration and deletion of session records
No server-side storage of file content at any time

9. International Data Transfers

Our infrastructure is hosted on Google Cloud (Firebase) and Netlify, with servers primarily located in the United States and Europe. If you access the Service from outside these regions, your account information (phone number, usage metadata) may be transferred to and processed in these locations. File content is never transmitted to our servers, so it is not subject to international transfer.

10. Your Rights & Choices

Depending on your jurisdiction (including the EU/EEA under GDPR, California under CCPA, and other applicable laws), you may have the right to:

Access the personal data we hold about you
Correct inaccurate data
Delete your account and associated data
Export your data in a portable format
Object to or restrict certain processing
Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email us at privacy@kvikdrop.com. We will respond within 30 days.

Account Deletion

You may request complete deletion of your account and all associated data by contacting privacy@kvikdrop.com. Upon verification of your identity, we will permanently delete your account data from our systems within 30 days.

11. Children's Privacy

KvikDrop is not intended for use by children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will delete that data promptly.

12. Cookies & Local Storage

The KvikDrop web application uses browser localStorage to persist your preferences (theme, trusted devices). We do not use tracking cookies, third-party cookies, or any advertising cookies. No data stored locally is transmitted to our servers except as described in this policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@kvikdrop.com
Support: support@kvikdrop.com
Website: kvikdrop.com