Privacy Policy

Last Updated: March 10, 2026

1. Overview

Moondrop is a private, invitation-only image and video hosting platform operated by Scryptica. This Privacy Policy describes what personal data we collect, why we collect it, how it is stored and protected, and the rights you have over your data.

By registering and using Moondrop, you agree to the practices described in this policy. If you have any questions or concerns, you can reach us at info@moondrop.cc.

2. Data We Collect

We collect and store the following categories of personal data:

Account Information

  • Username: chosen by you at registration. Used to identify your public profile and your uploaded files.
  • Email address: collected at registration and verified via a one-time code. Used for account recovery, email change verification, and optional security notifications.
  • Password: your password is never stored in plain text. It is hashed before being saved. We cannot read or recover your original password.
  • Profile description: an optional short bio visible on your public profile.
  • Profile picture: an optional avatar image you upload, stored securely on our servers.
  • Registration date: the date and time your account was created.

Uploaded Files

  • File content: images and videos you upload (up to 50 MB each), stored securely in European servers.
  • File metadata: original filename, file type, file size, upload date, and a short share ID. Associated with your account.
  • Video thumbnails: optional preview images for video files.

Session & Device Data

Every time you log in, a new session is created. For each session we record:

  • IP address: collected at login time. Used for security monitoring and new-device notifications.
  • Device information: device type (desktop/mobile), operating system, and browser name, derived from your browser.
  • Authentication token: hashed before storage. The original token is never saved.
  • Last seen timestamp: updated on each request so you can see recent activity per session.

You can review all active sessions and revoke any of them at any time from your account settings.

Email Verification Codes

When you verify your email address or request an email change, a temporary verification code is generated and sent to you. It expires shortly after being issued and is deleted once used or expired.

Invite Codes

Because Moondrop is invitation-only, your account is linked to the invite code used during registration. Invite codes do not contain personal information.

3. Why We Collect This Data

Each piece of data serves a specific, necessary purpose:

  • Username & email: required to create your account, allow you to log in, and enable account recovery.
  • Password: required to authenticate you securely without ever knowing your actual password.
  • Uploaded files & metadata: required to store, serve, and manage your uploads on the platform.
  • IP address & device info: used to detect logins from new or unrecognized devices and optionally alert you via email. Also used for abuse prevention.
  • Session data: required to keep you logged in and to let you manage which devices have access to your account.
  • Verification codes: required to confirm ownership of your email address before sensitive account changes take effect.

We do not collect data for advertising, analytics profiling, or selling to third parties. We collect only what is necessary to operate the service.

4. How We Store & Protect Your Data

Your data is stored across secure, managed infrastructure located in Europe. Protection measures in place include:

  • Passwords are hashed before storage and are irreversible.
  • Authentication tokens are hashed before storage:the original token is never saved.
  • All communication is served over HTTPS with DDoS protection.
  • Credentials and keys are stored as server-side secrets and never exposed to clients.
  • Files are served through our API. Direct storage URLs are never exposed to users.

5. Third-Party Services

To provide our service, we rely on the following third-party providers. Each receives only the data necessary to perform their function:

  • Cloudflare: handles traffic routing, DDoS protection, and hosts our API. Processes IP addresses and request headers.
  • Backblaze: stores your uploaded files and avatars in an EU data center.
  • Vercel: hosts the Moondrop web frontend. Does not process your personal data beyond standard access logs.
  • Email provider: sends transactional emails such as verification codes and new-device login alerts. Receives your email address only. Does not receive your password or file content.

We do not use advertising networks, tracking pixels, or third-party analytics scripts on any Moondrop page.

6. Data Retention

  • Account data is retained for as long as your account exists. Deleting your account permanently removes all associated data from our database.
  • Uploaded files are retained until you delete them or delete your account. When a file is deleted, it is permanently removed from all our systems.
  • Sessions persist until you revoke them or change your password (which invalidates all existing sessions).
  • Verification codes expire shortly after being issued and are deleted upon use or expiry.
  • Invite codes are retained indefinitely as part of platform records. They contain no personal information beyond a reference to which account used them.

7. Your Rights & Controls

You have the following rights over your personal data:

  • Access: you can view all data associated with your account from the dashboard, including your profile, uploaded files, and active sessions.
  • Correction: you can update your username, email address, description, profile picture, and password at any time from your account settings.
  • Deletion of files: you can delete individual files at any time from your uploads list. Deleted files are permanently removed from storage.
  • Session revocation: you can view and revoke any active session (i.e. logged-in device) from the Sessions section of your settings.
  • Account deletion: you can permanently delete your account from the settings page or by contacting us at info@moondrop.cc. Account deletion removes your profile, all uploaded files, all sessions, and all associated metadata from our systems.
  • Login notifications: you can opt in or out of email alerts for new device logins from your account settings at any time.

To exercise any right not directly available in the UI, contact us at info@moondrop.cc. We will respond within a reasonable timeframe.

8. File Visibility

Uploaded files are accessible to anyone who has the short link (e.g. moondrop.cc/f/abc123). Files are not listed publicly or indexed by search engines by default, but they are not password-protected. You are responsible for only sharing links with people you trust.

Your public profile page (e.g. moondrop.cc/u/username) displays your username and profile description. It does not display your email address, IP address, or session data.

9. Children's Privacy

Moondrop is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, please contact us at info@moondrop.cc and we will remove it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Continued use of Moondrop after changes are posted constitutes your acceptance of the updated policy. For significant changes, we will make reasonable efforts to notify users via email.

11. Contact

For any privacy-related questions, data requests, or concerns, please contact us at info@moondrop.cc.

Coming soon