If Dropbox is acquired, merges with another company, or sells its assets, your personal data may be transferred to the new owner, with Dropbox committing to notify you by email or website notice.
This analysis describes what Dropbox's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
A corporate transaction could result in your data moving to a company with different privacy practices, values, or business models, and the notification commitment, while present, does not give you a right to prevent the transfer.
In the event of a merger or acquisition, your Dropbox data including stored files and account information may transfer to a new company, and while Dropbox commits to notify you, the policy does not grant you the right to block the transfer or delete your data before it occurs. Proactively deleting data you no longer need in Dropbox reduces the volume of information subject to any future transfer.
How other platforms handle this
In connection with any reorganization, restructuring, merger or sale, or other transfer of assets, we will transfer information, including personal information, provided that the receiving party agrees to respect your personal information in a manner that is consistent with our Privacy Policy.
If Canva is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website prior to your information becoming subject to a different privacy policy.
We may access, preserve, and share information with regulators, law enforcement, or others if we believe it is reasonably necessary to: detect, prevent, and address fraud and other illegal activity; protect ourselves, you, and others, including as part of investigations; and prevent death or imminen...
Monitoring
Dropbox has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.— Excerpt from Dropbox's Dropbox Privacy Policy
1) REGULATORY LANDSCAPE: Business transfers involving personal data engage GDPR Article 6 (lawful basis for processing), as a transfer to a new controller in connection with an acquisition requires an independent lawful basis and may require notification to data subjects and data protection authorities under Article 13/14. CCPA/CPRA requires that consumers be notified of material changes to data practices resulting from business transfers. The FTC has taken enforcement action against companies that used personal data inconsistently with representations made at the time of collection following acquisitions. 2) GOVERNANCE EXPOSURE: Low to Medium. The notification commitment is a positive disclosure, but the policy does not specify a notice timeline before the transfer occurs, nor does it commit to providing deletion rights before transfer. For enterprise customers, the transfer of a DPA relationship to a new entity may require renegotiation of data processing terms. 3) JURISDICTION FLAGS: EEA users may have stronger rights under GDPR to receive specific information about a new controller and to object to processing by that new entity. US users outside California have limited formal rights in this scenario. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers whose DPAs are with Dropbox, Inc. should assess whether those agreements would automatically transfer to an acquirer or require renegotiation, and whether change-of-control provisions trigger any notification or termination rights in their commercial agreements. 5) COMPLIANCE CONSIDERATIONS: Organizations relying on Dropbox for data processing should include change-of-control review triggers in their vendor management programs, and should assess whether a Dropbox acquisition by a competitor or a company with different security certifications would require reassessment of their own compliance posture.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
A corporate transaction could result in your data moving to a company with different privacy practices, values, or business models, and the notification commitment, while present, does not give you a right to prevent the transfer.
In the event of a merger or acquisition, your Dropbox data including stored files and account information may transfer to a new company, and while Dropbox commits to notify you, the policy does not grant you the right to block the transfer or delete your data before it occurs. Proactively deleting data you no longer need in Dropbox reduces the …
ConductAtlas has identified this type of provision across 6 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Dropbox.