LocalDrop

Privacy and self-hosting

Where your data lives

LocalDrop stores every file, note, and link on the server it runs on: a laptop, a Raspberry Pi, an office mini-PC, or an internal server. Nothing is sent to third-party cloud storage. No analytics or advertising services are contacted.

Data retention

Every room has an expiry time (24 hours by default). A cleanup job runs every ten minutes and permanently deletes expired rooms together with all of their files, notes, links, and activity records. The room owner can also end a room at any moment, which removes its content immediately. Deleted files are removed from disk and cannot be retrieved through the application.

Sessions

LocalDrop does not use accounts. Each device receives an anonymous session cookie so the application can tell devices apart, attribute shared items, and let you delete what you shared. The cookie contains a random identifier and nothing else.

Administrator controls

The person who runs the server configures limits through environment variables:

  • LOCALDROP_MAX_FILE_MB — maximum size per file (default 500 MB)
  • LOCALDROP_MAX_FILES_PER_ROOM — maximum files per room (default 100)
  • LOCALDROP_DEFAULT_EXPIRY_HOURS — default room lifetime (default 24 hours)
  • LOCALDROP_ALLOWED_EXTENSIONS / LOCALDROP_BLOCKED_EXTENSIONS — permitted file types. Executable and script files are blocked by default.
  • LOCALDROP_CLAMAV_HOST — optional ClamAV virus scanning for every upload

Network scope

Rooms are reachable only by devices that can reach this server — normally devices on the same Wi-Fi or LAN. If you need access from outside the network, the administrator must set up a VPN or a secure reverse proxy; LocalDrop does not expose anything to the public internet on its own.