Privacy Policy

Last Updated: November 21, 2025

1. Introduction

Welcome to Dropper ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our file management platform and services.

Company Information:
Dropper
Website: https://dropper.dev
Email: privacy@dropper.dev

By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

  • Create an account: Name, email address, company name, password (encrypted)
  • Subscribe to our services: Billing information (processed through Chargebee)
  • Configure storage providers: Storage provider credentials (encrypted), configuration settings
  • Contact us: Name, email, message content, and any other information you choose to provide

2.2 Information Collected Automatically

When you access our services, we automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent, click patterns
  • Authentication Data: Login timestamps, session information, refresh tokens
  • Technical Data: User agent strings, referring URLs, access times

2.3 File and Storage Data

As a Bring Your Own Storage (BYOS) platform:

  • File Metadata: File names, sizes, types, upload timestamps, folder structures
  • Storage Provider Credentials: API keys, access tokens, bucket names (encrypted at rest)
  • File Content: Stored in YOUR cloud storage (AWS S3, Azure Blob, Google Cloud, etc.) - we do not store your actual file content on our servers

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies:

  • Essential Cookies: Required for authentication and service functionality
  • Analytics Cookies: Microsoft Clarity for user behavior insights
  • Session Cookies: Maintain your logged-in state

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: Provide, maintain, and improve our file management platform
  • Account Management: Create and manage your account, authenticate users, process subscriptions
  • Storage Integration: Connect to your cloud storage providers (S3, Azure, Google Cloud) using encrypted credentials
  • Payment Processing: Process payments through Chargebee (we do not store credit card information)
  • Communication: Send service updates, security alerts, support messages, and marketing communications (with consent)
  • Analytics: Understand usage patterns, improve user experience, and optimize our services
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: Comply with legal obligations and enforce our terms of service

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services (account creation, file management, storage integration)
  • Legitimate Interests: Improving our services, security, fraud prevention, analytics
  • Legal Obligation: Compliance with applicable laws and regulations
  • Consent: Marketing communications, optional analytics (you can withdraw consent at any time)

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

Essential Cookies (Required)

  • Authentication tokens (JWT)
  • Session management
  • Security features

Analytics Cookies (Optional)

  • Microsoft Clarity - User behavior analytics, session recordings, heatmaps

5.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect service functionality. To opt out of Microsoft Clarity, visit their privacy settings.

6. Data Sharing and Third-Party Processors

We share your information with trusted third-party service providers who assist us in operating our platform:

Chargebee (Payment Processing)

  • Purpose: Subscription management, billing, payment processing
  • Data Shared: Name, email, company name, billing information
  • Privacy Policy: chargebee.com/privacy

Microsoft Clarity (Analytics)

  • Purpose: User behavior analytics, session recordings, website optimization
  • Data Shared: Usage data, device information, anonymized user interactions
  • Privacy Policy: privacy.microsoft.com

Your Cloud Storage Providers (AWS, Azure, Google Cloud, etc.)

  • Purpose: Store your uploaded files
  • Data Shared: File content, metadata (stored in YOUR account, not ours)
  • Note: You control your storage provider and data location

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6.1 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

7. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active, plus 90 days after deletion
  • File Metadata: Retained while your account is active (actual files are in YOUR storage)
  • Authentication Tokens: Refresh tokens expire after 30 days; revoked tokens deleted after 90 days
  • Billing Records: Retained for 7 years for tax and accounting purposes
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely
  • Email Verification Tokens: Expire after 24 hours

You can request deletion of your data at any time by contacting us at privacy@dropper.dev.

8. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption at Rest: Storage provider credentials encrypted using AES-256
  • Encryption in Transit: All data transmitted over HTTPS/TLS
  • Password Security: Passwords hashed using bcrypt with salt rounds
  • Access Controls: Role-based access control (RBAC) with CASL authorization
  • Token Security: JWT tokens with expiration, refresh token rotation
  • Database Security: Secure database connections, parameterized queries to prevent SQL injection
  • Regular Security Audits: Ongoing monitoring and security assessments

Important: Your file content is stored in YOUR cloud storage account (BYOS model), giving you complete control over your data security and compliance requirements.

9. Your Rights and Choices

9.1 GDPR Rights (EEA Residents)

If you are in the European Economic Area, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional processing

9.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights:

  • Right to Know: Request information about personal data collected, used, and shared
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use: Limit use of sensitive personal information

9.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.

10. Children's Privacy (COPPA Compliance)

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@dropper.dev.

If we discover that we have collected personal information from a child under 13, we will delete that information promptly.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer personal data from the EEA to other countries, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally approved transfer mechanisms

BYOS Advantage: Since your file content is stored in YOUR cloud storage account, you control the geographic location of your data and can ensure compliance with local data residency requirements.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on our platform

Your continued use of our services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Dropper Privacy Team

Email: privacy@dropper.dev

General Inquiries: support@dropper.dev

Website: https://dropper.dev

We will respond to your inquiry within 5 business days.

14. Additional Information

14.1 Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at dpo@dropper.dev.

14.2 Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

14.3 California "Shine the Light" Law

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Your Privacy Matters

At Dropper, we believe in transparency and giving you control over your data. Our Bring Your Own Storage (BYOS) model means:

  • ✓ Your files stay in YOUR cloud storage account
  • ✓ You control data location and compliance requirements
  • ✓ No vendor lock-in - your data is always accessible
  • ✓ We only store metadata, not your actual file content

We're committed to protecting your privacy while providing a powerful, flexible file management platform.