Dropless is operated by [LEGAL NAME / sole proprietor], based in the Republic of Korea (contact: ssin6505@gmail.com).
user.created webhook carrying an end user's email). We process payload contents solely to deliver, retry, sign, store, and display webhooks to you, and to operate the Service. We do not use payload contents for any independent purpose, to train models, or for advertising. You are responsible for having a lawful basis and for providing any required notice to your end users. We recommend you avoid sending unnecessary sensitive personal data in payloads.
We use data to provide the Service and dashboard, meter usage for billing, and secure and improve the Service. We do not sell your personal information. Under the GDPR / UK GDPR our legal bases are: (a) performance of our contract (Art. 6(1)(b)); (b) legitimate interests (Art. 6(1)(f)) — securing the platform, preventing abuse, improving the Service; and (c) legal obligation (Art. 6(1)(c)) — keeping billing/tax records. Where we rely on consent, you may withdraw it at any time.
We use a small number of strictly necessary, first-party cookies only. We do not use advertising, analytics, or cross-site tracking cookies.
dropless_session — keeps you signed in; HttpOnly, SameSite=Lax, Secure on HTTPS, expires after 30 days or on sign-out.
dropless_oauth_state — a short-lived (10-minute) security cookie protecting the Google sign-in flow against CSRF.
Because these cookies are essential, they do not require consent. You can clear them via your browser, but the dashboard will not function without the session cookie.
We will aim to give at least 30 days' notice before adding or replacing a subprocessor that processes personal data.
Dropless is operated from the Republic of Korea, but your data is stored and processed in the United States by our subprocessors. For each overseas transfer: the recipients are the subprocessors in Section 5; the country is the United States; the items include account data (email, name, avatar), event/operational data, billing identifiers, and email address for transactional mail; the purpose is to provide the Service; and retention is per Section 7. If you are in the EEA, UK, or Switzerland, we rely on the EU-US / UK-US Data Privacy Framework where a subprocessor is certified, and otherwise on the European Commission's Standard Contractual Clauses with the UK IDTA. Request a copy via ssin6505@gmail.com.
When the retention period ends or the purpose is achieved, we destroy the personal data without delay. Electronic files are deleted irrecoverably; any printed materials are shredded or incinerated. Where law requires continued storage, the data is moved to a separate store and used only for that legal purpose.
You may request access, correction, deletion, restriction, objection, portability/export, or withdrawal of consent by emailing ssin6505@gmail.com from the address on your account. We may verify your identity first.
Exports are provided in a machine-readable format (e.g., JSON/CSV). If your request concerns personal data contained in another customer's webhook payloads, please contact that customer (the controller); we will assist them as their processor. You may also complain to a supervisory authority: in Korea, the 개인정보보호위원회 (privacy.go.kr / 182) or KISA (118); in the EU, your local DPA; in the UK, the ICO.
In the past 12 months we have collected identifiers (email, name, avatar), commercial information (usage and billing), and internet activity (delivery logs), for the business purposes described above. We do not sell or share your personal information for cross-context behavioral advertising, and we honor Global Privacy Control signals. You have the right to know, delete, correct, and opt out, and you will not be discriminated against for exercising these rights. Submit requests to ssin6505@gmail.com.
If we become aware of a security breach affecting your personal data, we will notify affected customers without undue delay by email and, where required, notify the relevant authorities (in Korea, the 개인정보보호위원회; under GDPR, the supervisory authority within 72 hours where required). Where we act as your processor, we will notify you (the controller) without undue delay.
Dropless is a developer tool intended for businesses and is not directed to children. You must be at least 14 years old (or the age of digital consent in your jurisdiction) to create an account. We do not knowingly collect personal data from children. If you believe we have collected such data, contact ssin6505@gmail.com and we will delete it.
We apply reasonable technical and organizational safeguards: API keys and session tokens are stored only as hashes; outbound webhooks are HMAC-signed so you can verify authenticity; all transport uses HTTPS/TLS; and our managed PostgreSQL is encrypted at rest by our hosting provider. To support retries and dashboard inspection, event payloads are stored in readable form for the retention period above — please avoid placing unnecessary sensitive data in payloads. No system is perfectly secure, but we work to protect your data.
Privacy Officer: [NAME], ssin6505@gmail.com. You may contact the Privacy Officer for any questions, requests, or complaints regarding your personal data.
We may update this policy from time to time. For material changes we will provide notice by email or an in-product/website notice. The "last updated" date above reflects the latest version.