Privacy Policy
Last updated: May 20, 2026
This Privacy Policy describes how DropLaunch OS ("we") collects, uses and protects your personal data, in compliance with the EU General Data Protection Regulation 2016/679 (GDPR).
Data controller contact: support@droplaunch.me. You can also reach us through the contact form.
1. Data we collect
Account data
- Email address (required for sign-up and authentication)
- Optional: full name, avatar URL (provided by you or your OAuth provider)
- Hashed password (we never store passwords in plain text — Supabase Auth handles this)
- Account creation timestamp, last login timestamp
- Plan, credit balance, transaction history
Generation data
- Product URLs you submit and the scraped content (titles, descriptions, images)
- Inputs you type into generators (audience hints, brand context, etc.)
- AI-generated outputs (brand names, copy, images, reviews, etc.) — stored in your account
- Logs of every AI call: prompt type, model used, token counts, cost, duration, status
Billing data
- For paid plans: Stripe customer ID, subscription ID, payment status
- Payment card data is processed and stored by Stripe — we never see or store full card numbers
- Invoices and payment history
Support data
- Messages and attachments you send via the contact form or the in-app help centre
- For unauthenticated contact form submissions: the name and email you provided
Technical data
- IP address (logged for security and rate-limit purposes)
- Browser and device user agent
- Session cookies (necessary for keeping you logged in)
2. Why we process your data — legal basis
- Performance of contract (GDPR Art. 6(1)(b)): account creation, AI generations, billing, customer support.
- Legal obligation (GDPR Art. 6(1)(c)): tax invoicing, anti-fraud, accounting record retention.
- Legitimate interest (GDPR Art. 6(1)(f)): security logging, abuse prevention, product analytics, replying to messages sent via the public contact form.
- Consent (GDPR Art. 6(1)(a)): marketing communications, when applicable (opt-in only).
3. Third-party processors (sub-processors)
We share data with the following sub-processors, each bound by a data processing agreement under GDPR Art. 28. See our public Data Processing Agreement for the full processor terms we offer to business customers.
- Supabase Inc. (EU region) — database, authentication, file storage
- Vercel Inc. — application hosting and CDN (EU region)
- OpenRouter — routing layer to AI providers (OpenAI, Google, Anthropic). Generation inputs and outputs transit through OpenRouter.
- Stripe Payments Europe, Ltd. — payment processing (Ireland)
- OpenAI, Google — AI model providers receiving generation prompts
Generation prompts may include data extracted from product URLs you submit. By default we do not use your data to train models, and we configure our AI providers to disable training on our API traffic where the option is available. We do not sell personal data to third parties.
4. Data transfers outside the EU
Some AI providers (OpenAI, Google) process data on US infrastructure. Transfers occur under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs), in compliance with GDPR Art. 46.
5. How long we keep your data
- Account data: until you delete your account.
- Generation outputs: until you delete them or delete your account.
- AI call logs: 12 months for operational purposes, then anonymised.
- Support tickets and contact-form messages: 24 months from last activity, then deleted.
- Billing records: retained for the period required by the applicable tax law of our place of business.
On account deletion, personal data is purged within 30 days, except records we must retain by law.
6. Your GDPR rights
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Request deletion / "right to be forgotten" (Art. 17)
- Restrict or object to processing (Art. 18 & 21)
- Receive your data in a portable format (Art. 20)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your local EU data protection authority
Most of these can be exercised directly from your account settings. For anything else, email support@droplaunch.me — we reply within 30 days as required by GDPR Art. 12(3).
7. Cookies
We use only strictly necessary cookies (session, locale preference, CSRF). We do not run third-party tracking, advertising or analytics cookies. No consent banner is required for strictly necessary cookies under EU ePrivacy Directive 2002/58/EC.
8. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted. Access to production systems requires MFA. We notify affected users and the competent supervisory authority within 72 hours of any data breach that creates a risk to user rights (GDPR Art. 33–34).
9. Children
The Service is not directed to children under 18 and we do not knowingly collect data from anyone under that age. If we learn we have, we delete the account.
10. Changes to this policy
We may update this Privacy Policy. Material changes are notified by email at least 14 days before they take effect.
