Privacy Policy

1.1. Information you provide directly

• Account information. If you create an account, we store your email address. Authentication uses a one-time code sent to your email; we do not store passwords.
• Billing information. If you subscribe to Dropvert Pro or buy a credit pack, payment is processed by our payment provider (Polar). We never see or store your full payment card details. We receive a record of the transaction and your subscription tier.
• Files for paid server-side processing. Some conversions (for example, certain PDF, DOCX, EPUB, and other document or ebook formats) require server-side processing. When you use these features, the file is uploaded to our processing infrastructure, converted, and the output is returned to you. Source files are retained only as long as needed to complete the job.
• Files you choose to share. If you create a share link, the file is encrypted in transit and stored in object storage with a time-to-live that expires the link automatically (24 hours on Free, 8 days on Pro). After expiry the file is deleted.
• AI generator inputs. Prompts and parameters you submit to the AI Logo, Icon, Illustration, or Logo Animator tools are sent to our AI providers (currently Recraft and Anthropic) to generate the requested asset. Generated outputs are stored in your account.
• Figma OAuth tokens. If you connect a Figma account to use the Figma Animator, we store an OAuth refresh token so we can fetch your designated files on your behalf. You can revoke this access at any time from your dashboard or from Figma's account settings.
• Saved presets and settings. Tool presets you save are stored against your account so they persist across sessions.

1.2. Information collected automatically

• Analytics. With your consent (granted via the cookie banner), we use Google Analytics 4 to understand which tools and pages are used and how the Service performs. GA4 runs in Google's Consent Mode v2 — analytics storage is denied by default until you opt in.
• Server logs. Our hosting providers (Cloudflare and Supabase) generate standard request logs (IP address, user agent, timestamp, requested path) for security and operations. These are retained for limited periods per the providers' policies.
• Cookies and similar technologies. See "Cookies" below.

• To provide and improve the Service, including running the conversion tools you request.
• To authenticate you, manage subscriptions, and apply credit balances.
• To detect, prevent, and respond to fraud, abuse, and security incidents.
• To communicate with you about service updates, billing, and support requests.
• To comply with legal obligations.

We do not sell personal information, and we do not use the contents of files you process for our own purposes (such as training models).

Dropvert uses a small number of cookies and local storage entries:

• Strictly necessary. A consent record cookie (dv_consent) and the session cookie issued by our authentication provider when you sign in. These are required for the Service to function and do not require consent.
• Analytics (optional). Google Analytics cookies are set only after you grant consent via the cookie banner. You can withdraw consent at any time by clearing site data and re-loading the page; we will then re-prompt.
• Advertising. Dropvert uses Google AdSense to serve ads on free-tier pages. Google and its partner networks may use cookies and similar identifiers to serve, measure, and personalize ads based on your prior visits to this and other sites. For visitors from the European Economic Area, the United Kingdom, and Switzerland, the AdSense script automatically presents a Google-managed consent message (under the IAB Transparency & Consent Framework v2.2) before personalized advertising is enabled — no ads are personalized, and no advertising cookies are read or written, until consent is granted. You can opt out of personalized advertising at any time via Google Ads Settings or aboutads.info, and re-trigger the consent message at any time by clearing site data and reloading the page. Pro-tier subscribers see no ads. For a complete list of cookies set by Dropvert and Google, see our Cookies Policy.

We rely on the following processors to deliver the Service. Each handles your data under their own privacy terms:

• Cloudflare — hosting, content delivery, and object storage (R2).
• Supabase — database, authentication, and edge function execution.
• Polar — subscription billing and payment processing.
• Google Analytics 4 — usage analytics (consent-gated).
• Google AdSense — advertising on free-tier pages, consent-gated in the EEA / UK / CH.
• Recraft AI — image generation for AI Logo, Icon, and Illustration tools.
• Anthropic — model inference for AI animation generation.
• Figma — only when you explicitly authorize the Figma Animator integration.

Our service providers may process data in the United States, the European Union, or other regions. Where applicable, we rely on standard contractual clauses or equivalent legal mechanisms required for cross-border transfers.

• Account data: for as long as your account is active. You can delete your account at any time.
• Files for server-side processing: retained only for the duration of the job, then deleted.
• Share-link files: deleted automatically when the link expires.
• Server logs and analytics: retained for limited periods per provider policies.

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to withdraw consent at any time.

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (and equivalent UK/Swiss law) gives you the right to:

• Access the personal data we hold about you (Article 15).
• Rectification of inaccurate or incomplete data (Article 16).
• Erasure ("right to be forgotten") — request that we delete your data (Article 17).
• Restrict processing of your data in certain circumstances (Article 18).
• Portability — receive your data in a structured, commonly used, machine-readable format (Article 20).
• Object to processing based on legitimate interests, including profiling for advertising (Article 21).
• Withdraw consent for any processing that relies on consent, at any time, without affecting prior lawful processing.
• Lodge a complaint with your national supervisory authority if you believe your data is being mishandled.

To exercise any of these rights, email hello@dropvert.com with the subject line "GDPR request". We respond within 30 days as required by Article 12 of the GDPR.

California residents have specific rights under the CCPA/CPRA, including the right to know, delete, and opt out of the "sale" or "sharing" of personal information. We do not sell personal information.

We use HTTPS for all traffic, encrypt sensitive data at rest where supported by our providers, and follow least-privilege access controls. No method of transmission or storage is completely secure; we cannot guarantee absolute security but we work to protect your information against unauthorized access, alteration, disclosure, or destruction.

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be communicated through the Service or by email where appropriate.

Questions, requests, or concerns about this Privacy Policy can be sent to hello@dropvert.com.