Install it now — it's free to install and use
Droplio.io
Join free
Back to home page
Legal document

Privacy Policy

Information on the processing of personal data on the Droplio.io platform in accordance with the GDPR.

Last updated: 22 March 2026

§1. Data controller

  1. The controller of personal data of users of the droplio.io platform (hereinafter: "Platform") is Windify Digital Services, with its registered office at ul. Płocka 127/16, 87-800 Włocławek, NIP: 8943145650, REGON: 384382857 (hereinafter: "Controller").
  2. Contact with the Controller regarding personal data matters: office@droplio.io
  3. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter: "GDPR"), and applicable national data protection laws, including the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781 as amended), the Act of 18 July 2002 on the Provision of Electronic Services, the Act of 16 July 2004 — Telecommunications Law (with regard to Art. 173 and 174 concerning cookies), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for users in the United Kingdom, and the ePrivacy Directive 2002/58/EC.

§2. Scope of data collected

The Controller collects and processes the following categories of personal data:

Data provided during registration and use of the Platform

  • Full name — provided during Account registration.
  • Email address — required for registration, login, identity verification, and communication.
  • Password — stored in encrypted form (bcrypt hash). The Controller does not have access to the password in plain text.

Automatically collected data

  • IP address — collected in server logs and security systems (Cloudflare Turnstile).
  • Device data — browser type, operating system, screen resolution, browser language.
  • Activity data — visited subpages, visit duration, traffic source, interactions with Platform elements (collected by Google Analytics 4 and PostHog — only with the User's consent given via the cookie banner).
  • Cookies and similar technologies — detailed information in the Cookie Policy. The rules for storing and accessing cookies are governed by Article 5(3) of the ePrivacy Directive (2002/58/EC), as implemented in Poland by Art. 173 and 174 of the Telecommunications Law of 16 July 2004.

Transaction data

  • Credit purchase history — date, amount, selected package, Stripe transaction identifier.
  • Credit balance and history — charges, deductions, bonuses.
  • The Controller does not store payment card data. It is processed solely by the payment operator Stripe, Inc. (PCI DSS Level 1 certified).

Data processed as part of AI services

  • Product data — names, descriptions, specifications, and images of products imported from AliExpress and Amazon, processed as part of AI services. This data does not contain Users' personal data and is transmitted to external APIs (OpenRouter/Gemini) solely for the purpose of delivering the service.
  • Background removal from images — processing is performed entirely in the User's browser (client-side). Images are not transmitted to the Controller's servers for processing — only the result (processed image) is saved on the server with a 6-hour retention period.

§3. Purposes and legal bases for processing

Purpose of processingLegal basis (GDPR)
Account registration and managementArt. 6(1)(b) — performance of a contract
Provision of services (description generation, image processing)Art. 6(1)(b) — performance of a contract
Payment processing and settlementArt. 6(1)(b) — performance of a contract
Email verification and security (Turnstile)Art. 6(1)(f) — legitimate interest
Traffic analysis (Google Analytics 4, PostHog)Art. 6(1)(a) — consent
Marketing and remarketing (Meta Pixel)Art. 6(1)(a) — consent
Sending emails (verification, notifications, contact)Art. 6(1)(b) — performance of a contract / Art. 6(1)(f) — legitimate interest
Handling the contact formArt. 6(1)(f) — legitimate interest
Handling complaintsArt. 6(1)(b) — performance of a contract
Fulfilling legal obligations (e.g. tax obligations)Art. 6(1)(c) — legal obligation
Establishing, pursuing, or defending against claimsArt. 6(1)(f) — legitimate interest

§4. Recipients of data

Users' personal data may be transferred to the following categories of recipients:

  1. Stripe, Inc. (USA) — payment operator. Processes transaction data and payment card data. PCI DSS Level 1 certified.
  2. Google LLC (USA) — Google Analytics 4 (traffic analysis — only with consent), Google Tag Manager (tag management).
  3. Meta Platforms, Inc. (USA) — Meta Pixel / Facebook Pixel (conversion tracking, remarketing — only with consent).
  4. Cloudflare, Inc. (USA) — Cloudflare Turnstile (anti-spam and anti-bot protection).
  5. OpenRouter / Google (Gemini API) — processing of AI queries (product description generation, image processing). Product data sent to the API does not contain Users' personal data.
  6. Resend, Inc. (USA) — email delivery service provider. Processes Users' email addresses for the purpose of delivering verification messages, notifications, and responses to contact form submissions.
  7. PostHog, Inc. (USA, EU servers) — analytics platform for collecting statistical data on Platform usage (visited subpages, interactions with interface elements, events related to Platform feature usage). For logged-in Users, data may be linked to the Account identifier, email address, and name for service usage analysis. Data collected only with the User's consent (analytics cookies). Data processed on servers in the European Union (eu.i.posthog.com).
  8. Apify Technologies s.r.o. (Czech Republic, EU) — service for fetching publicly available product data from the Amazon platform at the User's request. Processes only product URLs provided by the User — does not process Users' personal data.
  9. Hosting provider — servers on which the Platform database is stored.
  10. Public authorities — at the request of authorised authorities, pursuant to applicable law.
  11. Legal and tax advisors — to the extent necessary to establish, pursue, or defend against claims.
The Controller does not sell Users' personal data to third parties. Data is shared only to the extent necessary for the provision of services and fulfilment of the purposes described in this Policy.

§5. Transfer of data outside the EEA

  1. Some of the entities to which the Controller entrusts data processing are based outside the European Economic Area (EEA), in particular in the United States (Google LLC, Meta Platforms Inc., Stripe Inc., Cloudflare Inc., Resend Inc., PostHog Inc.).
  2. Data transfers to the USA take place on the basis of the EU-US Data Privacy Framework (European Commission Implementing Decision of 10 July 2023) or standard contractual clauses (SCCs) approved by the European Commission.
  3. The Controller uses only providers that ensure an adequate level of protection of personal data in accordance with the requirements of the GDPR.
  4. For users in the United Kingdom, data transfers are carried out on the basis of the UK Extension to the EU-US Data Privacy Framework (in force since 12 October 2023), the UK International Data Transfer Agreement (UK IDTA), or the UK Addendum to EU Standard Contractual Clauses, as applicable.
  5. In the event that the data transfer mechanism (e.g. EU-US Data Privacy Framework) is invalidated or changed, the Controller will immediately take steps to ensure that data transfers comply with applicable law.

§6. Data retention periods

Data categoryRetention period
Account data (name, email)Until Account deletion by the User or Controller
Generation history and imported productsUntil Account deletion
Transaction history (credit purchases)5 years from the end of the tax year (accounting obligation)
Background-removed image files6 hours after processing (automatic deletion)
Contact form dataUntil the submission is handled + 12 months
Analytics data (Google Analytics 4)14 months (GA4 setting)
Analytics data (PostHog)12 months
Server logs (IP addresses)Up to 90 days
Data for establishing/defending claimsUntil the claims limitation period expires (up to 6 years)
  1. After the retention period expires, data is permanently deleted or anonymised.
  2. Upon Account deletion, User data is deleted immediately, with the exception of data whose retention is required by law (e.g. transactional data retained for 5 years) or data necessary for establishing, pursuing, or defending against claims.

§7. User rights

Under the GDPR, the User has the following rights:

Right of access (Art. 15)

Obtaining information about processed data, including a copy of the data.

Right to rectification (Art. 16)

Correcting inaccurate or completing incomplete data.

Right to erasure (Art. 17)

Requesting deletion of data (“right to be forgotten”). The User may independently delete their Account in the Platform settings. This right does not apply to data whose retention is required by law.

Right to restriction (Art. 18)

Restriction of data processing in specific cases.

Right to data portability (Art. 20)

Receiving data in a structured, commonly used, machine-readable format.

Right to object (Art. 21)

Objecting to processing based on the Controller's legitimate interest. In the event of an objection, the Controller will cease processing unless it demonstrates the existence of compelling legitimate grounds that override the User's interests.

Right to withdraw consent (Art. 7(3))

Withdrawing consent at any time, without affecting the lawfulness of prior processing. This applies in particular to consent for analytics and marketing cookies.

Right to lodge a complaint

Lodging a complaint with your local data protection supervisory authority. For users in Poland, this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw (uodo.gov.pl). For users in the United Kingdom, this is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (ico.org.uk). For users in other EU/EEA countries, contact your national data protection authority.

To exercise the above rights, please contact the Controller at: office@droplio.io. The Controller will handle the request within 30 days. For complex or numerous requests, the deadline may be extended by a further 60 days, of which the Controller will inform the User.

§8. Data security

  1. The Controller applies appropriate technical and organisational measures to protect personal data, including:

    • SSL/TLS encryption — all communication with the Platform takes place over an encrypted HTTPS connection.
    • Password hashing — passwords stored in encrypted form (bcrypt). The Controller does not have access to passwords in plain text.
    • JWT tokens — sessions based on signed JSON Web Tokens.
    • Anti-bot protection — Cloudflare Turnstile on registration, login, and contact forms.
    • No payment card data stored — payment data processed solely by Stripe (PCI DSS Level 1).
    • Access control — access to data limited to authorised persons.
  2. Despite applying the above security measures, the Controller cannot guarantee complete security of data transmitted over the Internet. The User uses the Platform at their own risk and is responsible for securing their login credentials.

§9. Personal data breach

  1. In the event of a personal data breach that may result in a risk to the rights or freedoms of natural persons, the Controller will notify the President of the Personal Data Protection Office without undue delay and no later than 72 hours after becoming aware of the breach (Art. 33 GDPR).
  2. If a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons, the Controller will promptly inform the affected Users (Art. 34 GDPR), including the nature of the breach, possible consequences, and measures taken to address it.

§10. Profiling and automated decision-making

  1. The Platform does not use profiling within the meaning of Art. 22 GDPR that would produce legal effects or similarly significantly affect the User.
  2. Google Analytics 4 and Meta Pixel may create audience segments based on on-site behaviour. This is profiling for marketing purposes, for which the User gives separate consent via the cookie banner. The User may withdraw this consent at any time.

§11. Children's personal data

  1. The Platform is not intended for persons under the age of 16.
  2. The Controller does not knowingly collect personal data of children. If the Controller becomes aware that data relates to a person under the age of 16, it will immediately delete such data.

§12. Obligation to provide data

  1. Providing personal data (name, email, password) is voluntary, but necessary for Account registration and use of the Platform's services. Without providing this data, registration and use of paid features is not possible.
  2. Providing data in the contact form is voluntary, but necessary in order to receive a response to the submission.
  3. Consenting to analytics and marketing cookies is entirely voluntary and does not affect the ability to use the Platform.

§13. Additional information for California residents

  1. This section applies to users who are residents of California, United States, and supplements the information provided in this Privacy Policy with disclosures required under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
  2. The Controller does not sell or share personal information of users as defined under the CCPA/CPRA. The Controller does not use personal information for cross-context behavioural advertising.
  3. California residents have the right to: (a) know what personal information is collected, used, and disclosed; (b) request deletion of their personal information; (c) correct inaccurate personal information; (d) non-discrimination for exercising their privacy rights.
  4. To exercise these rights, California residents may contact the Controller at: office@droplio.io. The Controller will verify the identity of the requesting consumer and respond within 45 days of receiving the request.

§14. Additional information for United Kingdom residents

  1. This section applies to users who are residents of the United Kingdom. The processing of personal data of UK residents is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  2. UK residents have the same rights as described in §7 of this Privacy Policy. The supervisory authority for data protection matters in the United Kingdom is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom (ico.org.uk).
  3. Transfers of personal data from the United Kingdom to countries outside the UK are carried out on the basis of the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Agreement (UK IDTA), or the UK Addendum to EU Standard Contractual Clauses, as applicable.

§15. Changes to the Privacy Policy

  1. The Controller reserves the right to amend this Privacy Policy at any time, in particular to adapt it to changes in legislation, technological changes, or changes in the scope of data processing.
  2. The Controller will notify Users with Accounts of significant changes by email with at least 14 days' notice. Changes take effect on the date indicated in the notification.
  3. We recommend reviewing the content of this Policy regularly.
  4. Continued use of the Platform after changes are introduced constitutes acceptance of those changes. A User who does not accept the changes should cease using the Platform and delete their Account.

Windify Digital Services
ul. Płocka 127/16, 87-800 Włocławek
NIP: 8943145650 | REGON: 384382857
E-mail: office@droplio.io | Tel: 787-667-271