Your data, in plain language.

We keep what we collect small and say exactly what happens to it. We don't run analytics trackers, we don't sell your data, and we don't keep your IP address. This policy is written to satisfy the EU's GDPR.

Last updated · 16 June 2026
Governing law · Slovenia (EU)

Data controller
Demc, Damjan Malis s.p.
Drenov Grič 171D, 1360 Vrhnika, Slovenia
Reg. no. 8911215000 · VAT SI16792823
[email protected]

01 — Who we are

dropthis is a service that turns what your AI makes into a link you can share. It is operated by Demc, Damjan Malis s.p., a sole proprietorship registered in Slovenia (the European Union). We are the data controller for the personal data described here. Because we are based in the EU, your data is handled under the General Data Protection Regulation (GDPR).

Questions about your data? Email [email protected].

02 — What we collect

We keep the list short. We collect:

  • Your account — your email address and name. If you sign in with Google, we receive your Google account email and basic profile from that sign-in.
  • API keys — we store only a one-way hash of each key, never the key itself.
  • What you publish — the content of your drops (HTML, files, and the text fetched from a URL you give us) plus file metadata such as names and sizes.
  • Custom domains — if you connect your own web address, the hostname and DNS verification status.
  • Billing references — if you upgrade to Pro, a customer reference from our payment processor (Stripe). We never see or store your full card details.

A note on two things we deliberately do not keep:

  • IP addresses — we use your IP only momentarily to rate-limit requests (held in a short-lived cache that auto-expires). We do not store it with your account or anywhere persistent.
  • We do not capture your browser's User-Agent, and we run no third-party analytics or advertising trackers.

03 — Why we use it

Under GDPR we rely on these legal bases:

  • To run the service you asked for (contract) — creating your account, storing and serving your drops, managing custom domains, and handling your plan.
  • To keep the service safe (legitimate interest) — rate limiting, preventing abuse, and acting on abuse reports.
  • To meet legal obligations — for example, responding to valid legal requests or keeping records we are required to keep.

04 — Who processes it for us

We use a small set of trusted providers (sub-processors) to run dropthis. Each only handles data for the purpose listed:

  • Google Cloud — application hosting and the database.
  • Cloudflare — storage of your published content and serving it at the edge.
  • Resend — sending transactional email (such as your sign-in code).
  • Stripe — payment processing for Pro plans.
  • Google — as a sign-in provider, if you choose Google sign-in.

05 — Where it lives

Where your data lives, and transfers

Our database and application run in the United States (Google Cloud, region us-central1). Your published content is stored with Cloudflare and served from its global network so links load quickly anywhere. This means some of your data is transferred outside the EU.

Where data leaves the EU, our providers rely on the European Commission's Standard Contractual Clauses (and equivalent safeguards) to protect it. If you'd like more detail on a specific transfer, email us.

06 — How long we keep it

  • Free drops expire 7 days after they're published, plus a short grace period, and are then permanently removed.
  • Pro drops stay until you delete them.
  • When you delete a drop, we remove its stored content and stop serving it.
  • When you delete your account, we anonymize your email and remove the data tied to it.
  • Backups of our database are kept for 30 days, then rotated out.

07 — What you publish is public

A drop is meant to be shared, so anyone with the link can open it. Don't publish anything you wouldn't want others to see. You decide what goes into a drop, you can update it, and you can delete it at any time. Pro lets you password-protect a drop if you want a softer gate.

When you ask us to publish from a URL, our server fetches that page for you. That fetch is restricted so it can't be used to reach private or internal network addresses — a safeguard against misuse.

08 — Your rights

Under GDPR you can ask us to:

  • show you the data we hold about you (access);
  • correct it if it's wrong (rectification);
  • delete it (erasure);
  • get a copy you can take elsewhere (portability);
  • limit or object to certain processing.

Email [email protected] and we'll handle it. If you think we've got it wrong, you can complain to your local data protection authority — in Slovenia that's the Information Commissioner (Informacijski pooblaščenec).

09 — Security

Traffic is encrypted in transit (HTTPS). API keys and sign-in codes are stored as one-way hashes, never as plain text. We keep the data we collect to a minimum, which is itself a security measure — what we don't hold can't leak.

10 — The marketing site

This website (dropthis.app) loads fonts from Google Fonts, which means your browser contacts Google to fetch them and Google may see your IP address as part of that request. We don't set advertising cookies and we don't run analytics trackers on this site.

11 — Children

dropthis isn't intended for children. You must be at least 16 to use it (or older, where your country sets a higher age). We don't knowingly collect data from children.

12 — Changes & contact

If we change this policy, we'll update the date at the top. For anything privacy-related, reach us at [email protected]. See also our Terms of Service.