Privacy Policy
Last updated: May 18, 2026
This page explains what data DropFix collects, what we do with it, and how you control it. In plain English. If anything is unclear, email privacy@dropfix.in.
1. Who this applies to
This policy covers two groups of people whose data we touch:
- Founders — the people who sign up for DropFix and use the dashboard.
- Founder's end users — the people who use products that have the DropFix SDK installed. We process their data on the founder's behalf, never on our own behalf.
2. What we collect from founders
2.1 Account information
- Name, email, and the name of your product or company
- Payment information (handled directly by Stripe — we never see card numbers)
- Content you create inside DropFix: drafts, user notes, settings
- Support emails and replies you send us
2.2 Automatically collected
- Browser type, device, and operating system
- IP address and approximate location
- Page views and clicks inside the DropFix dashboard
- Log data needed for debugging and security
3. What we collect about your end users
When you install the DropFix SDK in your product, we receive behavioral data about people who use that product:
- User identifiers you assign via DropFix.identify()
- Page views, clicks, form submissions, API calls your app makes
- Event timestamps and session duration
- Optional traits you choose to pass (e.g. name, email, plan, MRR, trial end date)
We don't use this data for our own marketing, analytics, or AI training. We act strictly as a data processor — your end users' data is processed on your behalf, for your retention work, and nothing else. You're responsible for telling your end users that you use DropFix and getting any consents your jurisdiction requires.
4. How we use the data
To provide the service and only the service, we use it to:
- Run your DropFix account and send service-related emails
- Process subscriptions and billing
- Detect churn signals and score user health for you
- Generate AI win-back drafts (see Section 5 for AI privacy)
- Deliver daily digests, weekly summaries, and Slack alerts you've enabled
- Diagnose bugs, prevent abuse, and improve the product
- Comply with legal obligations
We don't sell your data. We don't share it with advertisers. We don't use it to train external AI models.
5. AI privacy commitment
When DropFix drafts a win-back email, only anonymised behavioural signals are sent to our AI provider — not raw personal data. Names, emails, and phone numbers stay inside our system. The AI sees patterns like “hasn't logged in for 12 days, dropped feature X last week”, not jane@example.com.
Anything you choose to type into DropFix (e.g. when editing a draft) stays in your workspace — we don't feed your customers' identifying details into AI providers' training pipelines.
6. How long we keep data
- Account data: kept while your account is active. Deleted on request, or 90 days after you cancel.
- Behavioural events: retained for up to 12 months, then automatically deleted or anonymised.
- Billing records: retained as required by tax and accounting law (typically 7 years).
- Backups: rotated every 30 days. Deleted data falls out of backups within that window.
7. How we protect data
- All data encrypted in transit (TLS 1.2+) and at rest
- Gmail / Slack OAuth tokens and Stripe Restricted API Keys encrypted with AES-256-GCM before storage
- Role-based access controls — only team members who need access have it
- Two-factor authentication on every internal account
- Regular dependency and vulnerability audits
See the Security page for more.
8. Cookies
We use a small number of cookies for essential things only: keeping you signed in, remembering preferences, and basic anonymous analytics. We don't set advertising cookies. You can disable non-essential cookies in your browser settings — DropFix still works, but you'll be signed out more often.
9. Google Gmail integration (Limited Use disclosure)
DropFix's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
9.1 Scopes we request
When you connect Gmail from Settings → Integrations, DropFix requests these Google OAuth scopes:
- openid, userinfo.email, userinfo.profile — to identify your Google account and show your name in DropFix
- gmail.send — to send re-engagement emails from your inbox after you approve each one
We do not request gmail.readonly, gmail.modify, gmail.compose, gmail.labels, contacts, calendar, or drive scopes. DropFix cannot read, modify, or delete any email in your Gmail account.
9.2 How we use Gmail data
The gmail.send permission is used solely to send win-back emails that you have reviewed and explicitly approved inside DropFix. Each email originates from your Gmail address so the recipient sees a personal sender, not a generic noreply address.
9.3 Limited Use compliance
- Data from Google APIs is used only for the features you see in the DropFix UI
- Never transferred to advertisers, retargeting platforms, or for ad personalisation
- Never read by a human (including DropFix staff) except with your explicit consent, for security investigations, or to comply with law
- Never used to train AI models
9.4 Revoking access
Disconnect any time from Settings → Integrations → Disconnect Gmail (DropFix deletes the stored tokens immediately). You can also revoke directly with Google at myaccount.google.com/permissions.
10. Your rights
Depending on where you live, you may have the right to:
- Access the data we hold about you
- Correct anything inaccurate
- Delete your data
- Export your data in a portable format
- Opt out of marketing communications
- Object to specific processing
These rights are protected under GDPR (EU), CCPA (California), and the DPDP Act (India), among others. To exercise any of them, email privacy@dropfix.in from your registered email. We'll respond within 30 days.
11. International data transfers
Your data may be transferred to and processed in countries other than where you live. When that happens, we use appropriate safeguards (Standard Contractual Clauses or equivalent) as required by GDPR and similar laws.
12. Children
DropFix is not intended for anyone under 18. We don't knowingly collect data from children. If you believe a child has provided us with personal information, email privacy@dropfix.in and we'll delete it.
13. Changes to this policy
We'll update this page if we materially change how we handle data. The “Last updated” date at the top tells you when. For significant changes we'll also email you.
Questions?
Email privacy@dropfix.in — we read everything that comes in and reply within a few days.