This Privacy Policy describes how Dropinly ("Dropinly", "we", "us") processes personal data when you use:

• The dropinly.com website and its sub-domains
• The Dropinly Owner mobile app (`com.dropinly.owner`)
• The Dropinly Customer mobile app (`com.dropinly.customer`)
• Any custom-domain booking pages a shop owner connects to Dropinly
• APIs and webhooks documented at https://dropinly.com/api/openapi.json

Dropinly is operated from Sweden. For data we collect from shop owners (account holders), Dropinly is the data controller. For data that flows through Dropinly from end-customers booking with a shop (customer name, email, phone, booking history at that shop), the shop owner is the controller and Dropinly is the processor acting on the shop's instructions.

2.1 From shop owners (you signed up)

• Email address, magic-link sign-in tokens, OAuth identifiers (Google sub, Microsoft oid, Apple sub)
• Shop information: name, slug, industry, time zone, currency, business address (if entered), staff, services, intake forms
• Billing data via Stripe Connect (Stripe handles card details directly; we receive only the Stripe customer ID + subscription state)
• Mobile device identifiers when you register a push token (platform, OS version, model, locale, time zone)

2.2 From end-customers (booked with a shop)

• Name (optional), email, phone (optional)
• Booking details: chosen service, staff, slot, intake-form answers, consent flags (email/SMS)
• Booking history at that shop and any other shops you've used Dropinly with
• Preferences if you create a Dropinly customer account: locale, time zone, display name, pronouns

2.3 Automatic

• IP address, user-agent, referrer (via Cloudflare and Vercel logs, 30-day retention)
• Crash & error data (Sentry, anonymized stack traces only, 90-day retention)
• Product analytics events such as page views, booking funnel steps (PostHog, EU-hosted, 365-day retention)
• Cookies — see §5 and the Cookie Policy

2.4 From third parties

If you sign in with Google, Microsoft, or Apple, we receive the basic profile data those providers return (email, name, profile picture URL). If you connect Stripe Connect we receive your Stripe-connected-account identifier and onboarding state from Stripe; financial details remain in Stripe.

We never sell personal data. We share data with the following sub-processors strictly for the purposes described above. Each is bound by Article 28 GDPR contractual terms.

• Supabase (Switzerland HQ, AWS eu-west-1 data) — database, auth, file storage
• Vercel (US, with EU edge) — hosting, request routing, edge functions
• Cloudflare (US) — DNS, CDN, security, bot mitigation
• Stripe (Stripe Payments Europe Ltd, Ireland) — payment processing for shop subscriptions + customer deposits
• Resend (US, EU data residency configured) — transactional email delivery
• Twilio (US) — SMS delivery (Pro+ shops only)
• Google Firebase / FCM (US) — Android push notifications
• Apple APNs (US) — iOS push notifications
• Sentry (US) — error monitoring, anonymized stack traces only
• PostHog (EU-hosted, posthog.com) — product analytics
• Google OAuth, Microsoft Azure, Apple Sign In — only the basic profile fields when you choose those sign-in methods

A full machine-readable sub-processor list is at /legal/subprocessors.

We may also disclose data when required by law, to comply with a court order or government request, to enforce our terms, or to protect the rights, property, or safety of Dropinly, our users, or others.

We use a small set of essential cookies (sign-in session, locale preference, CSRF state) and one optional analytics cookie (PostHog). Details and your controls are in the Cookie Policy.

Some of our sub-processors are based in the United States. Data is transferred under the EU-U.S. Data Privacy Framework where the sub-processor self-certifies, or under European Commission Standard Contractual Clauses with appropriate supplementary measures. UK transfers use the UK International Data Transfer Addendum.

You have the following rights, no matter where you live:

• Access — request a copy of the data we hold about you
• Rectification — fix incorrect data via your preferences page or by emailing us
• Deletion — see the Account Deletion page for the in-app path and the public web form
• Portability — request export of your booking history in CSV format
• Restriction & objection — pause specific processing, opt out of marketing
• Withdraw consent — for SMS, push, marketing — via your preferences page
• Complain to a supervisory authority — for EEA/UK users, the Swedish IMY or your local DPA

For California / CPRA residents, see §11 Regional addenda which includes Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Share, and Right to Limit Use of Sensitive Personal Information.

We protect your data with industry-standard controls: TLS 1.2+ in transit, encryption at rest via Supabase/AWS, RLS-isolated multi-tenant database, HMAC-signed webhooks and tokens, ETag-gated mutations, and Cloudflare WAF + DDoS protection at the edge. We monitor production via Sentry and PostHog and run end-to-end soak tests on every deploy. No system is perfectly secure; if you discover a vulnerability, please report at /security.

Dropinly is not directed to children under 16 (or under 13 in the United States). If you become aware that a child has provided us with personal data, please contact [email protected] and we will delete it.

Country-specific rights and notices live at /legal/regions:

• EEA + UK — GDPR / UK GDPR
• California — CCPA / CPRA, "Do Not Sell or Share" right
• Virginia, Colorado, Connecticut, Utah, Texas — US state privacy laws
• Brazil — LGPD
• Canada — PIPEDA / Quebec Law 25
• Australia — Privacy Act
• India — DPDP Act

We update this policy when our practices change. Material changes are notified by email to owners and in-app to customers at least 30 days before they take effect.