Privacy Policy

1. Information We Collect

We collect information you provide directly to us, including:

• Account information (name, email address)
• Payment information (processed securely through Stripe)
• Order details and fulfillment information
• Usage data and interactions with our service

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send you technical notices, updates, and support messages
• Respond to your comments and questions
• Send promotional communications (with your consent)

3. Information Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties except:

• To trusted third parties who assist us in operating our website (e.g., Stripe (payment processing), Railway (hosting and database), Vercel (hosting), Supabase (database), Shopify (order data sync))
• When required by law or to protect our rights
• With your consent

4. Shopify Order Data

When merchants install the DropWinners Shopify app on their store, we receive copies of new orders via Shopify's order webhooks. This includes the customer's name, email address, and shipping address. We use this data exclusively to:

• Display the order in the merchant's DropWinners dashboard
• Generate fulfillment requests
• Push tracking information back to Shopify when the order ships

We do not use Shopify customer data for marketing, advertising, analytics, profiling, or any purpose other than fulfilling the order.

Storage and security:

• Encrypted in transit (HTTPS) and at rest in our Postgres databases
• Stored only as long as needed to fulfill the order, and deleted no later than 60 days after the order is fulfilled or the merchant uninstalls the app
• Access restricted to authenticated DropWinners administrators
• Never sold, never shared with marketers, never used to train models

When a merchant uninstalls our Shopify app, we delete their stored Shopify access token immediately and purge associated customer data within 60 days. Merchants and end customers can request immediate deletion by emailing support@dropwinners.com.

Sub-processors that may store Shopify customer data on our behalf: Railway (database hosting and backups), Vercel (web hosting), Supabase (database), Shopify (order data sync).

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information. All data, including Shopify order data, is encrypted in transit using HTTPS and at rest using AES-256 encryption. However, no method of transmission over the Internet is 100% secure.

6. Cookies

We use cookies and similar tracking technologies to track activity on our service and hold certain information. You can instruct your browser to refuse all cookies or indicate when a cookie is being sent.

7. Third-Party Services

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites.

8. Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Opt-out of marketing communications

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at support@dropwinners.com.