Privacy Policy

Fluid Software Labs UG (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in connection with our website and the Drop in Chrome extension (collectively, the “Service”). It also describes your rights and choices regarding your personal data. We treat personal data confidentially and in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

1. Responsible Entity (Data Controller)

The responsible party for data processing on this website is:

Fluid Software Labs UG
Lohengrinstrasse 20
81925 München
Germany

If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at the above address or via email at contact@usedropin.com.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data collected through:

  • Our website (including any subdomains and related online services)
  • Our Drop in browser extension for Chrome (the “Extension”)

It covers data you provide to us, data we collect automatically, and data generated through your use of the Service. It also covers how we use and share that data. Please note that our website may contain links to third-party sites or services that are not owned or controlled by us; this Policy does not apply to those third-party sites. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies separately.

By using our website or installing/using the Extension, you agree to the collection and use of your information in accordance with this Privacy Policy.

3. Data We Collect

We only collect the data that is necessary to provide and improve our Service, to communicate with you, and to fulfill the purposes described in this Policy. The types of data we may collect include:

  • Account and Contact Information: When you create an account or sign up to use Drop in, we collect information such as your name, email address, and password. If you contact us (for example, via email or a contact form), we will collect the information you provide in that communication (such as your email address and any other contact details or content of your message).
  • Authentication Data: We store authentication tokens and credentials needed to keep you logged in and to secure your account. For example, when you sign in via the Extension or website, we may generate and store session tokens or API tokens in order to authenticate your requests. This allows you to remain logged in across sessions. These tokens are stored securely (for instance, in Chrome extension storage on your device and/or our servers) and are used solely for managing your authenticated access to the Service.
  • User Preferences and Settings: We record settings and preferences you configure in the Extension or on the website. This can include interface preferences, feature toggles (e.g. whether you have enabled “Allow user scripts” in Chrome settings for our Extension), notification preferences, and any other customization you save. Storing these preferences allows us to personalize your experience and remember your choices across browser sessions or devices.
  • User-Generated Content – “Drop ins” (Custom Scripts): A core feature of our Service is allowing you to create and manage custom scripts (“Drop ins”) for specific websites based on your natural-language instructions. When you use the Extension to create a Drop in:
    • The Extension may capture the current webpage’s content or context (such as the HTML of the page you are viewing, and possibly a screenshot of the visible portion of the page if needed) but only when you explicitly request a Drop in generation. This page content is used to understand the context so that our backend can generate a suitable custom script for you. We do not automatically collect your browsing content or history. Content from a page is only captured and sent to our servers when you actively request a feature for that page.
    • The page content captured for generation is transmitted securely to our backend server. We do not permanently store the raw page HTML or any screenshots from this process on our servers. They are used transiently in memory to generate the script and then discarded. We also do not save this content in the Extension’s local storage beyond the immediate need for generation.
    • The result of this process is a small piece of code (a “Drop in” script) that customizes the website per your request (for example, hiding an element or adding a button). We do store the generated script associated with your user account so that you can reuse, enable/disable, and manage it going forward. The scripts you generate are stored in two places: (1) in your browser’s extension storage (so that the Extension can quickly load and execute them when you visit the target site), and (2) in our secure cloud storage or database associated with your account (so that your Drop ins persist across devices and sessions and can be restored or managed from multiple devices). These stored scripts include metadata such as the site or URL pattern they apply to, the date of creation, and whether they are currently enabled or disabled.
    • Important: The scripts generated are based on your instructions and the page context. We do not use these scripts or your instructions for any purpose other than providing the service to you. We do not share your custom scripts with other users or third parties, and you remain in control: you can view the code of each script, enable or disable it, or delete it at any time. If you delete a script, it will be removed from both your local Extension storage and our servers (after a short backup retention period if applicable). Please note: While we implement safeguards (such as automatically filtering out potentially dangerous code patterns like eval() or script injection) to ensure the generated scripts are safe, the content of each Drop in is ultimately derived from your input. You should review each script before enabling it to ensure it meets your expectations.
  • Website Usage Data: When you visit our website (including any landing pages, documentation pages, or web dashboards we provide), certain data is collected automatically:
    • Server Log Files: Like most web services, our servers automatically record basic information about each request. This includes your IP address (in an anonymized or truncated form where possible), the date and time of access, the page or file requested, the browser type and version, and the operating system of your device. These server logs are used for debugging, security (e.g. preventing misuse), and analytics. We store log data securely and ensure it is not directly identifiable beyond technical needs. The legal basis for processing server logs is our legitimate interest in maintaining the security and integrity of our service (Art. 6(1)(f) GDPR).
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies (like web beacons or local storage) on our website. Cookies are small text files placed on your device to store information. Some cookies are essential for the website’s operation (for example, to keep you logged in or remember your language preferences). Other cookies are optional and help us understand how visitors use our site or help us improve it (see Section 7: Analytics and Third-Party Services below for details on analytics cookies). You can find more details about cookies in Section 6: Cookies and Tracking Technologies, and you have choices in managing cookies (described in Section 8: “Your Rights and Choices”).
    • Microsoft Clarity and User Interaction Data: If you consent via our cookie banner, we use Microsoft Clarity (an analytics tool) on our website. Clarity may record certain interactions on our site, such as page clicks, mouse movements, scrolling, and non-sensitive page content, to create playback sessions of user experience. This helps us improve the design and usability of our site by seeing how users interact with it. These recordings may collect information you enter on our site (except for password fields or other sensitive fields which Clarity should automatically mask). All Clarity data is anonymized and used in aggregate; we cannot directly identify you from these recordings. Clarity does set cookies to distinguish user sessions. Data collected via Clarity may be transmitted to and stored on Microsoft servers (which may be outside your country, e.g., in the United States). Microsoft is prohibited from using the data collected through Clarity for any purpose other than providing this service to us. If you do not wish to be tracked by Clarity, you can opt out by declining analytics cookies on our site’s cookie consent banner (or revoking consent later) – see Section 8 for how to manage cookies.
  • Analytics Data (Google Analytics): If you consent, we use Google Analytics on our website to collect information about how visitors use our site. Google Analytics may collect data such as which pages you visit, how long you stay, how you arrived at our site, and general information about your device (like your browser and region). We have enabled IP anonymization for Google Analytics, meaning that Google truncates/anonymizes the last octet of your IP address within the European Economic Area or other states adhering to the GDPR before storing it. Google Analytics uses its own cookies to identify you (these cookies contain a unique ID, but no personal name or email, etc.). The information generated by the Google Analytics cookie about your use of our website is generally transmitted to Google servers in the United States and stored there. Google uses this information on our behalf to analyze usage of the website and compile reports on website activity. We use these reports to understand website traffic and improve our services. Important: Google Analytics data is used in aggregate form – we look at trends like total page views or user flows; this data is not used to personally profile individual visitors. You can opt out of Google Analytics by refusing analytics cookies (via our cookie consent banner) or by installing the official Google Analytics Opt-out Browser Add-on. For more information, see Google’s Privacy Policy. (See Sections 6 and 7 below for details on how to manage these analytics tools.)
  • Performance and Usage Metrics (Vercel Analytics & Speed Insights): We use Vercel Analytics and Vercel Speed Insights to collect aggregated usage and performance metrics about our website (for example, pageviews, referrer information, browser/device information, and Web Vitals). These tools are designed to be cookie-less and are used to understand and improve the speed, reliability, and user experience of our website, not to show ads or track you across different websites. The legal basis for this processing is our legitimate interest in measuring and improving our website (Art. 6(1)(f) GDPR).
  • Payment and Transaction Data: If you choose to purchase a premium plan or any paid feature of Drop in (see Terms of Service for our premium model details), we (or our authorized payment processor) will collect information necessary to process the transaction. This may include your name, billing address, payment card details or PayPal/other payment account information, and transaction amount. Note: For security, we use third-party payment processors (e.g., Stripe, PayPal, or similar) to handle payment transactions. We do not store your full credit card numbers or sensitive payment details on our own servers. We may store a record of your purchase (e.g., the last four digits of your card, card type, expiration, and a transaction ID, along with your name and email) as provided by the payment processor, in order to maintain your subscription and for accounting/tax purposes. Payment processors are third parties and their use of your data is governed by their privacy policies. We ensure any processor we use is PCI-DSS compliant and will only share the minimum required information with them for completing the payment.
  • Other Data You Provide: This might include feedback or survey responses, entries you make on our forums or community (if any), or any other information you voluntarily provide through our Service.
  • We do not collect any special categories of personal data about you (such as race, political opinions, health information) unless you voluntarily provide it (for example, if you choose to include such information in a support request, which we do not recommend). We also do not intentionally collect information about your browsing beyond what is described above, and we do not collect any data from your use of the Extension that isn’t necessary for providing the Extension’s functionality.

4. How We Use Your Data

We use the collected data for the following purposes:

  • Providing and Maintaining the Service: We use your information to operate Drop in and our website. This includes using your data to create and manage your account, authenticate you when you log in, provide the features of the Extension (such as generating and running your custom Drop in scripts), and maintain the core functionality. For example, we use your instructions and page content to generate the scripts you request, and we use your stored scripts to apply your desired customizations when you revisit the relevant websites.
  • Personalizing Your Experience: User preferences and settings are used to tailor the Service to you. For instance, remembering which Drop ins you have enabled or disabled, or your chosen settings in the Extension’s dashboard, allows us to present a consistent and convenient experience. Additionally, if you are a premium subscriber, we may use your account status to unlock or limit certain features accordingly.
  • Communication: We may use your contact information (email address) to send you service-related communications. These include:
    • Transactional emails: e.g., account verification, login notifications, password reset emails, receipts or invoices for purchases, and important security or support communications about your use of the Service.
    • Service updates: e.g., notifications about new features, updates to terms or policies (including this Privacy Policy), or relevant information about your usage (such as approaching a usage limit in a free plan).
    • Marketing communications: We will only send you newsletters or promotional emails if you have opted in to receive them. If you are a subscriber or have created an account, we may occasionally send product updates or offers, but we will provide an easy way to unsubscribe from such marketing communications. Transactional and service-critical emails, however, may be sent even if you opt out of marketing, as they relate to core use of the Service.
    • We do not sell your contact information to third parties for marketing. If you contact us with a question or support request, we will use the information you provide to respond to and resolve your inquiry.
  • Improving and Developing the Service: We analyze usage information (including aggregated Extension events and website analytics) to understand how our Service is used. This helps us troubleshoot problems, improve the Service’s performance, develop new features, and make informed decisions about product design. For example, understanding which web integrations or example Drop ins are most popular can guide us in providing more templates or support for those scenarios. Analytics and user feedback are also used to optimize our user interface and fix usability issues.
  • Ensuring Security and Preventing Misuse: Data such as server logs, IP addresses, and certain Extension usage logs are used to monitor for suspicious or malicious activity. We use this data to protect the integrity of the Service, prevent unauthorized access, enforce our Terms of Service, and combat fraud or abuse. For instance, if we detect excessive failed login attempts or patterns that look like automated abuse of our API, we may use log data (including IP addresses and user agent info) to investigate and block malicious actors. Similarly, we might use audit logs of Drop in creation to detect and remove any content that violates our policies (for example, a script that was generated to perform harmful actions).
  • Customer Support: If you reach out for support, we will use relevant data from your account and interactions (such as your account info, the content of your support query, and related usage logs or error messages) to assist you. This may involve reviewing your recent actions within the Service to diagnose an issue (for example, checking our backend logs to see why a particular Drop in generation might have failed). Our support team is bound to keep this information confidential and only use it to resolve your issue.
  • Processing Payments: If you make a purchase or subscribe to a premium plan, we use your personal data to process the transaction, manage billing (including recurring billing, if you are on a subscription), and provide you with the paid features. This includes using third-party payment processors who will handle your payment data (as described above in Section 3). We may also use transaction data for internal accounting, auditing, and compliance (e.g., tax calculations).
  • Compliance with Legal Obligations: In certain cases, we may need to process personal data to comply with laws or regulations. For example, maintaining transaction records for tax and accounting purposes, or responding to lawful requests by public authorities (such as court orders or valid subpoenas). We will also use and disclose personal data as required to enforce our agreements or to establish, exercise, or defend legal claims.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason that is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so, or seek your consent if required by law.

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases, as defined in Article 6 of the GDPR:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Much of our data processing is to fulfill our contract with you – that is, to provide you with the Drop in Service you have requested. When you create an account and agree to our Terms of Service, a contract is formed between you and us. We need to process your account data, authentication data, and user-generated content (scripts) to deliver the functionalities promised (e.g., generating and running your Drop ins, syncing them across devices, etc.). If you are a paying customer, processing payment and subscription details is also under the performance of contract. In short, we cannot provide the service without this data.
  • Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data as necessary for our legitimate interests, provided those are not overridden by your data protection rights. Our legitimate interests include: maintaining the security of our systems (e.g., using logs to prevent abuse), improving our services (e.g., analyzing aggregated usage data, debugging issues), and marketing our services to interested customers (e.g., sending you product updates if you are an existing customer, where permitted). When relying on this basis, we consider and balance any potential impact on you and your rights. For example, our use of server logs and minimal Extension usage data for security is limited and controlled such that it does not unduly impact your privacy, and it is in both our and our users’ interest to keep the service secure. If we process personal data based on legitimate interests, you have the right to object to that processing as described in Section 8 (“Your Rights and Choices”).
  • Consent (Art. 6(1)(a) GDPR): We rely on your consent for certain types of data processing. In particular, we will obtain your consent before using non-essential cookies and analytics tools like Google Analytics and Microsoft Clarity on our website. Through our cookie consent banner, you can choose whether to allow these tracking/analytics cookies. We also rely on consent for sending marketing or promotional emails to you (where required by law). You have the right to withdraw your consent at any time (for example, by updating your cookie preferences or clicking “unsubscribe” in an email), which will not affect the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation (Art. 6(1)(c) GDPR): In some cases, we may need to process and retain certain personal data to comply with a legal obligation. For instance, accounting and tax laws might require us to keep records of transactions (including personal data like name and address on invoices) for a certain period. If we receive a legally binding request (like a court order) that requires processing or disclosure of data, this would also fall under legal obligation.

We do not normally process any data under the “Vital Interests” basis, nor do we perform any tasks in the public interest as a basis for processing. If in the future we ever process special categories of personal data (currently we do not), we would ensure to have a lawful basis such as explicit consent.

6. Cookies and Tracking Technologies

Cookies: Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit websites. We use the following types of cookies on our site:

  • Essential Cookies: These cookies are necessary for the website to function and cannot be switched off. They are usually only set in response to your actions, such as logging in, setting your privacy preferences, or filling out forms. Without these cookies, some parts of our site (or service functionality) may not work properly. For example, if our site has a login area or user dashboard, an essential cookie might keep you logged in as you navigate between pages.
  • Preference Cookies: These cookies allow our site to remember choices you make (such as your language or region, or other preferences) to provide a more personalized experience. For instance, if you set certain preferences in your account or on a cookie banner, a cookie may save those settings so you don’t have to repeat them each time.
  • Analytics and Performance Cookies: These cookies collect information about how visitors use our website, which pages are popular, or if any errors occur. We use this information in aggregate to improve how our website works. For example, we might use a cookie to count the number of visitors to different pages or to see how users move around the site. The analytics cookies we use include Google Analytics cookies (_ga, _gid, etc.) which help distinguish unique users and throttle request rates, and Microsoft Clarity cookies (_clck, _clsk, etc.) which help link user sessions for analytics.
  • Advertising Cookies: Important: We do not use any advertising or targeting cookies on our site at this time. We do not show third-party ads on our site, so we currently have no cookies meant for advertising. If this ever changes, we will update this policy and ask for your consent where required.

When you first visit our site, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies (like analytics cookies). You can always change your cookie preferences later by using our “Cookie Settings” link (typically available in the footer of our site) or by clearing cookies in your browser.

Managing Cookies: Most web browsers also allow you to control cookies through their settings preferences. You can set your browser to refuse cookies or delete certain cookies. However, please note that if you disable essential cookies, some features of our Service may not function properly. For example, blocking all cookies might prevent you from logging in or using features that rely on cookies. For more information on how to manage browser cookies, you can refer to your browser’s help documentation. Additionally, you can learn more about cookies and how to manage or disable them at www.allaboutcookies.org.

Do-Not-Track Signals: Some browsers have a “Do Not Track” (DNT) feature that lets you tell websites you do not want to be tracked across different sites. Our website currently does not respond to DNT signals explicitly. However, we only use your data as described in this policy (and we provide you control over analytics cookies), so we do not collect or share information beyond the limits of this policy whether or not a DNT signal is received.

7. Analytics and Third-Party Services

As mentioned, we use certain third-party services to help us operate and improve our Service. Here are the key third-party services and what they do:

  • Vercel Analytics and Speed Insights: We use Vercel Analytics and Vercel Speed Insights (provided by Vercel) to collect aggregated usage and performance metrics about our website (for example, pageviews, referrer information, browser/device information, and Web Vitals). These tools are designed to be cookie-less and are used to understand and improve our website’s performance and user experience.
  • Google Analytics: Provided by Google Ireland Limited (for EU users) and Google LLC (USA), this tool helps us analyze website traffic. Google Analytics places cookies on your device to collect data about your website usage (see Sections 3 and 6). Google uses this data on our behalf to compile reports like which pages are visited, how long users stay, what browsers are used, etc. We have configured Google Analytics with IP anonymization and do not enable any features that would allow Google to personally identify you (for example, we do not send Google your name, email, or any user IDs in Analytics). We also do not use Advertising Features in Google Analytics. The data Google Analytics collects may be transferred to and stored on Google servers in the United States or other countries. Google is certified under the EU-U.S. Data Privacy Framework (as of the latest update), which provides a legal mechanism for EU data to be transferred to the U.S., and we have also entered into the appropriate Data Processing Addendum and Standard Contractual Clauses with Google to protect data. For more information on Google’s privacy practices, you can visit Google’s Privacy & Terms site. If you wish to opt out of Google Analytics, you can do so by not consenting to it on our site, or later via our cookie settings. You can also use Google’s opt-out tools (such as the Google Analytics Opt-out Browser Add-on).
  • Microsoft Clarity: As described in Section 3, we use Microsoft Clarity for session recording and heatmap analytics on our website, subject to your consent. Microsoft Clarity may process data in the United States. Microsoft has committed to GDPR compliance and Clarity does not collect personally identifiable information (PII) in recordings (and we ensure sensitive fields are masked). The information collected is used to analyze user interaction with our site (e.g., where users click or get stuck) so we can improve the user experience. You can learn more about how Microsoft handles data in Clarity by visiting the Microsoft Privacy Statement (Clarity will fall under that umbrella). If you opt out of analytics cookies, Clarity will be disabled. You can also use browser-based blocking (like certain ad blockers or privacy tools) to block Clarity scripts if desired.
  • Cloud Hosting and Backend Service Providers: Our servers and databases are hosted by third-party cloud infrastructure providers. For example, we might use services like Amazon Web Services (AWS), Google Cloud Platform, or other reputable hosting providers to store and process data. These providers may have access to personal data stored on their infrastructure, but only for purposes of storage and maintenance. We retain control of the data and have agreements in place to ensure your data is protected. We choose hosting providers that maintain high standards of security and compliance. If our cloud servers are located outside of your country (for instance, if we host in the EU but you access from the US, or vice versa), we ensure that appropriate legal safeguards are in place for any international data transfer (see Section 10 on International Transfers).
  • Authentication and User Account Services: If we offer social logins or single sign-on (for example, “Sign in with Google” or similar), those services would collect your authentication data and share basic profile information with us (like your email and name). Currently, our service uses a direct sign-up with email and password (and possibly Magic links or similar). If in the future we integrate a third-party identity provider, we will update this policy accordingly. In any case, your credentials (password) are stored securely – passwords are hashed and salted, meaning we do not store them in plain text.
  • Payment Processors: As mentioned in Section 3, we use third-party payment processors to handle any financial transactions. If we use Stripe, Inc., for example, when you enter your payment details those are transmitted directly to Stripe’s systems; we do not see or store your full credit card information. Stripe (or any processor we use) will act as an independent data controller for your payment data, as they have to process and possibly retain it for legal obligations (e.g., anti-fraud, KYC, regulatory reasons). We share only necessary information for completing the transactions (like your name, email, and purchase amount). These processors are PCI-compliant and have their own privacy policies which we will reference in our purchase flow. We also ensure any data we get back from them (like a payment confirmation and the last four digits of your card) is stored securely.
  • Customer Support and Communications: If we use a third-party service for managing customer support inquiries or email communications (for example, a ticketing system like Zendesk or an email service provider for newsletters like MailChimp or SendGrid), we may share your contact information and correspondence through those platforms. They would process that data only on our instructions to help us manage communications with you. We will ensure any such providers are GDPR-compliant and have appropriate safeguards.
  • Machine Learning / AI Services: A unique aspect of our Service is that the Drop in scripts are generated via natural-language instructions. This generation likely involves advanced algorithms or machine learning models running on our backend. In some cases, we might utilize third-party AI services or APIs to assist in generating the script from your instructions and page content. For example, it’s possible we use a service like OpenAI’s API or a similar machine learning provider. If we do so, the content you provide (your instructions and relevant page data) would be sent to that third-party AI service solely for the purpose of processing and returning the script output. We do not allow any AI service to use your data for training their models or for any purpose except giving us the immediate result. We also do not store the input or output at the AI provider beyond what is necessary for the API call. Any such provider would act as our data processor, and we would have agreements in place (such as OpenAI’s Data Processing Terms, which commit not to use API data for training by default, or similar terms with any provider) to protect your data. We will treat any page content and instructions sent for AI processing as confidential and handle it according to this Policy (i.e., not storing beyond the immediate need). If you have concerns about this, please contact us for more details on our AI generation process.

We do not share or disclose your personal data to third parties except in the following cases: (1) to service providers and partners who process data on our behalf and under our instructions (as described above, for hosting, analytics, payment, etc.), (2) if required by law or governmental authority (see Section 9 on data disclosure), or (3) in the event of a business transfer (also see Section 9). We do not sell your personal information to data brokers or advertisers. We also do not share it with third parties for their own marketing purposes.

8. Your Rights and Choices

User Controls: We strive to give you control over your personal data. These are the ways you can manage or request changes to your data:

  • Access and Portability: You have the right to request a copy of the personal data we hold about you, and to obtain it in a common, machine-readable format. This includes data you have provided to us directly (like account information and content) as well as data we have collected about your usage. If you have an account, you can view certain data directly (for example, you can see your profile information and the list of Drop in scripts in your dashboard). For a full export, you can contact us at any time (see Contact section) and we will provide you with a file of your data, typically in a JSON or CSV format, where feasible.
  • Correction (Rectification): If any of your personal data we have is inaccurate or incomplete, you have the right to ask us to correct it. You can update some of your account information directly (for instance, you can change your email or profile details by logging into your account settings, if our interface provides that). For any other corrections, just reach out to us and we will rectify the information on your behalf.
  • Deletion (Right to be Forgotten): You have the right to request deletion of your personal data. You can delete certain information yourself: for example, you can remove or disable individual Drop in scripts through the Extension, and you can delete your entire account through the Extension’s side panel (“Delete Account” option) or by contacting us. When you delete your account, we will erase or anonymize all personal data associated with your account, including your profile information and any stored scripts, except for data we are required to retain by law or for legitimate business purposes (see Section 9 on Data Retention for details on what we might retain). If you have just deleted specific scripts or content, we remove those from our systems as well. Please note, due to how cloud backups work, it’s possible that some deleted data might persist in encrypted backups for a short period until those backups are cycled out; however, we will not restore or use deleted data except if required for security or legal reasons (e.g., to investigate fraud before final deletion).
  • Restriction of Processing: In certain circumstances, you have the right to ask us to restrict or suspend processing of your personal data. For example, if you contest the accuracy of data or have objected to processing (see below) and we are evaluating your request, you can ask that we hold the data but not process it further. Another example is if you believe our processing is unlawful but you do not want a full deletion. If you request restriction, we will mark the affected data and ensure we only process it for certain purposes (like storing it securely or as necessary for legal compliance) until the issue is resolved.
  • Object to Processing: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (Art. 6(1)(f) GDPR) or for direct marketing purposes. This includes profiling based on those provisions. For instance, if we are processing your data for analytics or improvement under the basis of legitimate interest, and you feel this impacts your rights, you may object. If you do, we will re-evaluate the balance of interests and either stop or modify the processing, or explain compelling legitimate grounds we may have to continue (if applicable). If you object to processing for direct marketing, we will cease such processing immediately. You can easily opt-out of marketing emails by clicking “Unsubscribe” in any email or adjusting your account communication preferences.
  • Withdraw Consent: Where we rely on your consent (for example, for optional analytics cookies or for receiving a newsletter), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal. If you wish to withdraw consent for cookies, you can adjust your cookie settings on our site (by rejecting cookies or using a cookie management tool) or clear your cookies. For email/newsletter consent, you can unsubscribe as noted above. If we ever seek your consent for any new processing, you are free to decline or later withdraw.
  • Data Portability: As noted under Access, you can request a copy of your data in a portable format. This is particularly relevant for data that you provided to us and that we process by automated means on the basis of contract or consent. For example, you might want a copy of all the Drop in instructions you’ve given and the scripts generated, to take to another service or just for your own archive. We will provide this as a structured, commonly used format (likely JSON or CSV).
  • Right not to be subject to automated decisions: We do not perform any fully automated decision-making (including profiling) that has legal or similarly significant effects on you. The generation of scripts via AI is automated, but it’s a service you request and does not negatively affect your rights or have a legal effect on you; you always have the choice to use or not use a generated script. If in the future we consider implementing any automated decision that significantly affects you, we will ensure compliance with GDPR Article 22 and inform you of your rights.

To exercise any of your rights, you can contact us at privacy@dropin.example or by mail to the address provided in Section 1. Please clearly state your request and provide information that will help us verify your identity (we need to ensure we’re modifying or disclosing data to the real owner of that data). We will respond to your request as soon as possible, and at the latest within the legally required time frames (under GDPR, that’s usually one month, extendable by two further months for complex requests – but we aim to be faster).

Your Choices – Managing Your Data

  • In-app settings: The Extension and our website (if it has a user account dashboard) provide various settings. For example, you may be able to edit your profile, change preferences, or toggle certain features. The Extension’s side panel allows you to manage each Drop in (view code, disable, delete). Using these self-service options will immediately update the data we have on you in our systems as well.
  • Cookie Controls: As mentioned, you have control over whether analytics cookies are placed. When you first visit, you can choose “Accept” or “Decline” for different cookie categories. If you later change your mind, look for a “Cookie Settings” or “Privacy Preferences” link on our site (often in the footer) to adjust your selections. Additionally, your browser settings let you remove or block cookies. Keep in mind that blocking all cookies might log you out or disable some site features.
  • Do Not Track: While we don’t respond to DNT signals (as noted), the extent of tracking we do is limited and within your control via cookies. If you have DNT enabled, we interpret that as you likely preferring less tracking, so by default we wouldn’t load analytics scripts unless you explicitly opt in via our cookie banner.
  • Opting Out of Analytics: Besides using our cookie controls, you can opt-out of Google Analytics by using the add-on provided by Google. For Microsoft Clarity, not using the site or blocking cookies will effectively opt you out, since we run Clarity only if consented. You can also use browser extensions or privacy modes that block these scripts.
  • Opting Out of Marketing: If we send promotional content, we will include an unsubscribe link. Click that, and you will be opted out of future marketing emails. You can also contact us directly to request removal from marketing lists.
  • Account Deletion: If you wish to stop using our Service entirely and want your account and data removed, you can use the “Delete Account” function in the Extension’s side panel (under settings) which will initiate the deletion process. Alternatively, contact support and we will manually handle the deletion. Note that deleting your account will remove access to premium features if you had any, and any active subscriptions will be cancelled. (We may retain minimal info like a record of the transaction for legal reasons, but not your personal content or scripts.)

Verification and Timing: When you make a rights request, for your security, we may need to verify your identity (especially for requests to access or delete data). If you have an account, we might ask you to send the request from the email associated with your account or to complete a verification step. We do not charge a fee for processing your rights request, except in cases where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, as allowed by law, but we have never done this and hope we never have to).

Complaints: If you believe we have infringed your privacy rights or data protection laws, you have the right to lodge a complaint with a supervisory data protection authority. Our lead supervisory authority is likely the Bavarian State Office for Data Protection Supervision (BayLDA) in Germany, since we are headquartered in Munich, Germany. You can find their contact details online. However, we sincerely encourage you to contact us first, and we will do our best to address your concerns directly.

9. Data Sharing and Disclosure

We treat your personal data with care and confidentiality. We do not sell or rent your personal information to third parties for their own marketing or other purposes. We only share your data in the ways and for the reasons described below:

  • Service Providers (Processors): We share data with third-party vendors and service providers who need to process the data on our behalf to provide the Service. These include the categories of providers listed in Section 7 (e.g., cloud hosting providers, payment processors, analytics services, email service providers, etc.). For all such providers, we ensure that: (a) we disclose only the minimum personal data necessary for them to perform their specific services; (b) they are contractually obligated to protect your data and use it only for the purposes we specify (for example, through Data Processing Agreements that include GDPR-standard clauses and confidentiality obligations); and (c) they provide sufficient guarantees in terms of technical and organizational measures to safeguard the data (we vet their security measures and certifications).
  • Within Our Corporate Group: If Fluid Software Labs UG in the future has affiliates, parent, or subsidiary companies (for example, if we establish a US branch or another entity controlling or controlled by us), we may share data within that corporate group, on a need-to-know basis, to facilitate the service or corporate functions. Any such group entities will abide by the same privacy commitments and, if any intra-group transfers occur (e.g. between an EU entity and a non-EU entity), we will have appropriate intra-group data protection agreements in place.
  • Business Transfers: If we are involved in a merger, acquisition, investment, reorganization, or sale of all or a portion of our business or assets, personal data may be transferred to the involved party as part of that transaction. We will ensure that any such party is bound to respect your personal data in a manner consistent with this Privacy Policy. If a transfer materially changes how your personal data will be used, we will provide notice and any choices you might have. (For example, if another company acquires us, you would likely have the opportunity to review their privacy policy or opt out of the data transfer if required by law.)
  • Legal Obligations and Safety: We may disclose personal data if required to do so by law or in the good-faith belief that such action is necessary to (a) comply with a legal obligation, such as a lawful subpoena, court order, or regulatory demand; (b) respond to requests from government authorities, including public and government bodies outside your country of residence, if we believe disclosure is required by applicable law; (c) enforce our Terms of Service or other agreements, or investigate potential violations thereof; (d) detect, prevent, or otherwise address fraud, security, or technical issues; or (e) protect the rights, property, or safety of Fluid Software Labs UG, our users, or the public. This includes exchanging information with other companies and organizations for the purposes of cybersecurity protection and fraud prevention.
  • With Your Consent: In situations where you explicitly consent to or request data sharing, we will share your data in accordance with that consent. For example, if we ever implement a feature that allows integration with a third-party service (such as exporting your Drop ins to another platform or sharing a Drop in script with a friend), we would do so only with your knowledge and request. Another example: if we wanted to use a customer testimonial that contains personal data (like your name or photo), we would ask for your consent before publishing it.
  • Aggregated or De-Identified Data: We may share information that has been aggregated or anonymized, so it does not identify you personally, with third parties for any legitimate purpose. For instance, we might publish blog posts or research using aggregated usage data (e.g., “X% of Drop in users create more than 5 custom features for Gmail”). Such data would not contain any personal information and cannot be linked back to you.

Rest assured, outside of the scenarios above, your personal data is not disclosed to anyone. We particularly do not share any of your browsing content or the specifics of your Drop in scripts with any third party, except as needed to provide the service (for example, sending the page content to our AI generation server, or if using a cloud function). Our use of your data is tightly aligned with delivering the functionality you expect and nothing more.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Here is how we handle retention for various types of data:

  • Account Information: We keep your account registration information (name, email, etc.) for as long as your account exists. If you delete your account or if your account is terminated, we will delete or anonymize this information within a reasonable period after the deletion request or termination. In general, our system will begin the deletion process immediately or within a few days of confirmation. Some residual data may remain in encrypted backups for a short duration (typically, backups are rotated every few weeks), but if a backup were restored, our systems would execute the deletion command again. If you simply stop using the Service without formally deleting your account, we may contact you after a period of inactivity to ask if you want to maintain the account. Accounts that are completely inactive for an extended period (e.g., a few years) may be deleted or archived at our discretion, but we will try to reach out to the associated email before doing so.
  • User-Generated Scripts (Drop ins): We store the custom scripts you generate until you choose to delete them or until you delete your account. You have full control to remove any individual Drop in from your collection at any time; when you do so, it is immediately removed from active storage in both your Extension and our servers. As mentioned, it might linger in backups for a short time but will not be used. If you delete your account entirely, all Drop ins associated with your account will be deleted as well. We do not retain copies of your scripts after account deletion, except in anonymized aggregate form (for example, we might keep statistics like how many total scripts were generated on our platform, or generic templates that were common, but not tied to any user).

Usage Data and Logs:

  • Extension Interaction Logs: Data about creation of Drop ins, toggling, errors, etc., are generally stored in our system logs and databases. We typically retain detailed logs for a short duration (a few weeks to a few months) for debugging and support. Aggregated statistics (which do not personally identify you) may be kept longer for product planning. For example, a log entry “User 123 created Drop in at 2025-08-01 10:00 for site example.com” might be kept for a month for debugging. Past that, we may only retain non-identifiable summaries (e.g., “total Drop ins created on that day”).
  • Server Logs (IP, etc.): Our web server and backend logs (which include IP addresses, request URLs, etc.) are typically retained for [X] days (e.g., 30 days) before being automatically purged. We find this timeframe balances usefulness for security analysis and privacy. In some cases, specific logs that are relevant to security (e.g., a series of malicious login attempts) might be kept longer if needed for investigation.
  • Analytics Data: Data collected via Google Analytics is retained on Google’s systems for a period we configure (commonly 14 months). We have chosen a retention period that is no longer than necessary for trends analysis. After that period, Google Analytics automatically deletes the old data. Similarly, Microsoft Clarity data is retained for a certain period (Clarity typically keeps recorded sessions for 30 days by default, although we may adjust this). We do not personally store the raw analytics data ourselves outside these platforms.
  • Support Communications: If you email us or send a support request, we may retain that correspondence and any related information for as long as needed to address your issue and maintain a history of support interactions. This can be helpful if you contact us multiple times – we will have context on past issues. We generally keep support emails for a period of a few years, unless you request deletion earlier. In any event, personal data within support tickets will be deleted or anonymized if no longer needed.
  • Financial Records: For paid accounts, we retain transaction records and invoices containing personal data (e.g., name, email, billing address, transaction ID) as long as required by law for financial reporting and audits. In Germany, for example, certain financial records must be kept for 6-10 years. We securely store this data and restrict access to accounting personnel. Note that this obligation may extend beyond the deletion of your account, but such data would only be used for legal compliance, not for active service purposes.
  • Legal Holds: If we are subject to a legal requirement to preserve data (for example, a litigation hold or a government order), or if data is needed to resolve a dispute, we will retain the specific data relevant for that purpose until it is resolved, even if that extends beyond the normal retention schedule. We will isolate such data and not use it for other purposes.

Once the retention period expires or the purpose of processing is fulfilled, we will either delete your personal data or anonymize it (so it can no longer be associated with you). Anonymized data is no longer personal data and may be used for analytics, improvements, or benchmarking.

11. Data Security

We take the security of your data very seriously. We have implemented a variety of technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption: All communication between the Extension or your browser and our servers is encrypted using industry-standard TLS (HTTPS). This means that the data (such as page content sent for script generation, or your login credentials) is encrypted in transit and cannot be easily intercepted. Sensitive data such as passwords is additionally encrypted or hashed at rest. For example, as noted, we store passwords as secure hashes, not in plain text. Where applicable, we also encrypt certain sensitive information in our database to add an extra layer of protection.
  • Access Controls: We restrict access to personal data to authorized personnel who need it to operate, develop, or support the Service. Our team members are bound by confidentiality obligations. Administrative access to systems that store personal data is limited to key personnel and protected by strong authentication (for instance, multi-factor authentication). We regularly review who has access to what data and update permissions based on role changes.
  • Secure Development Practices: Our engineering team follows secure coding guidelines. We use code reviews, testing (including security testing), and other best practices to prevent common vulnerabilities. The Extension’s content scripts and user scripts run in an isolated context within Chrome to prevent them from accessing anything beyond the intended webpages. We validate the content of user-generated scripts (as described earlier) to block known dangerous patterns, reducing the risk of malicious code execution. Although no automated system is perfect, these validations add safety. We also keep the Extension and our server software up to date with security patches.
  • Network and Infrastructure Security: Our servers are protected by firewalls and network monitoring. We employ intrusion detection/prevention systems where appropriate. Data centers used by our cloud providers have robust security certifications (such as ISO 27001, SOC 2, etc.). We regularly back up critical data (with encryption) to ensure recoverability. Backups are stored securely and are subject to the same access restrictions.
  • Monitoring and Incident Response: We monitor our systems for anomalies or unauthorized access. We have procedures in place to handle any suspected data breach or security incident, including investigation, containment, and reporting. In the unlikely event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law, and take all necessary steps to mitigate the impact.
  • Employee Training: All our employees and contractors who handle personal data are trained in data protection principles and security practices. We foster a culture of privacy and security awareness.

While we strive to protect your information, no system can be 100% secure. The internet by its nature is not completely risk-free, and we cannot guarantee absolute security of data. You also play a role in safety: protect your account credentials and do not share your password with others. If you suspect any unauthorized access to your account or any security vulnerabilities, please contact us immediately so we can assist.

12. International Data Transfers

We operate our Service from Germany, but the nature of modern cloud services means personal data may be transferred to, or accessed from, countries outside of your own. In particular:

European Economic Area (EEA) Users: If you are in the EEA (or UK or Switzerland), your personal data may be transferred to countries outside the EEA that are not subject to an adequacy decision by the European Commission (for example, the United States). As described, we use providers like Google, Microsoft, and possibly others in the US. To ensure that your data is protected when transferred internationally, we rely on legal mechanisms such as:

  • Standard Contractual Clauses (SCCs): We have incorporated the European Commission’s approved SCCs in our contracts with relevant service providers, which obligate them to protect your data with EU-level safeguards.
  • Data Privacy Framework: Where applicable, we may rely on the EU-U.S. Data Privacy Framework or Swiss-U.S. Privacy Framework for transfers to certified entities in the US. (For instance, Google and Microsoft have certifications under these frameworks.)
  • Necessary for Contract: In some cases, transfers are necessary to provide you the service you requested (e.g., if you are connecting from outside the EU to our servers, that inherently involves a cross-border data flow).
  • Your Consent: If we ever need to transfer data in a manner not covered by the above, we would seek your consent.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, wherever it is processed. We remain responsible for the protection of personal data that we transfer to third parties.

If you have questions about our international transfer arrangements or want more information about the specific safeguards in place, please contact us.

13. Children’s Privacy

Our Service (website and Extension) is not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16. If you are under 16, please do not use our Service or provide any personal data to us.

If we learn that we have inadvertently collected personal data from a child under 16 without proper consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and you believe your child has provided personal information to us without your consent, please contact us immediately so that we can investigate and delete the data.

14. Changes to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last Updated” date at the top of this Policy. If the changes are significant, we will provide a more prominent notice, for example by emailing you (if we have your email) or by placing a notice on our website or within the Extension interface.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Continued use of our Service after a Policy update constitutes your acceptance of the changes, to the extent permitted by law. If you do not agree with any updates to the Policy, you should stop using the Service and you may request that we delete your data.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Fluid Software Labs UG
Lohengrinstrasse 20
81925 München
Germany
Email: contact@usedropin.com

We will be happy to answer your questions and address any issues to the best of our ability. Your privacy is important to us, and we are committed to being transparent and responsive regarding our practices.