Privacy Policy

We collect only what the product needs to function.

Account information

When you sign up or join the beta waitlist we store your email address, display name, and any profile details you choose to provide. If you authenticate with a third-party identity provider, we receive the identifiers that provider sends back — typically a provider user ID and a verified email.

Recordings and workflow content

When you record a workflow in Dropplit we capture the screen frames, cursor movements, clicks, keystrokes, and optional microphone audio needed to reconstruct the steps. This content is scoped to the window or application you choose and is encrypted before it leaves your device. Recordings are your data; we do not sell them, share them with advertisers, or use them to train third-party models.

Connected-service data

Workflows that act on your behalf — in Gmail, Slack, Google Sheets, Notion, Calendar, Drive, or any other tool you connect — require OAuth tokens and the minimum read/write scopes to do the thing you asked for. We store these tokens encrypted and use them only to execute the workflow you authorised. We do not browse, index, or mine connected accounts for any other purpose.

Usage and diagnostics

We log product events (workflow created, run succeeded, run failed), crash reports, and performance traces so we can keep the service reliable. These logs include account identifiers and error context, but not recording contents.

Technical information

Our servers receive the standard request metadata sent by any browser or client: IP address, user-agent, approximate region, and timestamps. We retain this for a short window for abuse prevention and debugging.

• To provide the core product: record a workflow, analyse the steps, and re-execute them against your connected accounts.
• To keep the service reliable: investigate outages, diagnose bugs, and improve performance.
• To communicate with you: respond to support requests, send product updates relevant to your account, and, if you opted in, share occasional release notes.
• To enforce our terms and prevent abuse: detect fraud, rate-limit suspicious activity, and protect the service and the accounts our users connect to it.
• To comply with legal obligations we are subject to.

Recordings and OAuth tokens are encrypted in transit (TLS) and at rest. Access within Dropplit is scoped to engineers who need it for operations or support, is logged, and is reviewed periodically. Production keys are managed through a dedicated secret manager and rotated on a regular cadence.

We select sub-processors — cloud hosting, email delivery, analytics — who offer contractual protections equivalent to the standards described here. We do not sell or rent personal information.

We will only disclose personal information in response to valid legal process, to protect the safety of any person, or to investigate fraud and violations of our terms. When the law allows, we will notify affected users.

We do not use your recordings, workflow content, or connected-service data to train foundation models or any models that are shared outside your account. When Dropplit analyses a recording to extract steps, that inference runs to serve your workflow and the result belongs to you. If we ever introduce an optional feature that would use your data to improve product-wide models, it will be off by default and clearly disclosed.

The marketing site and product use a small set of cookies: a session cookie to keep you signed in, a preferences cookie for things like reduced-motion and scrollbar style, and an analytics cookie described below. You can clear or block cookies through your browser; doing so may sign you out or prevent certain preferences from persisting.

We use privacy-respecting analytics to understand aggregate usage — which pages people land on, where sign-ups come from, which flows convert. Our analytics provider does not build cross-site profiles, and we do not send recording contents to them.

Dropplit connects to services you authorise (email, chat, storage, calendars, spreadsheets, notes). Once a workflow reaches those services, the data you send is also subject to those providers’ privacy policies. The marketing site may link out to Discord, documentation, and partner pages; we are not responsible for the practices of sites we link to.

Dropplit is built for work and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has created an account, please contact us and we will delete it.

We are based in the United States and store most data on US-hosted infrastructure. If you access Dropplit from outside the US, your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to cover transfers from the EEA, the UK, and Switzerland.

Account metadata is kept for the life of the account. Recordings follow the retention window you configure in workflow settings — delete a recording at any time and we remove it from storage within 30 days. When you close your account we delete the associated recordings, OAuth tokens, and personal metadata within 30 days, except where a shorter deletion window conflicts with a legal obligation we must satisfy.

You can ask us to access, correct, export, or delete the personal information we hold about you. Residents of the EEA, the UK, and California have additional rights under GDPR, UK GDPR, and the CCPA/CPRA respectively. To exercise any of these, email support@dropplit.app from the address on your account and we will respond within the time frame required by applicable law.

We update this policy as the product changes. Material changes are announced in-product or by email at least seven days before they take effect. The “last updated” date at the top of this page always reflects the current version. Continued use of Dropplit after a change goes into effect means you accept the revised policy.

Questions, requests, and privacy-related reports can be sent to support@dropplit.app. We read every message.