Droplybeta
Connect MCP

Privacy Policy

Effective date: March 22, 2026

1. Overview

Droply (droply.run) is built with a minimal-data philosophy. We collect only what is necessary to operate the service. We do not sell your data. We do not run ads.

This policy explains what data we collect, why, how long we keep it, and your rights over it. It covers droply.run and the published pages hosted at *.run.droply.run.

2. What We Collect

2a. Automatically collected (all visitors)

All traffic to droply.run and *.run.droply.run passes through Cloudflare, which processes:

  • IP addresses (used for routing and abuse prevention)
  • HTTP request metadata (URL, method, user-agent, referrer, timestamps)
  • Cloudflare performance and security metrics

This data is governed by Cloudflare's Privacy Policy. We do not receive raw IP addresses in application logs.

2b. When you publish a page (token-based, no account)

  • The HTML/CSS/JavaScript content you submit
  • The page slug (URL path you chose or we generated)
  • A SHA-256 hash of your access token (one-way; we cannot reverse it)
  • Creation timestamp and page count

We do not collect your name, email address, or any personally identifying information when you use a token without signing in.

2c. When you sign in with Google (optional)

If you choose to sign in via Google OAuth, we receive from Google:

  • Your Google account ID (opaque identifier)
  • Your display name
  • Your profile picture URL
  • Your email address

Google's own Privacy Policy governs what Google collects during the sign-in flow. We store only what is needed to identify your session and link it to your pages.

3. How We Use Your Data

  • To publish and serve your pages at *.run.droply.run
  • To enforce free-tier limits (3 pages per token)
  • To auto-delete pages after 30 days
  • To detect and prevent abuse, spam, and policy violations
  • To link signed-in accounts to their published pages

We do not use your data for advertising, profiling, or any purpose beyond operating the service described above.

4. Data Retention

  • Free-tier page content: deleted automatically 30 days after creation
  • Token hashes: retained while the token is active; deleted when you revoke your token
  • Signed-in account data: retained while your account exists; deleted on account deletion request
  • Cloudflare infrastructure logs: subject to Cloudflare's own retention schedule

After a free-tier page expires, its content is permanently removed from our storage (Cloudflare R2 and D1) and cannot be recovered.

5. Data Sharing

We do not sell, rent, or broker your data. We share data only with:

  • Cloudflare — our infrastructure provider (hosting, CDN, database, object storage)
  • Google — only during the OAuth sign-in flow, if you choose to sign in
  • Law enforcement — if legally required by a valid court order or applicable law

There are no analytics vendors, advertising networks, or data brokers involved.

6. Cookies & Tracking

Droply uses a single session cookie set by NextAuth.js (next-auth.session-token) to maintain your login state if you sign in. This cookie is:

  • First-party (set by droply.run, not a third party)
  • Strictly necessary for authentication
  • Deleted when you sign out

We do not use tracking cookies, advertising cookies, or third-party analytics scripts. Anonymous (token-only) users receive no cookies from us.

7. Your Rights (GDPR / CCPA)

Depending on where you live, you may have the following rights over your personal data:

  • Right to access — request a copy of the data we hold about you
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure — ask us to delete your data ("right to be forgotten")
  • Right to portability — receive your data in a machine-readable format
  • Right to object — object to certain types of processing
  • Right to opt out of sale — we don't sell data, but you have this right regardless

To exercise any of these rights, email legal@droply.run. We will respond within 30 days.

EU/EEA users: if you believe your rights under the GDPR have been violated, you have the right to lodge a complaint with your local supervisory authority.

8. Children's Privacy

Droply is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at legal@droply.run and we will delete it promptly.

9. Security

We take reasonable technical measures to protect your data:

  • Access tokens are stored as one-way SHA-256 hashes — even we cannot read your token
  • All traffic is encrypted in transit via HTTPS/TLS (enforced by Cloudflare)
  • Data is stored in Cloudflare's infrastructure, which maintains SOC 2 and ISO 27001 certifications

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to legal@droply.run.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will make a reasonable effort to notify you (for example, via a notice on the homepage).

Continued use of Droply after changes constitutes acceptance of the revised policy.

11. Contact

Questions, requests, or concerns about this Privacy Policy? Reach us at legal@droply.run.

See also our Terms of Service.