Privacy Policy

Effective 2026-05-19 · Last updated 2026-05-19
1. Who we are and how to contact us
Dropify ("Dropify", "we", "us", "our") is operated by Peak Bot LLC, a limited liability company organized under the laws of the State of Florida, USA. This Privacy Policy applies to the website at dropify.cloud, the authenticated application at app.dropify.cloud, the backend API at production.dropify.cloud, our iOS application, and our Discord bot (collectively, the "Service").

For privacy questions or to exercise any right described in this Policy, contact us at experience@peakbot.com. Postal mail: Peak Bot LLC, [registered address on file with the Florida Department of State]. For security vulnerability disclosures, email the same address with the subject line "SECURITY".
2. Scope and roles under GDPR / UK GDPR
For purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws, Peak Bot LLC is the controller of personal data processed about Dropify users. Where we process personal data on behalf of an enterprise customer (e.g. an artist or label using Dropify to run their own alert channels), we act as a processor for that data and a separate Data Processing Agreement governs that processing.
3. Personal data we collect
We collect the following categories of personal data:
  • Account identifiers — Discord user id, Discord email, Discord username, Discord avatar; Whop user id, Whop email, Whop username, Whop avatar; primary email; assigned account role.
  • Subscription & billing — Whop membership id, plan id, billing period, plan status (active / trialing / cancelled / past due), renewal date. We do not receive, store, or have any ability to access your full payment card number, CVV, or bank account information — that data flows directly between you and Whop.
  • Product activity — artists you follow, sources you subscribe to, alerts you have opened, alert delivery preferences, iOS device push token (only if you enable iOS push notifications), in-app chat messages you post.
  • Technical & log data — IP address, user-agent string, referrer URL, request path, response status, request timestamp, geolocation derived from IP at the country level (no precise geolocation).
  • Cookies and similar technologies — a single first-party session cookie named dropify.sid used solely to keep you signed in. No third-party advertising or tracking pixels are set by us.
  • Communications — when you contact support by email or Discord, we retain the correspondence and any attachments to provide support and maintain records.
We do not collect Special Categories of personal data (race, religion, health, biometric, sexual orientation, political opinions, trade-union membership). Do not submit any such data to the Service.
4. How we collect personal data
We collect personal data:
  • From you — directly when you sign in via Discord or Whop OAuth, when you configure subscriptions, when you post in chat, and when you contact support.
  • From third parties — Discord and Whop forward the minimum profile information listed above as part of OAuth; Whop sends webhooks regarding your subscription state.
  • Automatically — server logs and the session cookie are generated automatically by the technical operation of the Service.
5. Why we process personal data, and the legal basis
We process the personal data above for the following purposes, on the legal bases noted (GDPR Art. 6 / UK GDPR equivalent):
  • Performance of the contract with you (Art. 6(1)(b)) — providing the Service, delivering alerts, gating premium features to active subscribers, processing your subscription changes, providing customer support.
  • Compliance with a legal obligation (Art. 6(1)(c)) — retaining billing records for tax purposes, responding to law-enforcement requests with valid legal process, complying with court orders.
  • Legitimate interests (Art. 6(1)(f)) — preventing fraud and abuse, securing the Service, debugging, aggregate analytics, defending legal claims, evaluating product improvements. Our legitimate interests do not override your rights and freedoms; we balance the two and you may object as described in Section 11.
  • Consent (Art. 6(1)(a)) — where you have opted into iOS push notifications, marketing emails, or any non-essential processing. You can withdraw consent at any time without affecting the lawfulness of processing before the withdrawal.
We do not sell, rent, lease, or trade personal data to third parties; we do not engage in cross-context behavioral advertising; we do not use personal data to train artificial intelligence models; and we do not engage in automated decision-making (including profiling) that produces legal or similarly significant effects concerning you.
6. Sharing with third parties
We share personal data with the following categories of recipients only as needed:
  • Authentication providers — Discord, Inc. (USA) and Whop, Inc. (USA) — we share authentication tokens to verify your identity.
  • Payment processor — Whop, Inc. (USA) — processes all subscription billing.
  • Cloud infrastructure providers — Salesforce (Heroku, USA) for application hosting; MongoDB, Inc. (MongoDB Atlas, USA) for primary database; Apple, Inc. (USA) for iOS Apple Push Notification service.
  • Communications — Discord (USA) for community channels; X / Twitter (USA) for optional auto-tweets that you, as a source owner, enable.
  • Professional advisors — outside legal counsel, accountants, and auditors under binding confidentiality obligations, as needed.
  • Regulators and law enforcement — when compelled by valid legal process or when we have a good-faith belief disclosure is required to protect rights, property, or safety.
  • Successors — in connection with a merger, acquisition, financing, or asset sale, in which case the acquirer will be bound by this Policy with respect to your data or will notify you of any material change.
A current list of our subprocessors with their location and role is below. We require all subprocessors to implement appropriate technical and organizational security measures.
7. Subprocessors
The following subprocessors process personal data on our behalf:
  • MongoDB Atlas (MongoDB, Inc., USA — AWS us-east-1) — application database.
  • Heroku (Salesforce, Inc., USA) — application hosting and runtime.
  • Whop (Whop, Inc., USA) — authentication and payment processing.
  • Discord (Discord, Inc., USA) — authentication and message delivery.
  • Apple Push Notification service (Apple Inc., USA) — iOS push delivery.
  • Webshare (Webshare, USA) — outbound proxy network used by our crawler.
We will provide at least 30 days' notice of any new subprocessor that processes personal data of enterprise customers; you may object to that addition by emailing us within the notice period.
8. International data transfers
Our infrastructure is located primarily in the United States. If you access the Service from outside the United States, your personal data will be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate. For transfers from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (Module 1, controller-to-controller; Module 2, controller-to-processor) as adopted June 4, 2021, supplemented by the UK Addendum where applicable, and on supplementary technical measures including encryption in transit, encryption at rest, and access controls. Copies of these transfer mechanisms are available on request.
9. Retention periods
We keep personal data only as long as needed for the purposes set out in this Policy:
  • Active account data — for the lifetime of your account.
  • Closed-account data — up to 90 days after deletion to allow recovery, then permanently deleted from primary storage. Anonymized aggregates may be retained indefinitely.
  • Billing records — 7 years for tax and accounting compliance.
  • Server logs — 30 days, then automatically deleted.
  • Backups — 30-day rolling retention; deleted backups are overwritten in the normal cycle.
  • Support correspondence — 24 months after last contact.
  • Audit / security incident records — 24 months.
We may retain data longer where required by law, to defend or assert legal claims, or to enforce our Terms of Service.
10. Security measures
We implement appropriate technical and organizational measures designed to protect personal data, including:
  • TLS 1.2+ for all data in transit, with HSTS enforced.
  • AES-256 encryption at rest on the primary database and backups.
  • Signed JWT authentication for the API; HMAC-SHA256 verification of inbound webhooks; replay-window protection on payment webhooks.
  • Network isolation, IP allowlisting, and multi-factor authentication on administrative access.
  • Least-privilege access controls; principle of minimum necessary access for engineering personnel.
  • Continuous logging and monitoring with anomaly detection.
  • Regular dependency updates and security patching.
  • Annual review of security controls and policies.
No system is perfectly secure. If you have reason to believe your account has been compromised, contact us immediately at experience@peakbot.com so we can investigate.

In the event of a personal data breach affecting your data, we will notify supervisory authorities within 72 hours where required by GDPR and notify affected users without undue delay where required by law (including state-specific data breach statutes).
11. Your rights (GDPR / UK GDPR / CCPA / CPRA)
Subject to applicable law and verification of your identity, you have the right to:
  • Access — request a copy of the personal data we hold about you.
  • Rectify — correct inaccurate or incomplete personal data.
  • Erase ("right to be forgotten") — request deletion of your personal data. We will honor this except where retention is required by law (e.g. billing records).
  • Restrict processing — ask us to limit how we use your data in certain circumstances.
  • Object to processing carried out under our legitimate interests, including for direct marketing.
  • Portability — receive your data in a structured, commonly used, machine-readable format (JSON), and have it transmitted to another controller where technically feasible.
  • Withdraw consent at any time for processing based on consent.
  • Not be subject to automated decision-making producing legal or similarly significant effects. We do not engage in such automated decision-making.
  • Lodge a complaint with a supervisory authority — for the EU, your local Data Protection Authority; for the UK, the Information Commissioner's Office (ICO); for California, the Attorney General.
  • CCPA / CPRA specific rights (California residents) — right to know categories and specific pieces collected; right to delete; right to correct; right to opt out of "sale" or "sharing" (we do neither); right to limit use of sensitive personal information (we don't process any); right to non-discrimination for exercising any of these rights.
To exercise any right, email experience@peakbot.com. We may request verification of your identity (such as confirming control of the account email) before taking action. We will respond within 30 days (45 days under CCPA, extendable by 45 more days for complex requests with notice). There is no charge for the first request in any 12-month period.

Authorized agents. California residents may use an authorized agent to make a request; we will require written permission from you and verification of your identity.
12. Marketing communications
We may send you transactional emails (receipts, account notices, security alerts) that you cannot opt out of while you have an account, because they are necessary to deliver the Service. Marketing emails (product updates, feature announcements, occasional promotions) are sent only with your consent and you can opt out at any time via the unsubscribe link in any such email or by emailing us.
13. Children's privacy
The Service is not directed at children under 13 (or under 16 where local law sets that threshold, including the UK and several EU member states). We do not knowingly collect personal data from children. If you are a parent or guardian and believe a child has provided personal data to us, contact experience@peakbot.com and we will delete the account and any personal data we have collected.
14. EU / UK representative
If required under Art. 27 GDPR / UK GDPR, we will appoint and publish an EU and UK representative. Until then, EU/UK data subjects may contact us directly at the address above and we will respond as if we had a designated representative.
15. Do Not Track and Global Privacy Control
Some browsers send a "Do Not Track" (DNT) or "Global Privacy Control" (GPC) signal. We do not engage in cross-context behavioral advertising and do not "sell" personal data as those terms are defined under CCPA/CPRA, so there is no practical effect of these signals on our processing. We will continue to honor whatever opt-out preferences you set through your account settings.
16. Third-party links
The Service may contain links to third-party websites (artist storefronts, Discord servers, Whop checkout, etc.). We are not responsible for the privacy practices of those sites and recommend you review their privacy policies before submitting personal data.
17. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated to subscribers by email and via a prominent in-app banner at least 30 days before they take effect, unless an immediate change is required by law or to address a security issue. The "Effective" date at the top of this Policy will be updated to reflect any change. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
18. Severability and contact
If any provision of this Policy is held invalid or unenforceable, the remainder will continue in full force. For any question, complaint, or to exercise any right, contact experience@peakbot.com.