Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for drop-note is the operator of this service. For all data protection enquiries and data subject requests, contact us at legal@dropnote.com.

2. Personal Data We Collect

We collect and process the following categories of personal data:

  • Email address — used to identify your account and as the inbound address for drop-note's email ingestion service.
  • Content of emails — the body, subject, and any attachments you send to drop@dropnote.com are stored and processed to provide the service (summarisation, tagging, and display in your dashboard).
  • IP address — collected transiently for rate limiting and abuse prevention. Not stored long-term.
  • Payment details — billing information (card number, billing address) is collected and stored exclusively by Stripe. We do not store payment card data. See Section 7 for details.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the legal basis of contract performance (Article 6(1)(b) GDPR). Processing your email address and email content is necessary to deliver the drop-note service you have signed up for. Without this data we cannot provide summarisation, tagging, or dashboard access.

4. How We Use Your Data

  • Authenticate your account via magic-link sign-in
  • Receive and process emails you send to the ingest address
  • Generate AI summaries and tags using OpenAI GPT-4o-mini (your content is sent to OpenAI's API and is subject to their data processing terms)
  • Display saved items in your personal dashboard
  • Send transactional emails (sign-in links, account notifications) via Resend
  • Process subscription payments via Stripe

5. Data Retention

  • Active items — retained for as long as your account remains active.
  • Deleted items (Pro/Power tier) — moved to trash and retained for 30 days before permanent deletion.
  • Deleted items (Free tier) — permanently deleted immediately.
  • Account data — deleted within 30 days of a verified account deletion request.

6. Your Rights (GDPR Article 17)

You have the right to access, correct, or erase your personal data. Specifically:

  • Right of erasure (right to be forgotten) — you can delete your account and all associated data at any time via Settings > Delete Account in the dashboard. This is processed immediately and your data is removed within 30 days.
  • Other data subject requests — for access requests, portability, or rectification requests, email legal@dropnote.com. We will respond within 30 days.

7. Third-Party Processors

Stripe (payments)

Stripe processes all payment transactions and stores your payment card data. drop-note does not store payment card numbers or CVVs. Stripe's privacy policy is available at stripe.com/privacy.

Sentry (error monitoring)

We use Sentry to capture application errors. Error reports are configured to exclude personally identifiable information — we do not send email addresses, item content, or other PII to Sentry. Only technical error context (stack traces, browser/OS version) is transmitted.

OpenAI (AI processing)

Email content you ingest is sent to OpenAI's API for summarisation and tagging. By using drop-note you acknowledge this processing. OpenAI's data usage policies apply; see openai.com/policies/api-data-usage-policies.

8. Cookies

drop-note uses essential cookies solely to maintain your authenticated session. We do not use tracking, advertising, or analytics cookies. You can accept essential cookies via the banner displayed on first visit.

9. Contact

For any privacy-related questions or to exercise your data subject rights, contact us at legal@dropnote.com.

← Back to home