Droply Privacy Policy
Effective date: June 21, 2026
Last updated: June 21, 2026
This Privacy Policy explains how Droply ("Droply", "we", "us", or "our") collects, uses, shares, and protects personal data when you use our no-code static-site and file-hosting service, our websites, dashboard, API, browser and editor extensions, and related features (collectively, the "Service"). It also explains the rights you have over your personal data.
Please read this Policy together with our Terms of Service, Acceptable Use Policy, and DMCA / Copyright Policy.
1. Who we are and how to contact us
Droply operates a platform domain (the dashboard, marketing site, authentication, billing, API, and this Policy) at droply.host, and a separate hosting domain where customer sites are served at droply.id.
The data controller for personal data described in this Policy is:
[ASSUMPTION: Droply is operated by a legal entity to be confirmed — e.g., "Droply Ltd." Insert the full legal/registered company name and registered address here.]
For any privacy question, request, or concern — including data-protection enquiries, requests to exercise your rights, security reports, abuse reports, and copyright (DMCA) notices — contact us at:
You may also submit an abuse or content report through our public form at droply.host/abuse.
[TO CONFIRM: Whether Droply is required to appoint, and has appointed, a Data Protection Officer (DPO) and/or an EU/UK representative under GDPR Art. 27 / UK GDPR. If so, name them here. Until then, privacy enquiries are handled at the address above.]
Your role as a "site owner"
A core function of Droply is that you (a Droply account holder) can host websites and pages that your own visitors then access. For data you collect from your visitors (for example, through an email-capture form on a site you host), you are the controller of that personal data and Droply acts as your processor. See Sections 4(e) and 11.
2. Scope
This Policy applies to:
- Account holders and prospective customers of Droply (people who sign up, browse our marketing site, or contact us).
- Visitors to sites hosted on Droply, whose data we process on a hosted site owner's behalf (e.g., request logs, form submissions).
- People who submit abuse/copyright reports to us.
This Policy does not govern the content of sites our customers host. Each hosted site is operated by an independent account holder who is responsible for their own privacy practices and for any notice or consent their visitors require.
3. A note on "no anonymous publishing"
Every site hosted on Droply is tied to an identified, signed-in account — anonymous publishing and anonymous deploys are not permitted. We do this because static hosting can be abused for phishing and spam, and attribution to a known account is our primary abuse control. As a result, we always retain an account record associated with each hosted site, and we may use that record — together with signup IP and access logs — to identify the responsible party for abusive, infringing, or illegal content and, where warranted, to suspend or terminate the account, including the termination of repeat copyright infringers. See Section 5 (purpose 3), Section 10 (retention), the Acceptable Use Policy, and the DMCA / Copyright Policy.
4. Categories of personal data we collect
(a) Account and authentication data
- Account identifiers: a unique account ID (UUID), your email address, and your name (where provided).
- Credentials: a securely hashed password (for email/password accounts; social-only accounts may have no password until you set one). Passwords are hashed with bcrypt and never stored in plaintext.
- Two-factor authentication (2FA): if you enable app-based TOTP 2FA, we store your TOTP secret and recovery codes in hashed/encrypted form (managed by Laravel Fortify).
- Passkeys (WebAuthn): if you register a passkey, we store the public credential ID and the credential's WebAuthn data and a "last used" timestamp. These are device/authenticator identifiers, not your biometrics — your biometric data never leaves your device and is never sent to us.
- Account status and activity: your status (active / suspended / banned), the IP address captured at sign-up, and a "last active" timestamp updated on login.
- Passwordless email codes: for browser-extension sign-in, we send a short, single-use code to your email; the code is stored only in hashed form for a short window (currently 15 minutes) and is never stored in plaintext.
(b) Profile and social-login data
- Profile: name and avatar URL (where provided, including from a social provider).
- Social-login identifiers: if you sign in with or link Google, GitHub, or Microsoft, we store the provider name, the stable provider user ID, and (optionally) a provider avatar URL. Each provider identity can be linked to only one Droply account. We create an account from a social provider only when the provider attests that the email address is verified. For Google, we rely on the standard verified-email claim. For GitHub, which does not return a verification flag in the sign-in payload, we make a follow-up API call to GitHub using your authorization to confirm the email is verified. For Microsoft, whether we rely on a verified-email claim depends on the configured tenant policy: when a single workforce tenant is pinned we trust the tenant's email, and we require an explicit verified-email claim on the multi-tenant "common" configuration.
(c) Site, deployment, and content data
- Site configuration: project/subdomain names, custom-domain configuration (domain name, type, status, the DNS target we show you, a non-secret verification token, and TLS status), feature settings, spaces, and team membership/roles.
- User content: the files you upload or paste to deploy (HTML, ZIP archives, PDFs, images, documents) and the resulting immutable deployment records — including the original filename, storage object key, file manifest/checksums, size, file count, and the malware-scan result. Your live site content is whichever deployment is currently "live"; older superseded versions are retained only briefly (see Section 10).
- Online editor / workspace files: if you use the editor, your editable files are stored in our object storage.
- API tokens: Personal Access Tokens (name, a hashed token value, abilities, and creation/last-used/expiry timestamps) and OAuth tokens (e.g., for a ChatGPT integration). The plaintext token is shown to you only once at creation; we store only a hash.
(d) Hosted-site request/access logs and analytics
When a visitor accesses a site you host, our edge server records standard web-server access logs, which include the visitor's IP address, approximate location (inferable from IP), timestamps, the requested host and path, HTTP referrer, status code, bytes served, and user-agent string. We parse these logs to produce per-site, per-day aggregated metrics: visit counts and bandwidth used, plus top-pages and top-referrer breakdowns. Raw visitor IP addresses are not stored in our analytics database — they are used transiently (a short-lived hashed form is used for daily per-IP visit capping to prevent quota abuse). Aggregated metrics contain no raw IP addresses.
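The log-to-aggregate pipeline this subsection describes, as an added illustration (not Droply's own code): it parses constructed Caddy-style JSON access-log lines, replaces each visitor IP with a per-day keyed pseudonym that exists only while the batch is being aggregated, applies the daily per-IP visit cap, and emits per-site, per-day metrics that contain no raw IP. The Caddy field layout, the cap value of 3, the "demo.droply.id" host, and the use of a keyed HMAC (the policy says only "hashed") are assumptions.

```python
import hashlib
import hmac
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed value: the policy says a daily per-IP visit cap exists, not its size.
MAX_VISITS_PER_IP_PER_DAY = 3


def daily_ip_pseudonym(ip: str, day: str, secret: bytes) -> str:
    """Short-lived pseudonym for a visitor IP. Assumption: keyed HMAC under a per-day
    derived key, so the small IPv4 space cannot be brute-forced back from the value
    and the same IP maps to a different pseudonym tomorrow (no cross-day joining)."""
    day_key = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse_line(line: str) -> dict:
    """Extract the needed fields from one Caddy-style JSON access-log line
    (field layout assumed to follow Caddy's default JSON access log)."""
    rec = json.loads(line)
    req = rec["request"]
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return {
        "day": when.date().isoformat(),
        "host": req["host"],
        "path": req["uri"].split("?", 1)[0],  # query strings stay out of page stats
        "ip": req["remote_ip"],
        "referer": (req.get("headers", {}).get("Referer") or [""])[0],
        "status": rec["status"],
        "bytes": rec.get("size", 0),
    }


def aggregate(lines, secret: bytes, cap: int = MAX_VISITS_PER_IP_PER_DAY) -> dict:
    """Return {host: {day: metrics}} containing no raw IP. Per-IP state is keyed
    by the daily pseudonym and is discarded when this function returns."""
    stats = defaultdict(dict)
    per_ip = defaultdict(Counter)  # (host, day) -> pseudonym -> visits counted
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        m = stats[e["host"]].setdefault(e["day"], {
            "visits": 0, "capped_visits": 0, "bytes": 0,
            "pages": Counter(), "referrers": Counter()})
        m["bytes"] += e["bytes"]  # bandwidth counts every byte served, errors included
        if not 200 <= e["status"] < 400:
            continue  # an error response is not a visit
        pseudonym = daily_ip_pseudonym(e["ip"], e["day"], secret)
        if per_ip[(e["host"], e["day"])][pseudonym] < cap:
            per_ip[(e["host"], e["day"])][pseudonym] += 1
            m["visits"] += 1
        else:
            m["capped_visits"] += 1  # over-cap hits never reach the quota meter
        m["pages"][e["path"]] += 1
        if e["referer"]:
            m["referrers"][e["referer"]] += 1
    return {h: {d: _finalize(m) for d, m in days.items()} for h, days in stats.items()}


def _finalize(m: dict) -> dict:
    return {"visits": m["visits"], "capped_visits": m["capped_visits"],
            "bytes": m["bytes"], "top_pages": m["pages"].most_common(5),
            "top_referrers": m["referrers"].most_common(5)}


def leaks_raw_ip(result: dict, raw_ips) -> bool:
    """Guard: True if any raw IP survived into the serialized aggregate."""
    blob = json.dumps(result)
    return any(ip in blob for ip in raw_ips)


def _log_line(ts, ip, path, referer, status=200, size=4096) -> str:
    """Build one constructed Caddy-style access-log line for the sample."""
    return json.dumps({"ts": ts, "status": status, "size": size, "request": {
        "remote_ip": ip, "host": "demo.droply.id", "uri": path,
        "headers": {"Referer": [referer] if referer else [],
                    "User-Agent": ["Mozilla/5.0 (constructed)"]}}})


# Constructed sample: one hosted site, one day (1782000000 = 2026-06-21T00:00:00Z).
SAMPLE_LINES = (
    [_log_line(1782000000 + i * 60, "203.0.113.7", "/", "https://example.com/")
     for i in range(5)]  # five hits from one IP: only the cap (3) count as visits
    + [_log_line(1782003600, "198.51.100.9", "/", ""),
       _log_line(1782003660, "198.51.100.9", "/about", "https://demo.droply.id/"),
       _log_line(1782007200, "198.51.100.9", "/missing", "", status=404, size=512)]
)


def run_sample(secret: bytes = b"constructed-daily-secret") -> dict:
    return aggregate(SAMPLE_LINES, secret)
```

The daily secret would be rotated (and the previous day's discarded) in a real deployment; once it is gone, the pseudonyms can no longer be linked back to an address even by the operator.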
(e) Lead / email-capture data (collected on a site owner's behalf)
If a site owner enables email-capture forms (a paid feature), each visitor submission is stored as a "lead" containing the email address, any custom form fields submitted, the visitor's IP address, the HTTP referrer, and a timestamp. Droply is the processor and the site owner is the controller of this data; the site owner can view and export it. Site owners are responsible for giving their visitors any required notice and for obtaining any required consent. (We apply basic anti-bot measures, such as honeypot fields, which are discarded.)
(f) Usage and metering data
We meter account-wide usage against your plan's monthly limits (visits and bandwidth), derived from the aggregated logs described above. We also store deployment/processing status and operational metadata.
(g) Marketing and lead-capture (our own)
If you contact us, request information, or sign up for updates, we process the contact details and message you provide. [TO CONFIRM: Whether Droply runs a marketing newsletter / waitlist and the consent basis for it.]
(h) Payment and billing data
We use Stripe to process payments. Card details are entered directly into Stripe's components and are never stored on our servers — we do not receive or store full card numbers or CVCs. We store only tokenized billing references and metadata: a Stripe customer ID, subscription/plan status and history, payment-method type, the last four digits of your card, and the billing contact (name, email, country) that is synced to Stripe.
(i) Session and device data
For logged-in sessions we store a session record containing your account ID, IP address, user-agent, the session payload, and a last-activity timestamp. Sessions expire after a period of inactivity (currently a 120-minute default) and are then deleted.
(j) Administrative audit logs
We keep an append-only, immutable audit log of privileged staff actions (such as plan grants/revocations and account status changes). Each entry records the acting staff member's identity and email, the action, the affected subject, a snapshot of relevant properties, and the request IP and user-agent. The staff email is denormalized so the audit trail survives even if a staff account is later deleted.
(k) Abuse and copyright reports
When someone files an abuse or DMCA report, we store the reported URL/domain, the report type and details, and the reporter's email if provided. We associate these reports with the responsible account to support abuse handling and repeat-infringer enforcement (see Sections 5 and 10).
5. How and why we use personal data
We use personal data to:
- Provide and operate the Service — create and manage your account, authenticate you (including 2FA, passkeys, social login, and extension/email-code sign-in), process and serve your deployments, manage custom domains and TLS, run the dashboard and API, push live deploy-status updates to your dashboard in real time (see Section 8), and provide team collaboration.
- Meter usage and handle billing — measure account-wide visits and bandwidth against plan limits, apply over-limit behavior, and process subscriptions, renewals, plan changes, and invoices via Stripe.
- Secure the Service and prevent abuse, fraud, and infringement — malware-scan uploads, enforce ZIP-extraction limits and rate limits, detect and act on abuse/phishing/copyright reports, suspend or take down infringing or abusive sites and accounts, apply per-IP visit capping to prevent quota poisoning, and maintain audit logs. Because publishing is never anonymous, we may use account data, the signup IP, and access logs to identify the responsible party for abusive or illegal content, to cooperate with lawful requests, and — as required by our copyright safe-harbor obligations — to detect and terminate the accounts of repeat copyright infringers in line with our DMCA / Copyright Policy.
- Communicate with you — send transactional and service messages (password resets, login codes, plan/grant lifecycle notices, team invitations, billing notices, security and policy updates) and respond to your enquiries.
- Improve and understand the Service — using privacy-preserving, cookieless analytics on our own platform (see Section 7).
- Comply with law and enforce our terms — meet legal obligations, respond to lawful requests, and enforce our Terms and Acceptable Use Policy.
- Generate our own marketing/blog content — we use a third-party AI provider (Anthropic / Claude) only to generate first-party Droply blog and SEO content. We do not send your account data, your uploaded files, your hosted-site content, or your visitors' data to Anthropic or any AI model. See Section 8.
6. Legal bases (GDPR / UK GDPR)
Where the EU GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating/operating your account; serving your sites; providing requested features | Performance of a contract (Art. 6(1)(b)) |
| Billing, taxes, and statutory record-keeping | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Security, abuse/fraud prevention, audit logging, identifying responsible parties for abuse, and repeat-infringer termination | Legitimate interests (Art. 6(1)(f)) in keeping the Service safe and lawful, and legal obligation (Art. 6(1)(c)) where copyright safe-harbor rules apply |
| Cookieless analytics and Service improvement | Legitimate interests (Art. 6(1)(f)) |
| Transactional/service communications | Contract / legitimate interests |
| Optional marketing communications (if any) | Consent (Art. 6(1)(a)), withdrawable at any time |
| Responding to legal requests and complying with law | Legal obligation (Art. 6(1)(c)) |
For data we process as a processor on behalf of site owners (e.g., lead/form data and hosted-site request logs), the site owner determines the legal basis as controller, and we process under our agreement with them.
Where we rely on legitimate interests, you may object as described in Section 12.
7. Cookies and tracking
Droply uses only essential cookies on the platform domain:
- a session cookie (HTTP-only, SameSite=Lax) to keep you logged in;
- a CSRF/XSRF token cookie to protect against cross-site request forgery; and
- an optional "remember me" token — set only if you tick "Remember me" at login — to keep you signed in across browser sessions.
We do not use third-party advertising or cross-site tracking cookies, and we do not embed Google Analytics, Meta Pixel, or similar trackers.
For our own analytics we use a self-hosted, cookieless instance of Plausible Analytics, which measures aggregate traffic to the Droply platform/marketing site without setting cookies and without building cross-site profiles. Because this instance is self-hosted by Droply, no third party receives this analytics data. These analytics apply to the Droply platform domain only — sites you host on the hosting domain have no Droply-injected analytics or tracking.
Because we use only essential cookies and cookieless analytics, no cookie-consent banner is required for our own use. You can block or delete cookies in your browser, but the dashboard will not function correctly without the session and CSRF cookies.
8. Sharing and subprocessors
We do not sell your personal data and we do not share it with third parties for their own marketing. We share personal data only with the third-party service providers ("subprocessors") that help us run the Service, and only as needed:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Stripe | Payment processing, subscriptions, invoicing, billing webhooks | Billing contact, card details (held by Stripe; we store only type + last 4), customer/subscription IDs |
| Oracle Cloud Infrastructure (OCI) Object Storage | Durable storage of uploads, deployment artifacts, and editor workspaces | Your uploaded files/content and related object keys |
| Cloudflare | DNS for the wildcard certificate covering our hosting subdomains | DNS records (no account personal data) |
| Email/SMTP provider | Delivery of transactional email (password resets, login codes, notices, invitations) | Recipient email address and message content [TO CONFIRM: which provider — e.g., Postmark, Resend, or Amazon SES] |
| Google / GitHub / Microsoft | Optional social sign-in (only if you choose to use it) | OAuth identifiers and verified-email signal |
| Anthropic (Claude) | Generating first-party Droply blog/SEO content only | No user personal data, files, or hosted content — only Droply's own brand/SEO prompts |
| Search engines (IndexNow; optionally Google Search Console) | SEO indexing of our own first-party blog pages only | Public Droply blog URLs — no user data and no customer-site URLs |
| Malware-scanning engine (ClamAV) | Scanning uploads for malware before they go live | The bytes of your uploaded files, processed transiently for scanning |
Self-hosted infrastructure (not third-party subprocessors). Some components that process your data are operated by Droply itself and do not send your data to any third party:
- Real-time dashboard updates (Laravel Reverb / WebSockets). To show you live deploy status, the control-plane dashboard maintains a WebSocket connection to a self-hosted Laravel Reverb server operated by Droply. Deploy-status events are delivered over a private, authenticated per-user channel (and per-site channels limited to the site's owner and authorized teammates), carrying identifiers such as your account/user ID and site/deployment IDs and status. This runs only on the platform domain, is authorized behind your logged-in session, and never serves hosted-site visitor traffic (all visitor bytes are served by our edge web server, Caddy).
- Edge serving (Caddy). Our own edge web server serves hosted sites, terminates TLS (including on-demand certificates for custom domains via an authorization gate), and produces the access logs described in Section 4(d).
- Cookieless analytics (self-hosted Plausible). As described in Section 7, our Plausible instance is self-hosted by Droply; aggregate, non-cookie analytics data is not shared with a third party.
Integrations you authorize: if you connect a third-party integration (for example, ChatGPT, Zapier, the Chrome extension, or the VS Code extension), that tool acts on your behalf via the Droply API or OAuth and is governed by its own provider's privacy policy. You can review and revoke API tokens or OAuth access at any time.
We may also disclose personal data: (i) to comply with law, legal process, or lawful requests; (ii) to enforce our terms and protect the rights, safety, and security of Droply, our users, and the public; and (iii) in connection with a merger, acquisition, financing, or sale of assets (subject to this Policy).
[TO CONFIRM: Maintain an up-to-date subprocessor list and confirm Data Processing Agreements (DPAs)/SCCs are in place with each third-party subprocessor named above.]
9. International data transfers
Our subprocessors include providers located in, or operating from, the United States and other countries (for example, Stripe and Anthropic are US-based; OCI Object Storage is hosted in the region we configure). This may involve transferring personal data outside your country, including outside the EEA/UK.
Where we transfer personal data internationally, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, and/or the EU–US Data Privacy Framework where a provider is certified.
[ASSUMPTION: Primary hosting/data region to be confirmed (e.g., OCI region such as eu-frankfurt-1 for EU customers, or us-ashburn-1). Confirm the storage region for OCI Object Storage and the control-plane database, and the transfer mechanism (SCCs/DPF) relied on for each subprocessor.]
10. Data retention
We keep personal data only as long as needed for the purposes in this Policy, then delete or anonymize it.
- Account data: retained while your account is active and for a reasonable period afterward to handle disputes, billing, and legal obligations. [ASSUMPTION: account and associated records deleted/anonymized within 90 days after account closure, subject to legal holds.]
- User content / deployments: your live deployment is retained while your site exists. Older, superseded versions are garbage-collected — we keep only the most recent few non-live deployments per site (currently the 3 most recent), and older artifacts are deleted from the edge and from object storage. Deleting a site reclaims its files from the edge and object storage; soft-deleted sites are kept briefly to allow restoration before permanent removal. [ASSUMPTION: soft-delete restoration window — e.g., 30 days — to be confirmed.]
- Lead / form-capture data: retained while the owning site exists and deleted when the site is deleted; site owners may also delete/export this data. [TO CONFIRM: any default maximum lead retention period.]
- Hosted-site raw access logs: raw edge access logs (which contain visitor IPs and user-agents) are rotated by our log-management configuration; aggregated analytics (which contain no raw IPs) are retained longer. [ASSUMPTION: raw access logs retained for 30 days, then deleted/rotated.] Aggregated visit/bandwidth and per-site statistics are currently retained for the life of the account (the running system does not yet enforce a fixed expiry). [TO CONFIRM: whether to implement and commit to a shorter cap, e.g., 24 months, before relying on a numeric window here.]
- Sessions: deleted after expiry (120-minute inactivity default). Email login codes expire within 15 minutes; password-reset tokens within 60 minutes.
- Billing records: retained as required for tax and accounting law. [ASSUMPTION: 6–10 years per applicable law.]
- Audit logs: the audit log is append-only and immutable; entries (including a denormalized staff email) are retained for as long as the account exists, plus a legal-defense period thereafter, for accountability and security. [ASSUMPTION: legal-defense retention of up to 7 years after account closure; the current system does not auto-purge audit entries.]
- Abuse and DMCA / copyright records: abuse and copyright-report data, together with the responsible account's identity, signup IP, and relevant access logs, are retained to support legal defense and to detect and terminate repeat copyright infringers under our DMCA / Copyright Policy. [ASSUMPTION: abuse/DMCA records retained for up to 7 years, tied to the repeat-infringer enforcement and legal-defense purpose; to be confirmed.]
11. Controller / processor relationship and DPA for business customers
For personal data you submit or collect through the Service that relates to your visitors or contacts (for example, lead/form submissions and hosted-site request logs), you are the controller and Droply is the processor. We process that data only on your documented instructions, as set out in our terms and any Data Processing Addendum.
If you are a business customer subject to the GDPR/UK GDPR (or similar laws) and require a Data Processing Addendum (DPA) — including the Standard Contractual Clauses — contact us at [email protected] and we will make one available.
[TO CONFIRM: Publish a standard DPA and subprocessor list, and confirm onward DPAs/SCCs with each third-party subprocessor in Section 8.]
12. Your rights
Depending on where you live, you have some or all of the following rights. We honor these rights regardless of where you are located, to the extent the law requires.
GDPR / UK GDPR (EEA, UK, and similar)
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion, subject to legal-retention exceptions.
- Portability — receive certain data in a portable, machine-readable format.
- Restriction and Objection — restrict or object to certain processing, including processing based on legitimate interests.
- Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing).
- Lodge a complaint with your local supervisory authority.
California (CCPA/CPRA) and similar US state laws
- Right to know what personal information we collect and how we use and share it.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information and of targeted advertising. We do not sell or share your personal information for cross-context behavioral advertising, and we do not use third-party advertising trackers.
- Right to non-discrimination for exercising your rights.
How to exercise your rights
We do not currently offer a self-service account-deletion or data-export tool in the product. Until we do, we fulfil all access, correction, export, and deletion (DSAR) requests manually. Send your request to [email protected]. We will verify your identity before acting and will respond within the timeframe required by law — generally within one month under GDPR/UK GDPR, or within 45 days under CCPA/CPRA (each extendable where the law permits and we will tell you if an extension is needed). You may use an authorized agent where the law allows.
When you ask us to delete your data, our manual deletion procedure covers your account, sites, deployments, custom domains, leads/form submissions you collected, and active sessions. As stated in Sections 4(j) and 10, certain records are retained even after deletion where we are legally entitled or required to keep them — in particular the append-only audit log (including the denormalized staff email) and abuse/DMCA records, which we keep for accountability, legal-defense, and repeat-infringer-enforcement purposes.
If your request concerns data we process as a processor on behalf of a site owner (for example, lead/form data on a hosted site), please contact that site owner directly; we will assist them as their processor and will forward your request where appropriate.
[TO CONFIRM: Build and roll out self-service account-deletion and data-export (DSAR) flows; until then the manual procedure above applies.]
13. Children
The Service is not directed to children and is intended only for users who can form a binding contract. We do not knowingly collect personal data from children below the applicable age threshold. [ASSUMPTION: minimum age 16 (or 13 in the United States); confirm the threshold for your target markets.] If you believe a child has provided us personal data, contact [email protected] and we will delete it.
14. How we protect your data
We use technical and organizational measures appropriate to the risk, including:
- Encryption in transit (HTTPS/TLS) for the dashboard, API, real-time WebSocket connections, and hosted sites, including automatically provisioned certificates for custom domains via an authorization gate.
- Hashed and protected credentials — account passwords are hashed with bcrypt; two-factor (TOTP) secrets and recovery codes are stored hashed/encrypted via Laravel Fortify; API tokens are stored only as hashes (the plaintext is shown once at creation); and short-lived email login codes and password-reset tokens are stored hashed, never in plaintext.
- Malware scanning of uploads before they go live, with a fail-closed policy (infected or unscannable uploads do not go live), plus strict ZIP-extraction limits (file counts, size, and compression-ratio guards) to defend against malicious archives.
- Access controls — staff administrative access is restricted, privilege is granted only through controlled processes, and admin areas are protected; real-time dashboard channels are private and authorized against your logged-in session.
- Immutable audit logging of privileged staff actions.
- Rate limiting and abuse defenses on authentication and deploy endpoints, and per-IP visit capping to resist quota-poisoning attacks.
No system is perfectly secure. If we become aware of a personal-data breach that legally requires notification, we will, without undue delay and within the timeframes required by applicable law (for example, within 72 hours of becoming aware where GDPR Art. 33 applies), notify the relevant supervisory authority and, where the law requires, the affected individuals, describing the nature of the incident and the steps we are taking.
[TO CONFIRM: At-rest encryption is NOT asserted above because it is not yet verified as enabled in production — confirm and, where appropriate, enable at-rest encryption for the OCI Object Storage bucket, the control-plane (PostgreSQL) database, and session payloads (note that SESSION_ENCRYPT defaults to off). Document the incident-response/breach-notification runbook. Update this section to state any at-rest encryption only once it is confirmed enabled.]
15. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate or legally required, notify you (for example, by email or an in-product notice). Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.
16. Contact
For any question about this Policy or your personal data, or to exercise your rights, contact us at:
You may also report abusive or infringing content at droply.host/abuse, or via our DMCA / Copyright Policy.
Assumptions & items to confirm
The following items require a business or legal decision and are marked inline above:
- [ASSUMPTION] Legal entity name and registered address (Section 1).
- [TO CONFIRM] Whether a DPO and/or EU/UK Art. 27 representative is appointed (Section 1).
- [TO CONFIRM] Marketing/newsletter program and its consent basis (Sections 4(g), 6).
- [TO CONFIRM] Email/SMTP provider identity (Section 8).
- [TO CONFIRM] Up-to-date subprocessor list and DPAs/SCCs with each third-party subprocessor (Sections 8, 11).
- [ASSUMPTION/TO CONFIRM] Hosting region(s) for OCI Object Storage and the control-plane database, and the international-transfer mechanism relied on per subprocessor (Section 9).
- [ASSUMPTION] Retention windows for accounts, raw access logs, leads, billing records, and audit/abuse records, and whether to implement a fixed cap for aggregated analytics rather than life-of-account (Section 10).
- [TO CONFIRM] Publication of a standard DPA and subprocessor list (Section 11).
- [TO CONFIRM] Roll-out of self-service account-deletion and data-export (DSAR) flows; manual fulfilment applies until then (Section 12).
- [ASSUMPTION] Minimum age threshold for the Service (Section 13).
- [TO CONFIRM] At-rest encryption settings (OCI bucket, control-plane database, session payloads — SESSION_ENCRYPT defaults off) and the breach-response runbook (Section 14).
Note: This document is a template and does not constitute legal advice. Have a qualified lawyer review and adapt it for your jurisdiction(s), business model, and actual data-processing practices before publishing or relying on it.