TiniDrop — Privacy Policy

1. INTRODUCTION

This privacy notice for TiniDrop ("TiniDrop", "we", "us", or "our") describes how and why we collect, store, use, and share ("process") your information when you use our services ("Services"), such as when you: visit our website at tinidrop.com or any website of ours that links to this privacy notice; create an account or upload files; or engage with us in other related ways, including any sales, marketing, or support interactions. Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services.

2. WHAT INFORMATION DO WE COLLECT?

We collect information you provide directly to us, information we collect automatically when you use the Services, and information derived from your use of the Services. Information you provide to us includes: (a) Account data — your email address and a cryptographically hashed password when you create an account; (b) Profile data — a display name or username if you choose to set one; (c) File content — files you upload are stored to enable the Service; we do not read, analyse, or process the contents of your files for any purpose other than storage and delivery; (d) Communications — email correspondence you send to our support team; (e) Billing information — plan type and subscription status; card numbers and payment details are collected and stored exclusively by our third-party payment processor; we receive only non-sensitive billing summaries such as the last four digits of a card, expiry month, and country. Information we collect automatically includes: (f) File access analytics — when a shared file link is visited, we record a timestamp, the approximate geographic region of the visitor (at country level only), and a one-way cryptographic hash of the visitor's IP address; the raw IP address is never stored in plain text and cannot be reconstructed; (g) Log data — standard web server logs including request timestamps, HTTP method, and response codes, retained for up to thirty (30) days for security and debugging; (h) Session cookies — an authentication cookie set when you log in; it contains a session token rather than personal data and is strictly necessary to operate the Service.

3. HOW DO WE PROCESS YOUR INFORMATION?

We process your information to provide, improve, and administer our Services; to communicate with you; for security and fraud prevention; and to comply with applicable law. More specifically, we use the information we collect to: (a) create, maintain, and deliver your account and the Services; (b) serve the files you have uploaded when someone accesses your shared link; (c) provide you with usage analytics for your own files; (d) process subscription payments and send receipts and billing notifications; (e) send transactional emails such as password-reset links or file-expiry warnings — we do not send unsolicited marketing emails without your explicit prior consent; (f) detect, investigate, and prevent abuse, fraud, and security incidents; (g) comply with legal obligations and respond to lawful requests from authorities; and (h) improve the Services through anonymised, aggregated usage statistics. We process your information only when we have a valid legal reason to do so.

4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR require us to explain the legal bases for our processing activities. We rely on the following legal bases: (a) Contract performance — processing is necessary to deliver the Services you have signed up for, including storing and serving your files and managing your subscription; (b) Legitimate interests — security monitoring, abuse prevention, fraud detection, and improving the Services, balanced against your privacy rights; (c) Legal obligation — complying with applicable laws, court orders, and law-enforcement requests; and (d) Consent — where we rely on your consent, such as for optional marketing communications, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal. If you are located in Canada, we may process your information if you have expressly given us permission or if processing can be reasonably inferred from the context. We will not process your information without a valid reason.

5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We do not sell, rent, or broker your personal data to any third party. We may share information in the following specific situations and with the following specific categories of third parties: (a) Service providers — we engage carefully vetted third-party providers to help us operate the Services, including cloud infrastructure providers, authentication services, and payment processors; these providers are contractually bound to use your data only on our behalf and in strict accordance with this Policy and applicable data-protection law; (b) Legal requirements — we may disclose your information when required by law, valid legal process, subpoena, or governmental authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of TiniDrop, our users, or the public; (c) Business transfers — in the event of a merger, acquisition, financing, or sale of all or a material portion of our assets, your data may be transferred as part of the transaction; we will notify you via a prominent notice on our website and/or by email prior to or promptly following such a transfer; (d) With your consent — we will share your data with any third party when you have expressly authorised us to do so. We do not share your data with advertisers, data brokers, or analytics companies for their own commercial or marketing purposes.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We use cookies and similar tracking technologies to access or store information. Specifically, we set a single authentication cookie (prefixed "sb-") that is strictly necessary to maintain your login session. This cookie contains a session token, not personal data. We do not use advertising cookies, third-party tracking pixels, behavioural analytics cookies, or any cookie-based retargeting technologies. We do not use Google Analytics or similar third-party analytics services. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent; however, if you do not accept the authentication cookie you will not be able to remain logged in to the Service.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

We retain different categories of data for different periods: (a) free plan files are automatically deleted seven (7) days after upload; (b) paid plan files are retained while your subscription is active; upon cancellation or expiry, files are retained for a thirty (30) day grace period after which they are permanently deleted; (c) account data is retained until you close your account; following account deletion, your data is purged within thirty (30) days, except where we are required by law to retain it longer (for example, billing records for tax-compliance purposes, which we retain for up to seven years); (d) file access analytics, including anonymised visit counts, are retained for up to twenty-four (24) months; hashed IP address logs are purged after ninety (90) days; (e) support correspondence is retained for up to three (3) years for quality assurance and legal-compliance purposes. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. These measures include: (a) encryption of all data in transit via HTTPS/TLS; (b) encryption of all stored files and database records at rest; (c) row-level access control on database records, ensuring each user can only access their own data; (d) one-way cryptographic hashing of visitor IP addresses — we are technically unable to reverse them; (e) regular security reviews, dependency updates, and responsible disclosure processes. However, no electronic transmission over the internet or information-storage technology can be guaranteed to be 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and applicable regulators within 72 hours as required by applicable law.

9. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit, collect, or process personal data from or about children under the age of 16. The Services are not directed to children under 16. If you are a parent or guardian and you believe your child has provided us with personal information, please contact us immediately at hello@tinidrop.com and we will take steps to delete that information.

10. WHAT ARE YOUR PRIVACY RIGHTS?

Depending on where you are located geographically, applicable privacy law may grant you certain rights regarding your personal information. These rights may include: (a) the right to access and obtain a copy of the personal data we hold about you; (b) the right to request correction of inaccurate or incomplete personal data; (c) the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal retention obligations; (d) the right to data portability — to receive your data in a structured, commonly used, machine-readable format; (e) the right to restrict our processing of your data in certain circumstances; (f) the right to object to processing based on our legitimate interests; and (g) the right to withdraw consent at any time where our processing is consent-based, without affecting the lawfulness of processing carried out prior to withdrawal. To exercise any of these rights, please email hello@tinidrop.com with the subject line "Privacy Request". We will respond within thirty (30) days of receiving a verified request. If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority. For EEA residents, this is typically the supervisory authority in the EU member state of your habitual residence.

11. INTERNATIONAL DATA TRANSFERS

TiniDrop operates globally. Your data may be stored and processed in countries other than your own, including countries that may have data-protection standards different from those in your home country. Where international transfers of personal data take place, we use appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure adequate protection. By using the Services you acknowledge and consent to the potential transfer of your information to countries outside your jurisdiction.

12. THIRD-PARTY SERVICES WE USE

We use a limited number of third-party services to operate TiniDrop. Each has its own privacy policy and data-processing practices. These services fall into the following categories: (a) payment processing — our payment processor handles all card transactions on our behalf; we never store full card numbers or CVVs; (b) cloud infrastructure and CDN — our cloud infrastructure providers store and serve files and database records under contractual data-processing agreements; (c) authentication — our authentication provider manages session tokens and OAuth flows; and (d) bot protection — we use an automated challenge service to distinguish human users from automated bots; this service processes minimal request metadata and does not build personal profiles. We do not disclose the specific names of all infrastructure providers in this policy, as these may change without material impact on how your data is handled. All providers are selected for their strong privacy and security posture, and we maintain data-processing agreements with each of them as required by applicable law.

13. CHANGES TO THIS PRIVACY NOTICE

We may update this privacy notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and notify registered users by email at least fourteen (14) days before the change takes effect. Your continued use of the Services after notification constitutes your acceptance of the updated Policy. We encourage you to review this notice periodically to stay informed about how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, or if you wish to exercise any of your privacy rights, you may contact us by email at hello@tinidrop.com (subject line: "Privacy Request"). We aim to respond to all requests within thirty (30) days.