Drop'n'See Business Platform Privacy Policy

Effective Date: January 25, 2026

This Privacy Policy explains how Drop'n'See, Inc. ("Drop'n'See", "we", "us", or "our") collects, uses, discloses, and safeguards personal information in connection with the Drop'n'See Business Platform (the "Platform"). It applies to Organization owners, administrators, and users (collectively, "Business Users") who access the Platform, as well as to end customers whose interactions are processed through the Platform on behalf of their respective Organizations. This Privacy Policy does not apply to consumer-facing Drop'n'See products unless expressly stated otherwise.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not access or use the Platform.

1. Who We Are

Drop'n'See, Inc. operates the Platform to help Organizations manage locations, create and measure marketing campaigns, and process customer engagement data. We act as a Data Controller for personal information for which we determine the purposes and means of processing. When we process end-customer data strictly on behalf of an Organization under its instructions, we act as a Data Processor (or sub-processor) and the Organization remains the primary Data Controller. Our rights and obligations as a processor are described in the Drop'n'See Data Processing Agreement ("DPA").

2. Personal Information We Collect

2.1 Information You Provide Directly

  • Organization and account details: Organization name, business address, industry, tax IDs (if provided), subscription tier, and plan selections.
  • Business User credentials: Name, email address, preferred username, role designations (owner, member), profile photo (optional), authentication status, and password reset confirmations.
  • Support and communications: Messages you send to us via email, in-product feedback, or support tickets, including attachments or diagnostic logs you choose to share.
  • Billing information: Payment instrument details are processed by Stripe on our behalf. We receive limited billing metadata such as Stripe customer ID, subscription plan, payment status, and invoice history.

2.2 Third-Party Integration Data

If you connect third-party services (such as social media Pages), we may process:

  • Account identifiers: Page IDs, Page names, account IDs (such as Meta user ID), and linked account identifiers (e.g., Instagram business account ID).
  • Access credentials: OAuth access tokens and granted permissions (stored encrypted at rest).
  • Page metadata: Profile image URLs, categories, and integration status.
  • Publishing content: Post text and related metadata you ask us to publish on your behalf.

2.3 Information Collected Automatically

  • Usage and log data: IP address, device type, browser information, operating system, time zone, language settings, pages viewed, and actions taken within the Platform. We gather this data using server logs, ALB logs, and AWS CloudFront logs for diagnostics, security, and performance monitoring.
  • Cookies and similar technologies: Authentication cookies, session identifiers, and other device signals that keep you signed in, maintain settings, or help detect misuse.
  • Audit logs: We maintain records of significant actions taken within your Organization, including who performed the action, what changed, and when. These logs help us provide security, troubleshoot issues, and maintain compliance.

2.4 Information Processed on Behalf of Organizations

When Organizations use the Platform features, we may process:

  • Campaign and promotion data: Titles, descriptions, imagery (including assets fetched from Unsplash), scheduling parameters, associated business locations, and, for events, full venue addresses including street, city, state, postal code, and country.
  • End-customer interaction data: Coupon claims, redemptions, scan history, timestamps, redemption status, location identifiers (e.g., place ID, time zone), and metadata that Organizations configure.
  • Operational context: Internal identifiers (business IDs, campaign element IDs, user IDs) and audit logs needed to enforce permissions, quota checks, and subscription limits.

Organizations are responsible for ensuring that their end customers have been provided with any required privacy notices and consents before submitting data to the Platform.

2.5 AI-Generated Content Data

When you use AI-powered features (such as campaign content generation), we store:

  • The prompts and context sent to our AI provider (OpenAI)
  • The AI-generated suggestions and responses
  • Your approval or rejection of suggestions
  • Generation settings and preferences

This data helps us improve AI quality and allows you to review past generations. You may request deletion of your AI generation history by contacting privacy@dropnsee.com.

3. How We Use Personal Information

We use personal information for the following purposes:

  • Account provisioning and authentication: To create and secure Business User accounts and verify Organization ownership.
  • Service delivery: To enable campaign management, QR code generation, analytics dashboards, scan history, and other core Platform capabilities.
  • Integration services: To connect third-party services you authorize and to publish or sync content as requested.
  • Subscription management and billing: To provision plan entitlements, enforce quotas, process payments, and send transactional notices.
  • Security and fraud prevention: To monitor suspicious activity, protect accounts, respond to incidents, and ensure compliance with applicable use policies.
  • Analytics and product improvement: To understand how the Platform is used, improve performance, and develop new features.
  • Support and communications: To respond to inquiries, provide training or onboarding materials, and send status updates or policy notices.
  • Compliance with law: To comply with legal obligations and enforce agreements.

4. Legal Bases for Processing (EEA/UK/Switzerland)

If you are located in the EEA, UK, or Switzerland, our legal bases include:

  • Performance of a contract: Providing, maintaining, and supporting the Platform.
  • Legitimate interests: Securing the Platform, preventing fraud, improving our services, and communicating with you about updates.
  • Consent: Where you have affirmatively granted consent (e.g., optional cookies, marketing communications).
  • Legal obligations: Meeting record-keeping, tax, or regulatory requirements.

Organizations are responsible for establishing a lawful basis when they transfer end-customer data to us for processing.

5. How We Share Personal Information

We do not sell personal information. We may share personal information:

  • With service providers and subprocessors: We rely on vetted third parties to host, store, and process data needed to provide the Platform. A current list of subprocessors is available upon request.
  • With third-party platforms you connect: If you connect social or other integrations, we share data required to provide that integration (for example, publishing content to a social media Page).
  • With professional advisors: Accountants, auditors, legal counsel, and insurers who assist us and are bound by confidentiality obligations.
  • For business transfers: In connection with any merger, financing, acquisition, or dissolution, personal information may be transferred as part of business assets.
  • For legal compliance: When required by law or to protect the rights, property, or safety of Drop'n'See, our users, or others.

5.1 Subprocessors (current as of the Effective Date)

  • Amazon Web Services (AWS): Hosting, storage, databases, CDN, authentication, logging, messaging, and location services (including S3, RDS, CloudFront, Cognito, CloudWatch Logs, Location Service, and SQS).
  • Stripe: Payment processing and billing lifecycle management.
  • OpenAI: AI-powered content generation features (when enabled).
  • Expo: Push notification delivery to end customers (when enabled).
  • Unsplash: Optional stock image integration used in campaign creation.
  • HERE Technologies: Location categorization and mapping data.
  • Meta Platforms (Facebook/Instagram): Social media integration and content publishing (when connected).

When acting as a processor, we only share end-customer data with subprocessors as instructed by the Organization or permitted under the DPA.

6. International Transfers

We store and process personal information primarily in the United States. If you access the Platform from outside the U.S., your information may be transferred to, stored in, and processed in the U.S. or other countries where we or our service providers operate. We use appropriate safeguards (such as Standard Contractual Clauses) when transferring personal information from the EEA, UK, or Switzerland.

7. Data Retention

We retain personal information as long as needed to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods include:

Data category | Typical retention | Notes
Organization & Business User account data | Active subscription + a reasonable period after closure | Includes organization profile, roles, subscription history, and account metadata.
Campaign, redemption, and analytics data | While the account is active | Deleted upon request or account closure, subject to legal obligations and backup retention.
Media assets (profile images, drop images, campaign imagery) | Until deleted by the Organization | Stored in secure object storage; no automatic expiration unless configured by the Organization.
Support communications | As needed for support and auditing | Retained according to our internal retention schedule.
Integration credentials | Until disconnected or deletion is requested | Stored encrypted at rest; backup retention may apply for a limited period.
Security and access logs (ALB, CloudFront, WAF, CloudWatch, VPC flow logs) | Typically 30 days | Retention is configured in infrastructure log buckets and log groups; longer retention may apply if required by law or service defaults.
Database backups | 7 days (rolling) | Automated backups for recovery and continuity.
Webhook processing queues | 4–14 days | Event payloads are retained for processing and troubleshooting.

Some information may be retained in backups for a limited period or as required by law.

8. Your Privacy Rights

8.1 Rights for EEA, UK, and Swiss Individuals

  • Access your personal information and obtain a copy.
  • Correct inaccurate or incomplete personal information.
  • Delete personal information in certain circumstances.
  • Restrict or object to processing.
  • Port personal information to another controller.
  • Withdraw consent where processing is based on consent.

To exercise these rights, contact us at privacy@dropnsee.com. When we act as a processor, we will forward requests to the relevant Organization.

8.2 California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA. This section provides a Notice at Collection and explains how to exercise your rights.

8.2.1 Notice at Collection

The categories of personal information we collect are described in Section 2 and typically include:

  • Identifiers: Name, email address, organization details, account IDs, and social media Page or account identifiers.
  • Commercial information: Subscription plan details, billing metadata, and invoice history.
  • Internet or network activity: Device data, usage logs, and interactions with the Platform.
  • Geolocation data: Approximate location such as time zone or business location identifiers (not precise GPS).
  • Professional information: Your role and business affiliation.
  • Sensitive personal information: Account login credentials and OAuth access tokens for connected integrations (stored encrypted at rest).

We use personal information for the business purposes described in Section 3 and retain it as described in Section 7. We do not sell personal information or share it for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than providing the Platform, securing accounts, and meeting legal obligations.

8.2.2 Your Rights

  • Right to know/access the personal information we collect and disclose.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information (we do not sell or share).
  • Right to limit the use of sensitive personal information (not used beyond permitted purposes).
  • Right to non-discrimination for exercising privacy rights.

To exercise these rights, email privacy@dropnsee.com or have an authorized agent submit a request on your behalf. We will verify your identity before fulfilling requests. If we act as a processor for end-customer data, we will route requests to the relevant Organization.

8.3 Other Jurisdictions

You may have similar rights depending on applicable law. Contact us at privacy@dropnsee.com, and we will guide you through the available options.

9. Cookies and Similar Technologies

We use necessary cookies and similar technologies to:

  • Authenticate users and maintain session integrity.
  • Enforce security and detect account misuse.
  • Remember preferences such as selected organizations and filters.

Optional analytics cookies may be used from time to time to improve the Platform; where required, we will seek your consent. You can manage cookie settings through your browser. Disabling certain cookies may affect functionality.

10. Third-Party Links and Integrations

The Platform may link to third-party resources, documentation, or embedded services. We are not responsible for the privacy practices of third parties. Review their policies before providing personal information. When you authorize integrations or use third-party assets (e.g., Unsplash imagery), your use is subject to their respective terms and privacy practices.

11. Security

We implement technical and organizational measures designed to protect personal information, including encryption in transit, access controls, monitoring, and regular security reviews. No method of transmission or storage is completely secure; immediately notify us at security@dropnsee.com if you believe your account has been compromised.

12. Children's Privacy

The Platform is intended for business use by individuals aged 18 or older. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without appropriate consent, we will delete it promptly.

13. Data Deletion Requests

You can disconnect social integrations directly in the Platform. For full revocation, remove the app in the third-party platform's settings. To request deletion of Platform data, email privacy@dropnsee.com with your organization name, account email, and the specific data you want deleted. We may require verification before processing the request. Some data may be retained for legal, security, or billing reasons or within backup systems for a limited period.

If you are an end customer of a business using Drop'n'See, please contact that business directly. We act as a processor for end-customer data and will route requests to the relevant Organization when required.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify Business Users of material changes via email or in-product notice at least 30 days before the new policy takes effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Drop'n'See, Inc.
17 Stonebridge Crossing Dr
Maryville, IL 62062, USA

Email: privacy@dropnsee.com
Support: support@dropnsee.com

For security inquiries, email security@dropnsee.com. For legal notices, email legal@dropnsee.com.

If you are an Organization subject to EU/UK privacy law, please review and execute the Drop'n'See Data Processing Agreement to ensure compliance with controller/processor obligations.