Privacy Policy

Last Updated: January 2, 2026

At DropForge, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Information You Provide

• Account Information: Email address, password (encrypted), and subscription plan
• Service Configuration: API keys and credentials for Stripe, AWS S3, and Resend (encrypted)
• Product Information: Product names, prices, file keys, and customer email addresses
• Payment Information: Processed through Stripe (we do not store credit card details)
• Contact Information: When you contact us through our contact form

1.2 Automatically Collected Information

• Usage Data: Download counts, email delivery statistics, API usage
• Log Data: IP addresses, browser type, access times, pages viewed
• Device Information: Device type, operating system, unique device identifiers
• Cookies: Session cookies for authentication and functionality

2. How We Use Your Information

We use the collected information for:

• Service Delivery: To provide, maintain, and improve DropForge
• Transaction Processing: To process payments and deliver digital products
• Communication: To send service updates, security alerts, and support messages
• Analytics: To understand usage patterns and improve our service
• Security: To detect, prevent, and address fraud and security issues
• Compliance: To comply with legal obligations and enforce our Terms of Service

3. Third-Party Services

DropForge integrates with third-party services. Each has its own privacy policy:

3.1 Stripe

• Processes all payment transactions
• Handles customer payment information
• Privacy Policy: stripe.com/privacy

3.2 Amazon Web Services (S3)

• Stores your digital product files
• You control your own S3 bucket and data
• Privacy Policy: aws.amazon.com/privacy

3.3 Resend

• Delivers emails to your customers
• Processes email addresses and content
• Privacy Policy: resend.com/legal/privacy-policy

4. Data Storage and Security

4.1 Security Measures

We implement bank-level security measures to protect your data:

• Encryption in Transit: All data transmitted over HTTPS/TLS 1.3 encryption
• Password Security: Passwords are hashed using bcrypt with salt
• API Key Protection: Your Stripe, S3, and Resend API keys are encrypted using AWS Key Management Service (KMS) with FIPS 140-2 Level 2 validated hardware security modules (HSMs)
• Separation of Concerns: Encryption keys are stored separately from our database in AWS KMS infrastructure
• Automatic Key Rotation: Encryption keys are automatically rotated annually
• Audit Trails: All API key access is logged and monitored via AWS CloudTrail
• Access Controls: Multi-factor authentication and role-based access controls
• Regular Security Audits: Continuous monitoring and security updates
• Compliance: Our encryption meets PCI-DSS, SOC 2, and HIPAA standards

What this means: Even if our database is compromised, your API keys remain secure because they're encrypted with AWS KMS hardware security modules that are physically separate from our infrastructure.

4.2 Data Location

• Our servers are hosted on AWS and railway.com (cloud infrastructure)
• Database backups are encrypted and stored securely
• Your S3 files remain in your own AWS account

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data in these circumstances:

5.1 Service Providers

• With Stripe, AWS, and Resend to provide our service
• With hosting providers (Railway) for infrastructure
• Only the minimum necessary data is shared

5.2 Legal Requirements

• To comply with legal obligations or court orders
• To protect our rights, property, or safety
• To prevent fraud or security threats

5.3 Business Transfers

• In the event of a merger, acquisition, or sale of assets
• You will be notified of any change in data ownership

6. Your Data Rights

You have the following rights regarding your data:

6.1 Access and Portability

• Request a copy of your personal data
• Export your product and transaction data
• Access your data through the dashboard

6.2 Correction and Update

• Update your account information at any time
• Correct inaccurate data through the dashboard

6.3 Deletion

• Request deletion of your account and data
• Some data may be retained for legal compliance
• Backups are deleted according to our retention schedule

6.4 Objection and Restriction

• Object to certain data processing activities
• Request restriction of data processing

7. Data Retention

• Active Accounts: Data retained while your account is active
• Closed Accounts: Most data deleted within 30 days of account closure
• Transaction Records: Retained for 7 years for tax and legal compliance
• Backups: Automatically deleted after 90 days

8. Cookies and Tracking

8.1 Essential Cookies

• Authentication and session management
• Security and fraud prevention
• Required for the service to function

8.2 Analytics

• We use minimal analytics to improve our service
• No third-party advertising or tracking cookies

9. Children's Privacy

DropForge is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

11. GDPR Compliance (EU Users)

If you are in the European Union, you have additional rights under GDPR:

• Right to data portability
• Right to object to automated decision-making
• Right to lodge a complaint with a supervisory authority
• Legal basis for processing: Contract performance and legitimate interests

12. California Privacy Rights (CCPA)

California residents have additional rights:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we don't sell data)
• Right to deletion of personal information
• Right to non-discrimination for exercising privacy rights

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification for material changes

14. About DropForge

DropForge is a product of Oxi Studios, a software development company specializing in secure digital product delivery solutions.

15. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us:

• Contact Form: dropforge.dev/contact
• Oxi Studios: oxistudios.com