Privacy Policy

Last updated: March 31, 2026

DropBot ("we", "us", "our") operates the dropbot.me website and the DropBot chatbot widget service. This Privacy Policy explains how we collect, use, and protect your information.

1. Information We Collect

Account Information: When you sign up, we collect your name, email address, and profile picture through Google OAuth. We do not store your Google password.

Bot Configuration: The Q&A content, widget settings, fallback preferences, and bot avatar you configure within the service.

Conversation Data: Messages exchanged between your website visitors and your DropBot chatbot, including timestamps and token usage metadata.

Lead Capture Data: When a fallback is triggered and your visitor submits their contact information (name, email, phone, message), this data is stored and forwarded to you via email or webhook.

Usage Data: We collect analytics such as conversation counts, fallback rates, and token usage to provide you with dashboard insights and to operate the service.

2. How We Use Your Information

  • To provide, maintain, and improve the DropBot service
  • To process chatbot conversations through our AI provider (OpenRouter)
  • To send fallback notification emails via our email provider (Resend)
  • To display analytics and usage data on your dashboard
  • To process billing through our payment provider (Polar)
  • To communicate with you about your account or service updates

3. Data Sharing

We do not sell your data. We share data only with the following service providers, strictly for operating the service:

  • OpenRouter: Conversation messages are sent to AI models for generating responses. OpenRouter does not retain conversation data beyond processing.
  • Resend: Email addresses and lead data are processed to deliver fallback notification emails.
  • Supabase: Our database and authentication provider, where all data is stored with encryption at rest.
  • Vercel: Our hosting provider for the application and serverless functions.
  • Polar: Our billing provider for subscription management.

4. Data Security

We implement industry-standard security measures:

  • All data is encrypted in transit (TLS) and at rest
  • Database access is protected by row-level security — each user can only access their own data
  • API keys and secrets are stored as environment variables, never exposed to clients
  • User input is sanitized to prevent injection attacks
  • Rate limiting is applied to prevent abuse

5. Data Retention

Account data and bot configuration are retained for as long as your account is active. Conversation data (messages, metadata, lead captures) is retained permanently unless you delete it from your dashboard or request account closure.

When your account is closed, all associated data — including conversations, Q&A content, bot settings, and lead captures — is permanently deleted within 30 days.

6. Your Website Visitors

When visitors interact with your DropBot chatbot on your website:

  • A notice is displayed on the chat widget: "Messages may be recorded to improve service"
  • We do not collect visitor IP addresses
  • We do not use cookies or tracking pixels in the widget
  • Conversation content is only accessible to you (the bot owner) and our system for processing
  • Lead capture data (name, email, phone, message) is only collected when the visitor voluntarily submits it

7. Your Rights

You can:

  • Access all your data through your dashboard
  • Delete individual conversations or lead captures from your dashboard
  • Contact us at support@dropbot.me to request account deletion or any data-related actions

8. Children's Privacy

DropBot is not intended for use by individuals under 16. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on the service.

10. Contact

If you have questions about this Privacy Policy, contact us at support@dropbot.me.