Privacy & GDPR

Privacy Policy

This policy explains what data Droplink processes, why we process it, and what rights you have under GDPR.

Last Updated: February 19, 2026

1. Controller Information

Controller (Art. 4(7) GDPR)

Company Name: Droplink
Address: Alleenstraße 29, 74321 Bietigheim-Bissingen, Germany
Email: support@drop-link.io

Data Protection Officer

If required under applicable law, a Data Protection Officer (DPO) will be appointed and listed here.

2. Categories of Personal Data We Process

2.1 Account and Registration Data

When you create an account, we process:

  • Full name
  • Email address
  • Password (encrypted)
  • Subscription plan
  • Account status
  • Billing information

Legal Basis: Art. 6(1)(b) GDPR (performance of a contract)

2.2 Shopify Store Integration Data

When you connect your Shopify store via OAuth, we process:

  • Store name and URL
  • Product data
  • Order data
  • Customer shipping information
  • Order status and fulfillment data

This data is processed solely for providing the Droplink service, including order synchronization and forwarding orders to third-party fulfillment providers.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

2.3 Order and Fulfillment Data

For fulfillment purposes, we process:

  • Customer name
  • Shipping address
  • Order details
  • Product SKU
  • Tracking numbers

This information is transmitted to third-party fulfillment providers (e.g., CJ Dropshipping) strictly for order processing.

Legal Basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (legitimate interest in operating an automated fulfillment infrastructure)

2.4 Payment and Billing Data

Payments are processed via third-party payment providers such as Stripe or PayPal.

We do not store full credit card numbers. We may store:

  • Payment method type
  • Last four digits (where provided by processor)
  • Transaction ID
  • Billing status
  • Threshold balance
  • Credit usage data

Automatic threshold charging may occur when accumulated order costs reach a predefined amount.

Legal Basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(c) GDPR (legal obligations for accounting)

2.5 Referral Program Data

If you participate in our referral program, we process:

  • Referral link identifier
  • Invited user email
  • Referral status
  • Referral credit balance
  • Fraud prevention indicators (e.g., IP comparison, payment method matching)

Legal Basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (fraud prevention and abuse protection)

2.6 Usage and Technical Data

When you access our Service, we may process:

  • IP address
  • Browser type and version
  • Device type
  • Operating system
  • Log files
  • Feature usage (search queries, filter usage, credit consumption)

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in platform stability, fraud prevention, and optimization)

3. Purposes of Processing

We process personal data for the following purposes:

  • Providing and maintaining the Droplink platform
  • Enabling Shopify integration and order synchronization
  • Processing subscription billing
  • Managing credit systems and thresholds
  • Forwarding orders to fulfillment partners
  • Fraud detection and prevention
  • Technical troubleshooting
  • Compliance with legal obligations

4. Data Sharing and Third-Party Processors

We may share personal data with:

  • Shopify (store integration)
  • CJ Dropshipping (order fulfillment)
  • Payment providers (e.g., Stripe, PayPal)
  • Cloud hosting providers
  • Analytics services
  • Technical infrastructure providers

We only share data that is strictly necessary for the provision of the Service. All processors are contractually bound by Data Processing Agreements where required by law.

5. International Data Transfers

Personal data may be transferred to countries outside the European Economic Area (EEA), including:

  • United States (hosting or payment providers)
  • China (fulfillment partners)

Where required, such transfers are safeguarded through Standard Contractual Clauses (SCCs) or other legally recognized mechanisms.

6. Data Retention

We retain personal data:

  • For the duration of the contractual relationship
  • As required under commercial and tax law retention periods
  • Until deletion is requested (where legally permissible)

Billing data may be retained for up to 10 years in accordance with applicable tax regulations.

7. Security Measures

We implement appropriate technical and organizational measures, including:

  • Encrypted communication (HTTPS/TLS)
  • Access control mechanisms
  • Role-based permissions
  • Secure API authentication
  • Payment tokenization via third-party processors
  • Server-level monitoring and logging

Despite these measures, no system can guarantee absolute security.

8. Your Rights Under GDPR

You have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (“right to be forgotten”) (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact: support@drop-link.io

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Authentication
  • Session management
  • Security
  • Performance analysis

Where required by law, we obtain user consent via a cookie consent mechanism.

10. Automated Decision-Making

Droplink does not conduct automated decision-making within the meaning of Art. 22 GDPR that produces legal or similarly significant effects on users.

11. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy at any time. Changes will be published on this page with an updated effective date.