Legal

Privacy Policy

Last updated: May 10, 2026 · Smit Group d.o.o.

We take your privacy seriously. This policy explains what data we collect, why we collect it, and how we protect it. We never sell your personal data to third parties.

1. Who We Are

Droppilot is operated by Smit Group d.o.o., a company registered in Slovenia. When we refer to "we", "us" or "our" in this policy, we mean Smit Group d.o.o.

For any privacy-related questions, contact us at: privacy@getdroppilot.com

2. Data We Collect

We collect different types of data depending on how you use Droppilot:

Data Type	What We Collect	Why
Account data	Name, email address, hashed password	To create and manage your account
Business data	Revenue, orders, ad spend, profit figures from your stores	To power your P&L dashboard
Shopify data	Order details, line items, revenue — via Shopify OAuth	To calculate COGS and profit automatically
Meta Ads data	Ad spend by campaign — via Meta API	To show accurate ROAS and profit
Gmail data	Customer support emails (subject, body, sender) — via Gmail OAuth	To power AI customer support replies
Usage data	Pages visited, time spent, features used	To improve the product
Device data	Browser type, IP address (hashed), device type	For security and analytics
Payment data	Subscription plan, billing status — processed by Stripe	To manage your subscription

We do not store your full credit card details. All payment processing is handled by Stripe, which is PCI-DSS compliant.

3. How We Use Your Data

We use your data exclusively to provide and improve the Droppilot service:

Displaying your real-time profit and loss dashboard
Generating AI-powered customer support replies
Sending daily business reports and push notifications
Processing subscription payments via Stripe
Improving product features based on usage patterns
Ensuring the security and integrity of our platform
Complying with legal obligations

We never use your data to train AI models for third parties, sell it to advertisers, or share it with any party not listed in this policy.

4. AI Processing

Droppilot uses AI services (Claude by Anthropic) to generate customer support email replies and business insights. When you use AI features:

Email content is sent to Anthropic's API for processing
We send only the minimum data needed (email subject and body)
Anthropic processes this data under their own privacy policy
No data is stored permanently by Anthropic for this purpose

You can disable AI features at any time in your account settings.

5. Third-Party Services

Droppilot integrates with the following third-party services:

Shopify — for order and revenue data. Governed by Shopify's Privacy Policy
Meta (Facebook) — for ad spend data. Governed by Meta's Privacy Policy
Google (Gmail) — for customer email management. Governed by Google's Privacy Policy
Stripe — for payment processing. Governed by Stripe's Privacy Policy
Anthropic — for AI features. Governed by Anthropic's Privacy Policy
ElevenLabs — for voice assistant features. Governed by ElevenLabs' Privacy Policy

6. Data Storage and Security

Your data is stored on servers located in Germany (Hetzner Cloud, Frankfurt). We implement the following security measures:

All data in transit is encrypted using TLS 1.3
Passwords are hashed using bcrypt with salt rounds
API access tokens are stored encrypted in our database
Access to production systems is restricted to authorized personnel only
Regular backups are performed to prevent data loss

7. Data Retention

We retain your data for as long as your account is active. Specifically:

Account data — retained until account deletion
Business/financial data — retained for 3 years for accounting purposes
Email data — customer support emails are retained for 90 days then deleted
Usage/analytics data — retained for 12 months

When you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or regulatory reasons.

8. Your Rights (GDPR)

As a user in the European Union, you have the following rights under GDPR:

Right of access — request a copy of all data we hold about you
Right to rectification — correct any inaccurate data
Right to erasure — request deletion of your personal data
Right to portability — receive your data in a machine-readable format
Right to object — object to processing of your data
Right to restrict processing — request we limit how we use your data

To exercise any of these rights, contact us at privacy@getdroppilot.com. We will respond within 30 days.

9. Cookies and Tracking

Droppilot uses minimal cookies and tracking:

Authentication — JWT tokens stored in localStorage for keeping you logged in
Preferences — local storage for UI preferences (currency, date range)
Analytics — we collect anonymized page visit data to improve the product. No third-party analytics tools (e.g. Google Analytics) are used.

We do not use advertising cookies or cross-site tracking.

10. Push Notifications

If you enable push notifications, we store your browser's push subscription token to send you alerts. You can revoke this permission at any time in your browser settings or in the Droppilot settings page.

11. Children's Privacy

Droppilot is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service at least 14 days before they take effect. Your continued use of Droppilot after changes take effect constitutes your acceptance of the new policy.

13. Contact and Complaints

For any privacy-related questions or to exercise your rights:

Email: privacy@getdroppilot.com
Company: Smit Group d.o.o., Slovenia

If you are not satisfied with our response, you have the right to lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec): www.ip-rs.si