Privacy Notice
Last updated: February 2026
Drompl (“we”, “the service”) is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR).
1. Data We Collect
- Account data: email address, display name, password hash (if set)
- Authentication metadata: login timestamps, authentication method (email/Google)
- Technical data: IP address and User-Agent string during authentication (for security/fraud prevention)
- Device identifiers: a randomly generated device UUID stored in your browser
- Project data: mockup project settings you create in the service
2. Legal Basis
- Contract performance (Art. 6(1)(b)): processing necessary to provide the service you signed up for
- Legitimate interest (Art. 6(1)(f)): IP logging for security, fraud prevention, and abuse detection; aggregated and session-level analytics for service improvement (Tiers 1–2)
- Consent (Art. 6(1)(a)): behavioral analytics linked to your account (Tier 3), collected only with your explicit opt-in
2b. Analytics Data
We collect analytics data in three tiers to improve the service:
- Tier 1 — Aggregated analytics: anonymous counters such as template popularity, export format statistics, and module usage. No personal data is collected. Legal basis: Legitimate Interest (Art. 6(1)(f)).
- Tier 2 — Session analytics: events linked to an anonymized session identifier (a one-way hash, not your user account). Used to understand usage patterns. You can opt out in your profile settings. Legal basis: Legitimate Interest (Art. 6(1)(f)) with balancing test. Data retained for 90 days.
- Tier 3 — Behavioral analytics: detailed usage data linked to your user account, collected only with your explicit consent. You can withdraw consent at any time in your profile settings, and all Tier 3 data will be deleted immediately. Legal basis: Consent (Art. 6(1)(a)). Data retained for up to 365 days or until consent is withdrawn.
Our Legitimate Interest Assessment for Tier 2 analytics is documented and available upon request.
3. Data Retention
- Account data: retained while your account is active; deleted upon account deletion request
- Authentication tokens (magic links): expired unused tokens deleted immediately; used tokens deleted after 30 days
- Invite records: expired revoked invites deleted after 90 days
- Session cookies: expire after 12 hours of inactivity
- Aggregated analytics (Tier 1): automatically deleted after 365 days
- Session analytics (Tier 2): automatically deleted after 90 days
- Behavioral analytics (Tier 3): deleted after 365 days, or immediately upon consent withdrawal or account deletion
4. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Right of access (Art. 15): export all your data via GET /api/auth/export-data
- Right to erasure (Art. 17): permanently delete your account and all data via DELETE /api/auth/account
- Right to rectification (Art. 16): update your profile information in account settings
- Right to data portability (Art. 20): download your data in machine-readable JSON format
- Right to object (Art. 21): opt out of session analytics (Tier 2) in your profile settings
- Right to withdraw consent (Art. 7(3)): withdraw Tier 3 analytics consent at any time; all associated data will be deleted immediately
5. Data Sharing
We do not sell or share your data with third parties. Data is shared only:
- With Google (if you use Google OAuth for sign-in) — only authentication tokens, not your project data
- Via SMTP provider (for sending sign-in emails) — only your email address
6. Cookies
We use essential cookies and one functional cookie for analytics preferences:
- Session cookie (HttpOnly, SameSite=Lax): maintains your login session
- CSRF token cookie: protects against cross-site request forgery
- Beta gate cookie (during beta period): remembers beta access approval
- Analytics consent cookie: stores your analytics preferences (opt-out/opt-in choices). Duration: 1 year.
We do not use advertising or third-party tracking cookies. Tier 3 behavioral analytics requires your explicit consent via a consent banner.
7. Contact
For privacy-related questions or to exercise your rights, contact: info@whitepaper.world