Privacy Policy

Overview

Last updated: June 20, 2026. This Privacy Policy explains how Dropr ("Dropr", "we", "us") handles information when a merchant installs and uses the Dropr app on Shopify, and when anyone visits our website at heydropr.com. Dropr is operated by an independent software developer based in Mexico.

Dropr is a business-to-business tool for Shopify merchants. Each merchant remains responsible for the privacy notices it shows to its own shoppers.

Our role

For the store data we process to provide the app — product catalog, recommendations, and widget events — we act as a processor or service provider on the merchant's behalf and follow the merchant's instructions.

For our own account, support, security, and website-analytics data, we act as an independent controller. These roles can vary by jurisdiction and configuration.

Information we collect through the Shopify app

Store information: your myshopify.com domain, Shopify shop ID, plan, active theme ID, app settings, and install and uninstall timestamps.

Merchant staff information from your Shopify session: a user ID, first and last name, email, locale, and whether the user is the account owner. We use this to authenticate and operate the app.

A Shopify access token, encrypted at the application layer before it is stored.

Product catalog data: titles, handles, descriptions, tags, image URLs, prices, availability, and variant IDs, plus derived data such as vector embeddings, product pairings, recommendation scores, and widget configuration.

Widget performance events: impressions, clicks, conversions, the product IDs involved, and revenue amounts. These are not linked to individual shopper identities.

Order line-item data from paid orders: the products purchased, their quantities and prices, the order total, and whether a line was added through a Dropr recommendation (via a hidden cart line-item flag). We use this to attribute revenue to recommendations and improve product pairings. We access this under Shopify Protected Customer Data (Level 1) and do not receive or store customer names, emails, addresses, or phone numbers.

Information we do not collect in this version

Dropr does not collect or store your shoppers' names, emails, phone numbers, addresses, customer tags, Shopify customer identifiers, or Shopify protected customer fields.

Dropr does not import or store customer records or Shopify customer identifiers. From orders, Dropr reads only line-item data (products, quantities, and prices) to attribute revenue to recommendations — see "Information we collect through the Shopify app" above — never customer-identifying fields.

Information from our website

On heydropr.com we use Google Analytics 4 to understand site traffic. It may set first-party cookies (such as _ga) and collect page views, approximate location, device and browser details, referrer, and a client identifier. The website has no shopper accounts.

How we use information

To install, authenticate, and operate the app; to generate and render cross-sell widgets and recommendations; to configure widgets and theme placement; to measure widget performance; to provide support; to manage Shopify-billed plans; for security, debugging, fraud prevention, and legal compliance; and to understand and improve our website.

Legal bases (EEA and UK)

Where the EU or UK GDPR applies, we rely on: performance of a contract to provide the app to a merchant; our legitimate interests in securing, supporting, and improving the service and our website, including basic website analytics; legal obligations; and, for merchant store data, processing on the merchant's documented instructions.

AI and automated processing

Dropr uses AI to power recommendations. Product text is sent to OpenAI to create embeddings and to Anthropic (Claude) for bundle detection and brand-style generation, routed through the Vercel AI Gateway. We send product and configuration text, not shopper protected fields.

These features do not make decisions that produce legal or similarly significant effects on individuals. We do not use your store data to train, fine-tune, or improve third-party AI models except as permitted by Shopify and with the consent required for your store.

Service providers

We share data with providers that help us run Dropr: Shopify (platform, OAuth, billing, and compliance webhooks), Vercel (hosting and AI gateway), Neon (database), Upstash (cache), Inngest (background jobs), OpenAI and Anthropic (AI features), Resend (transactional email), and Google Analytics (website analytics).

We do not sell personal information.

International transfers

Our providers may process data in the United States and other countries. Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, available through each provider.

Data retention and deletion

We keep store data while the app is installed and needed to provide the service. When you uninstall Dropr, storefront requests stop immediately and we delete your store's data within 30 days, subject to limited backups and legal obligations. The encrypted access token is removed on uninstall.

We honor Shopify's mandatory privacy requests, including customers/data_request, customers/redact, and shop/redact.

Security

We protect data with application-layer encryption of access tokens, encryption in transit (TLS), least-privilege Shopify scopes, signed-webhook verification, and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Your rights

Depending on your location, you may have rights to access, correct, delete, port, or object to the processing of your personal data, and to withdraw consent. Email support@heydropr.com to make a request; we may need to verify your identity or authority.

Where Dropr acts as a processor for a merchant, shopper requests are directed to that merchant, and Shopify's privacy webhooks are used to fulfill them.

Cookies and analytics

Our website uses necessary cookies and Google Analytics cookies to understand site traffic. You can opt out at any time using your browser controls or Google's opt-out browser add-on. We do not enable Google advertising features.

Children

Dropr is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 18.

Changes to this policy

We may update this policy and will change the date above when we do. Material changes will be reflected on this page.

Contact

Questions can be sent to support@heydropr.com.