DROPS.ST legal
Privacy Policy
How DROPS.ST handles personal information across platform services.
Effective date: March 25, 2026 Last updated: May 15, 2026
1. Our Approach to Privacy
The short version: We collect minimal data. We do not track you. We do not sell or share your information with advertisers. We self-host our analytics and payment systems. You can delete your own data at any time -- no request, no approval, no waiting.
The full version is below.
DROPS is built on a simple principle: collect only what we need, explain everything we do, and give you real control over your information. Privacy is not an afterthought here -- it is a foundational design decision. We have built self-service privacy controls directly into the platform so that you can exercise your rights yourself, instantly, without depending on us to act on your behalf.
All core services -- analytics, email, and payment processing -- are operated on infrastructure we control. We do not rely on third-party advertising platforms, behavioural tracking networks, or data brokers. Where others default to collection, we default to restraint.
This Privacy Policy describes how DROPS handles personal information. Use of the platform is governed separately by the Terms of Use. This Privacy Policy is informed by Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act respecting the protection of personal information in the private sector (Law 25).
For privacy inquiries, contact our designated privacy officer at contacts@drops.st.
2. Information We Collect
Automatically Collected
- Anonymous analytics -- aggregated page-view counts and general geographic data (country level). Our analytics are self-hosted, use no cookies, collect no personally identifiable information, and send no data to external parties. This data cannot be linked to any individual visitor.
We do not collect or store server logs, IP addresses, browser fingerprints, or browsing histories of our visitors. When you access this platform, your device transmits standard technical information (such as your IP address and browser type) as part of the normal operation of internet protocols. This transmission is inherent to how the internet works and is initiated by your device, your browser, and your internet service provider -- not by DROPS. You are solely responsible for the information your device transmits when accessing any website, and for taking appropriate measures (such as using a VPN or privacy-focused browser) to protect your own privacy in transit. DROPS accepts no liability for data transmitted by your device or intercepted by intermediary networks in the course of your access to this platform.
Information You Provide
- Contact form submissions -- if you contact us, you may voluntarily provide your name, email, or a message. This is used solely to respond to your inquiry and is retained for 12 months.
- Account data -- if you register on app.drops.st, we store your email address, username, and a securely hashed password. Account data is retained while your account remains active.
- Session cookie -- app.drops.st uses a single session cookie strictly required for authentication. It is not used for tracking.
What We Do NOT Collect
We want to be explicit about what we deliberately choose not to collect:
- No server logs -- we do not log, store, or retain IP addresses, user-agent strings, or browsing activity of visitors
- No tracking cookies -- we do not deploy cookies, pixels, beacons, or fingerprinting scripts for tracking purposes
- No advertising identifiers -- we do not participate in any advertising network or data exchange
- No social media trackers -- we do not embed tracking widgets from social platforms
- No government-issued identification -- we never request or store ID documents
- No biometric data of any kind
- No precise geolocation -- we do not use GPS or similar technology to determine your physical location
- No purchase of third-party data -- we do not buy data about you from brokers or other sources
3. How We Use Your Information
We use collected information strictly for these purposes:
- Platform operation -- to deliver, maintain, and ensure the proper functioning of our services
- Security -- to detect, prevent, and respond to potential threats, unauthorized access, or abuse
- Improvement -- to understand general usage patterns through anonymized analytics and improve the platform over time
- Communication -- to respond to inquiries you have directed to us, through the channel you chose
We do not use your information for profiling, automated decision-making, behavioural advertising, or any purpose not listed above. If we ever need to use information for a new purpose, we will notify you and obtain consent before doing so.
4. Disclosure and Sharing
We do not sell, rent, or trade your personal information to anyone.
We may disclose personal information only in these narrow circumstances:
- When required by Canadian law, regulation, or valid legal process (such as a court order)
- To protect the safety of our users or the public where there is an imminent threat
- To enforce these terms of use where necessary to protect our legitimate interests
No third-party advertising or analytics services receive any data from us. Transactional emails are sent from our own mail server -- no external email marketing platform is involved.
5. Cryptocurrency Payments
DROPS accepts cryptocurrency -- including Bitcoin (BTC) and Monero (XMR) -- as a form of payment. Here is what you should understand:
- Self-hosted processing -- payments are processed through payment infrastructure we operate on our own servers. Your payment data is not sent to external payment companies.
- Blockchain is public -- when you send cryptocurrency, the transaction is recorded on a public ledger (the blockchain). For Bitcoin, anyone can see the transaction amount and wallet addresses. This is inherent to how cryptocurrency works -- it is not something we control. Monero transactions are recorded on a blockchain designed to obscure transaction details.
- What we store -- we retain transaction identifiers, timestamps, and Canadian-dollar equivalent values as required for legal and accounting purposes. We treat cryptocurrency wallet addresses associated with identifiable accounts as personal information.
- What we do not store -- we do not store your private keys, seed phrases, or wallet passwords. We do not provide custodial wallet services.
- Retention -- transaction records are retained as required by the Income Tax Act (Canada) and the Excise Tax Act, typically for a minimum of six years.
- Blockchain permanence -- we can delete your personal information from our systems upon request, but we cannot modify or delete records on public blockchains. Our privacy obligations apply to information within our custody and control.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Anonymous analytics | Indefinite (cannot identify individuals) |
| Contact form submissions | 12 months from last communication |
| Account data | While account is active; deleted instantly on your request |
| Transaction records | Minimum 6 years (legal requirement) |
When retention periods expire, data is securely deleted or irreversibly anonymized. We do not retain personal information without a defined purpose.
7. Security
We implement appropriate technical and organizational measures to protect information against unauthorized access, alteration, disclosure, or destruction:
- All connections to our platform use industry-standard transport encryption
- Data stored on our servers is protected using full-disk encryption
- Access to infrastructure and stored data is restricted to authorized personnel on a need-to-know basis
- We employ firewalls, intrusion detection, and regular security monitoring
- By collecting minimal data, we limit the scope and impact of any potential breach -- data that does not exist cannot be stolen
No system is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security and encourage you to protect your own credentials and wallet keys.
Breach Notification
In the event of a security breach involving personal information that creates a real risk of significant harm, we will:
- Notify the Office of the Privacy Commissioner of Canada (OPC) as required by PIPEDA
- Notify the Commission d'acces a l'information du Quebec (CAI) where applicable under Law 25
- Notify affected individuals with information about the breach and steps they can take
- Maintain a record of all breaches for a minimum of 24 months
8. Your Rights
Under Canadian privacy law, you have a number of rights regarding the personal information we collect, use, and disclose. DROPS has gone beyond the legal minimum by building self-service privacy controls directly into the platform, so that you can exercise most of these rights yourself, immediately, without waiting for a response from us.
Right of Access and Portability
You have the right to know what personal information we hold about you and to obtain a copy in a structured, commonly used, and machine-readable format. You may exercise this right at any time by using the data export function available in your account profile. This produces a complete, downloadable copy of all personal information associated with your account -- including profile data, order history, saved addresses, and activity records. No approval from DROPS or any shop operator is required.
Right of Erasure (Right to Deletion)
You have the right to request the deletion of your personal information. You may exercise this right at any time by using the account deletion function in your account profile. When you initiate deletion:
- Your request is processed automatically -- no approval from DROPS or the shop operator is required
- All personal information associated with your account is permanently erased from our active systems
- Where deletion would compromise the integrity of transactional records (such as completed order histories), the platform applies automatic anonymization, which irreversibly removes all personally identifiable information while preserving the non-identifying transactional record
- You may cancel a pending deletion during the processing period if you change your mind
You are not required to submit a written request, wait for a response, or provide justification. The control is in your hands.
Right of Rectification
You have the right to correct inaccurate or incomplete personal information. You may update your profile information, saved addresses, and contact details directly through your account settings at any time.
Right to Withdraw Consent
You may withdraw your consent to the collection, use, or disclosure of your personal information at any time. You may exercise this right by deleting your account through the self-service function described above, or by contacting us for specific processing activities. Withdrawing consent does not affect the lawfulness of any processing that occurred before withdrawal.
Right to File a Complaint
If you believe that your privacy rights have been violated, you may file a complaint with:
- Office of the Privacy Commissioner of Canada -- priv.gc.ca -- 1-800-282-1376
- Commission d'acces a l'information du Quebec -- cai.gouv.qc.ca (for Quebec residents)
We encourage you to contact us first at contacts@drops.st so we may attempt to resolve your concern directly. We will respond within 30 days. There is no fee to exercise any of your rights.
How These Rights Compare to Legal Requirements
Under PIPEDA, organizations are required to respond to access and erasure requests within 30 calendar days. DROPS does not rely on these timelines. The self-service controls described above allow you to exercise your rights of access, portability, and erasure instantly. We believe that a right you can exercise yourself, immediately, is more meaningful than a right that requires you to ask, wait, and hope for a timely response.
9. Self-Service Privacy Controls
Privacy Built Into the Platform
DROPS is designed with privacy controls embedded directly into the platform's architecture. These are not add-on features -- they are core components of the system, reflecting our commitment to privacy by design and by default as required under Quebec's Law 25 and consistent with the expectations of the Office of the Privacy Commissioner of Canada.
What You Can Do as a Customer
As a registered customer, you have the following self-service privacy controls available through your account profile:
| Control | What It Does | Approval Required | Timing |
|---|---|---|---|
| Export your data | Download a complete copy of all personal information we hold about you, in a machine-readable format | None | Immediate |
| Delete your account | Permanently erase your account and all associated personal information from our systems | None | Automatic |
| Delete saved addresses | Permanently remove individual shipping addresses from your profile | None | Instant |
| Update your information | Correct, update, or modify your personal information and preferences | None | Instant |
| Sign out | Destroy your active session and all session data | None | Instant |
No written request is required. No justification is required. These controls are available to you at all times while your account is active.
What Shop Operators Can Do
DROPS operates as a multi-tenant platform, meaning that individual shop operators use our platform to operate their own online stores. Shop operators have the following privacy controls available through their administrative panel:
- Customer data erasure -- shop operators may erase customer personal information directly from their shop's records, without requiring platform-level approval from DROPS. This enables shop operators to respond promptly and to meet their own obligations under applicable privacy legislation.
- Customer data anonymization -- shop operators may anonymize customer records rather than delete them outright, preserving the integrity of business records while irreversibly removing all personally identifiable information.
- Customer data export -- shop operators may export a complete copy of a customer's data for portability or compliance purposes.
These controls ensure that privacy compliance does not depend on DROPS acting as an intermediary or bottleneck. The shop operator -- who is closest to the customer relationship -- has the tools needed to act promptly and independently.
Anonymization vs. Deletion
DROPS uses two distinct methods of removing personal information:
- Deletion means the permanent and irreversible removal of data from our systems. Deleted data cannot be recovered.
- Anonymization means the irreversible removal of all personally identifiable elements from a record, so that the remaining data can no longer reasonably be used to identify you. Anonymized records may be retained for transactional integrity and business reporting.
When you delete your account, the platform applies the appropriate method to each category of data: profile information, contact details, and directly identifying information are deleted; transactional records are anonymized to preserve record integrity. In all cases, the result is the same from your perspective: your personal information is permanently and irreversibly removed and cannot be used to identify you.
Anonymized data is not considered personal information under PIPEDA or Quebec's privacy legislation and is not subject to further access, correction, or erasure requests.
Irreversibility Warning
Once your account is deleted or your personal information is erased, the action cannot be undone. We do not maintain backup copies of erased data for the purpose of restoring deleted accounts. If you choose to use the platform again after deletion, you will need to create a new account, and your previous data will not be available.
We strongly recommend that you use the data export function to download a copy of your information before initiating account deletion.
Data Beyond Our Control
Erasure from DROPS systems does not affect:
- Blockchain transaction records -- cryptocurrency transactions recorded on public blockchains are immutable and cannot be altered or deleted by any party. DROPS can erase the association between your account and a blockchain transaction within our systems, but cannot modify the blockchain itself.
- Legal retention requirements -- certain records may be retained for a prescribed period under applicable tax and commercial law. Only the minimum information necessary will be retained, and it will be deleted or anonymized upon expiration of the retention period.
- Third-party data -- data previously transmitted to third parties (such as shipping providers or messaging platforms) is governed by those parties' own privacy policies and is outside our control.
10. Children's Privacy
This platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from someone under 18, we will take prompt steps to delete that information. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at contacts@drops.st.
11. Terms of Use
The Terms of Use govern access to and use of drops.st, app.drops.st, Tenant Shops, platform tools, payment features, crypto/manual payment risks, liability limits, indemnities, governing law, and other platform-use terms.
If there is a conflict between this Privacy Policy and the Terms of Use about how DROPS handles personal information, this Privacy Policy controls for that privacy issue. The Terms of Use control for platform-use, payment, commercial, liability, and dispute issues.
12. Contact
For privacy inquiries, rights requests, or complaints:
DROPS -- Privacy Officer Email: contacts@drops.st
The Privacy Officer is the designated person responsible for the protection of personal information under Quebec Law 25. We will acknowledge your inquiry and respond within 30 days.
This document is drafted in alignment with the ten fair information principles of PIPEDA and the requirements of Quebec's Law 25.