Privacy policy

How we handle your data.

Last updated 2026-04-17. Applies to nfc.heydrop.app.

Who we are

HeyDrop sp. z o.o. (“HeyDrop”, “we”) is the controller of your personal data for purposes of Regulation (EU) 2016/679 (GDPR) and the Polish Act on the Protection of Personal Data (ustawa o ochronie danych osobowych).

Contact: privacy@heydrop.app. We aim to answer data-subject requests within 7 days (GDPR allows up to 30).

What we collect and why
  • To fulfil your order — full name, email, shipping address, phone, and the personalisation details you put on the card (role, company, logo, profile link). Legal basis: contract performance (Art. 6(1)(b)).
  • To take payment — Paddle (our merchant of record) receives payment details. We only store the Paddle transaction id, never the card number. Legal basis: contract + legal obligation.
  • To notify you — we send you an order confirmation via Resend. Legal basis: contract.
  • To secure our service — admin sessions log IP + user agent; admin actions are audited. Legal basis: legitimate interest.
  • Analytics — Amplitude and Vercel Web Analytics only run after you accept the cookie banner. Legal basis: consent (Art. 6(1)(a)).

Who we share with

We use the following sub-processors. All are bound by data-processing agreements.

  • Neon — database hosting (AWS EU-Central-1, Frankfurt).
  • Vercel — app hosting and edge delivery.
  • Paddle — payment processing (EU, Ireland).
  • Resend — transactional email.
  • Upstash — rate-limit counters (stores only a hashed IP key, no PII).
  • Amplitude — product analytics (opt-in only; data transferred to the US under the EU-US Data Privacy Framework).
  • waan.co — our fulfilment partner in Poland. Receives the minimum data required to produce and ship your card: name, shipping address, personalisation fields. Never receives payment data, analytics, or admin logs.

How long we keep it
  • Abandoned drafts (draft, cancelled) and attached profile snapshots: 90 days.
  • Personal data on completed orders: automatically redacted 2 years after payment.
  • Financial fields (amounts, Paddle transaction id, currency, payment date): 5 years after payment — required by PL accounting law.
  • Admin security logs (sessions, audit): 1 year.

Your rights
Under GDPR you have the right to:
  • access your data (we will send you a JSON export within 7 days);
  • correct inaccurate data;
  • be forgotten — we will redact identifying fields from your order(s) while keeping the financial record required by law;
  • restrict or object to processing;
  • lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO).

Email privacy@heydrop.app and tell us which order(s) to action. We identify you by matching the email on file.

Cookies and similar technologies
  • Strictly necessary (always on): session cookie for the admin area, Paddle checkout overlay, CSRF protection. No tracking.
  • Analytics (opt-in): Amplitude and Vercel Web Analytics. You can change your choice any time by clearing site data for nfc.heydrop.app or contacting us.

Changes

Material changes are announced on this page. We keep a Git-tracked history of this policy in the repository so you can see what changed and when.

Questions? Email privacy@heydrop.app or read our terms.