Privacy Policy

Effective May 4, 2026

This policy explains what personal information DropKit collects, why we collect it, how we use it, and the rights you have over it. DropKit is operated by 0102 Lab. S.E.N.C, a Quebec partnership, and we comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Quebec Act respecting the protection of personal information in the private sector (the "Quebec Privacy Act," including the changes introduced by Law 25).

1. Who is responsible for your data

0102 Lab. S.E.N.C is the controller of your personal information and acts as the person in charge of personal information for the purposes of the Quebec Privacy Act. You can reach our privacy contact at getdropkit@gmail.com.

2. What we collect

We collect only what we need to run the service. Specifically:

  • Account information. Your email address, your chosen artist handle, your display name, and a hashed password managed by our authentication provider.
  • Drop content. Cover art, audio, files, links, titles, descriptions, and release dates that you upload to your drops.
  • Buyer information. When a fan buys an offer, we receive their email address and the order metadata from Stripe. We do not see or store full credit card numbers. Card data lives with Stripe.
  • Payments and payouts. Stripe stores your identity and bank details directly on your connected Stripe account under their own privacy policy. We see anonymized payment identifiers, amounts, and fee splits.
  • Email delivery metadata. When we send a receipt or a sale notification, our email provider records delivery, bounce, and open events to keep deliverability healthy.
  • Server logs. Standard request logs (IP address, user agent, page path, timestamps) for security and debugging, kept for a short period.

We do not run third-party advertising trackers and we do not sell personal information to anyone.

3. Why we collect it

Each piece of information has a specific purpose:

  • Account information lets you log in, claim a handle, and run your drops.
  • Drop content lets us display the public page and deliver files to buyers.
  • Buyer email + order metadata lets us send receipts and download links and lets the artist keep a relationship with their fans.
  • Payment metadata lets us calculate the platform fee, run payouts, and produce dashboard stats.
  • Email delivery metadata lets us troubleshoot bounced receipts.
  • Server logs let us detect abuse, debug, and meet our security obligations.

Our legal basis for processing your information under PIPEDA is your consent, given when you create an account or buy an offer, and our legitimate interest in operating, securing, and improving DropKit.

4. Who we share it with

DropKit relies on a small number of service providers (data processors). Each one only sees what it needs and is contractually bound to protect your information.

  • Stripe (Stripe, Inc. and Stripe Payments Canada, Ltd.) for payment processing, Connect onboarding, and payouts.
  • Supabase for our database, authentication, and file storage.
  • Resend for sending transactional email (receipts, sale notifications).
  • Vercel for hosting the application.

We may also share information when required by Canadian law, by a valid legal request, or to protect the rights and safety of our users or the public.

5. International data transfers

Our service providers (Stripe, Supabase, Resend, Vercel) are primarily based in the United States. Your personal information may be stored or processed in the United States or in other jurisdictions where our providers operate. The laws of those jurisdictions may differ from the laws of Canada and Quebec, and government and law enforcement authorities in those jurisdictions may, in certain circumstances, be entitled to access your information. By using DropKit, you consent to this transfer.

6. How long we keep it

We keep your account information for as long as you have an active account. When you close your account, we delete or anonymize your personal information within ninety days, except for records we must keep for tax, accounting, fraud prevention, or other legal reasons (typically up to seven years for transaction records).

Buyers' download access tokens expire seven days after the purchase, after which the token is unusable.

7. Your rights

Whether you are an artist or a buyer, you have rights over your personal information. Under PIPEDA and the Quebec Privacy Act, you can:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Withdraw your consent to our processing, subject to legal or contractual restrictions and reasonable notice.
  • Request deletion of personal information that is no longer needed or where you withdraw consent (the right to be forgotten under Law 25).
  • Request portability of personal information you gave us, in a structured, commonly used format.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec if you believe we have not handled your information properly.

To exercise any of these rights, email getdropkit@gmail.com from the address on your account. We respond within thirty days.

8. Cookies and similar technologies

DropKit uses a small number of strictly necessary cookies to keep you logged in and to keep your session secure. We do not use advertising cookies or third-party trackers. You can clear cookies from your browser at any time, but doing so will sign you out.

9. Security

We use industry-standard practices to protect your information: TLS for all data in transit, encrypted storage, role-based access in our database (Supabase row-level security), signed URLs for file delivery, and isolated payment handling through Stripe. No system is perfectly secure, but we treat your data with the care we would want for our own.

If we ever discover a confidentiality incident that risks serious harm, we will notify affected users and the Commission d'accès à l'information du Québec as required by Law 25.

10. Children

DropKit is not intended for anyone under the age of eighteen. We do not knowingly collect personal information from minors. If you believe a minor has created an account, contact us and we will close it.

11. Changes to this policy

We may update this policy from time to time. If we make a material change, we will post a notice on this page and update the effective date above. Significant changes that affect how we process your information will be announced by email.

12. Contact

0102 Lab. S.E.N.C
Quebec, Canada
getdropkit@gmail.com

See also our Terms of Service.