Privacy Policy

Last Updated: January 2026

This Privacy Policy explains how Supadrop ("Supadrop", "we", "us", "our") collects, uses, shares, and protects your personal information when you use our website at https://supadrop.host and our static website hosting services (collectively, the "Service").

We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Data Controller:
Supadrop
Brussels, Belgium
Email: privacy@supadrop.host


1. Information We Collect

1.1 Information You Provide to Us

When you create an account or use the Service, you may provide us with:

Data Type | Examples | When Collected
Account Information | Email address, name, password | Registration
Profile Information | Display name, profile picture | Account settings
Payment Information | Payment method, billing address | Subscription purchase
Content | Website files you upload | Using the Service
Communications | Support requests, feedback | Contacting us

Note on Payment Data: We do not store your full credit card number. Payment processing is handled by our payment processor (Polar), which maintains its own privacy practices. We only receive limited payment information necessary to manage your subscription.

1.2 Information Collected Automatically

When you access the Service, we automatically collect:

Usage Data:

  • Pages visited and features used
  • Date and time of access
  • Actions taken (uploads, deletions, etc.)
  • Referral URLs

Device and Technical Data:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Language preferences

Location Data:

  • Country and city (derived from IP address)
  • We do NOT collect precise GPS location

1.3 Information from Third Parties

If you choose to sign in using a third-party service (Google, GitHub), we receive:

Provider | Data Received
Google | Email, name, profile picture
GitHub | Email, username, profile picture

We only receive information you have made public or authorized the provider to share with us.

1.4 Information We Do NOT Collect

  • Sensitive personal data (race, religion, health, sexual orientation)
  • Financial account numbers (handled by payment processor)
  • Precise geolocation (GPS)
  • Biometric data
  • Data from children under 18

2. How We Use Your Information

2.1 To Provide the Service

  • Create and manage your account
  • Host and serve your websites
  • Generate subdomains and QR codes
  • Process payments and manage subscriptions
  • Provide customer support

2.2 To Improve the Service

  • Analyze usage patterns and trends
  • Identify and fix bugs and errors
  • Develop new features
  • Optimize performance and user experience

2.3 To Communicate With You

  • Send service-related notifications (account updates, security alerts)
  • Respond to your inquiries and support requests
  • Send transactional emails (payment confirmations, subscription reminders)
  • Send marketing communications (only with your consent)

2.4 To Ensure Security and Prevent Abuse

  • Detect and prevent fraud, spam, and abuse
  • Enforce our Terms of Use
  • Protect the rights and safety of our users
  • Comply with legal obligations

2.5 To Comply With Legal Obligations

  • Respond to legal requests (subpoenas, court orders)
  • Maintain records as required by law (tax, accounting)
  • Report illegal content to authorities when required

3. Legal Bases for Processing (GDPR)

Under the GDPR, we must have a legal basis to process your personal data. We rely on the following:

Legal Basis | When We Use It | Examples
Contract | When processing is necessary to provide the Service you requested | Account creation, hosting your sites, processing payments
Consent | When you have given explicit permission | Marketing emails, optional cookies
Legitimate Interest | When we have a business need that doesn't override your rights | Security, fraud prevention, service improvement
Legal Obligation | When required by law | Tax records, responding to legal requests

Your Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time by:

  • Updating your account settings
  • Clicking "unsubscribe" in marketing emails
  • Contacting us at privacy@supadrop.host

Withdrawing consent does not affect the lawfulness of processing before withdrawal.


4. How We Share Your Information

We do NOT sell your personal information. We share data only in the following circumstances:

4.1 Service Providers (Sub-processors)

We use trusted third-party services to operate Supadrop:

Provider | Purpose | Location
Supabase | Authentication, database | EU (Frankfurt)
Cloudflare | CDN, file storage (R2), security | Global (EU data)
Polar | Payment processing | EU
Mailgun | Transactional emails | EU
Google | OAuth authentication | USA

All service providers are contractually obligated to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist us in responding to your rights requests
  • Delete or return data when the relationship ends

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or subpoenas
  • Government or regulatory requests
  • Legal proceedings involving Supadrop

4.3 Business Transfers

If Supadrop is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

4.4 Public Content

Websites you host on Supadrop are publicly accessible by default. Any content you upload becomes publicly available at your subdomain or custom domain. We are not responsible for the privacy of content you choose to make public.


5. International Data Transfers

Supadrop is based in Belgium (European Union). However, some of our service providers operate outside the EU/EEA.

When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place:

Destination | Safeguard
USA | Standard Contractual Clauses (SCCs)
Other countries | Adequacy decisions or SCCs

Cloudflare: While Cloudflare is a US company, we configure our services to store data in EU data centers where possible.

Content Delivery Network (CDN)

To ensure fast loading times worldwide, websites you host on Supadrop are served through Cloudflare's global CDN.

What this means:

  • Storage: Your website files are stored on Cloudflare R2 servers located in the European Union
  • Distribution: When visitors access your site, copies may be temporarily cached on Cloudflare edge servers around the world
  • Nature of data: This applies only to the static files you upload and choose to make publicly accessible

Important: By uploading content to Supadrop, you acknowledge that this content will be publicly accessible and distributed globally via CDN.


6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy.

6.1 Retention Periods

Data Type | Retention Period | Reason
Account data | Until account deletion + 30 days | Service provision
Website files | Until site deletion (or 90 days after archiving) | Service provision
Payment records | 7 years after transaction | Legal obligation (tax)
Support communications | 3 years | Service improvement
Server logs | 90 days | Security and debugging
Analytics data | 26 months | Service improvement

6.2 After Account Deletion

When you delete your account:

  • Your websites are immediately taken offline
  • Your personal data is deleted within 30 days
  • Backup copies are deleted within 90 days
  • We may retain anonymized/aggregated data indefinitely

6.3 Free Trial Expiration

At the end of the 15-day free trial, if you do not subscribe to a paid plan:

  • Your site remains online but is displayed with a visual overlay and a message prompting you to subscribe
  • You will receive email reminders over a 7-day grace period
  • After the grace period, your site and all associated files are permanently deleted
  • Your account remains accessible to subscribe and start fresh

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

7.1 Technical Measures

  • Encryption in transit: All data transmitted via HTTPS/TLS
  • Encryption at rest: Database encryption
  • Access controls: Role-based access, principle of least privilege
  • Authentication: Secure password hashing, optional 2FA
  • Infrastructure: Hosted on secure, certified platforms

7.2 Organizational Measures

  • Limited employee access to personal data
  • Confidentiality agreements with staff and contractors
  • Regular security reviews and updates
  • Incident response procedures

7.3 Your Responsibility

You are responsible for:

  • Keeping your password secure
  • Not sharing your account credentials
  • Logging out on shared devices
  • Reporting suspicious activity

7.4 No Guarantee

Despite our efforts, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In case of a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.


8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us provide and improve the Service.

8.2 Types of Cookies We Use

Cookie Type | Purpose | Required?
Essential | Authentication, security, basic functionality | Yes
Functional | Remember your preferences | No
Analytics | Understand how you use the Service | No

8.3 Managing Cookies

You can control cookies through:

  • Browser settings: Most browsers allow you to block or delete cookies
  • Our cookie banner: Accept or reject non-essential cookies when you first visit

Note: Blocking essential cookies may prevent you from using the Service.

8.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals, as there is no industry standard for this feature.


9. Social Logins

9.1 Available Options

You can create an account or log in using:

  • Google
  • GitHub

9.2 What We Receive

When you use social login, we receive basic profile information (email, name, profile picture) that you authorize the provider to share.

9.3 What We Don't Do

  • We don't post anything on your behalf
  • We don't access your contacts or friends
  • We don't receive your password

9.4 Managing Social Connections

You can disconnect social logins in your account settings. This doesn't delete your Supadrop account — you can set a password to continue accessing it.


10. Your Privacy Rights

10.1 Rights Under GDPR (EU/EEA Users)

If you are in the European Union or European Economic Area, you have the following rights:

Right | Description
Access | Request a copy of your personal data
Rectification | Request correction of inaccurate data
Erasure | Request deletion of your data
Restriction | Request limited processing of your data
Portability | Receive your data in a portable format
Objection | Object to processing based on legitimate interests
Withdraw Consent | Withdraw consent at any time
Complaint | Lodge a complaint with a supervisory authority

10.2 How to Exercise Your Rights

You can exercise your rights by:

  1. Self-service: Access, update, or delete data in your account settings
  2. Email: Contact us at privacy@supadrop.host
  3. Written request: Send a letter to our address

We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.

10.3 Right to Complain

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority.

Belgian Data Protection Authority:
Autorité de protection des données (APD)
Rue de la Presse 35
1000 Brussels
www.autoriteprotectiondonnees.be


11. Children's Privacy

Supadrop is not intended for children under 18 years of age.

We do not knowingly collect personal information from children under 18. If we discover that we have collected data from a child under 18, we will delete it promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@supadrop.host.


12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties.

This includes:

  • Websites you host on Supadrop (you control their content)
  • Payment processors
  • Social login providers
  • Any external links

We encourage you to review the privacy policies of any third-party services you use.


13. Changes to This Policy

13.1 How We Notify You

  • Minor changes: Updated "Last Updated" date at the top of this policy
  • Material changes: Email notification and/or prominent notice on the Service

13.2 Your Acceptance

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy. If you do not agree with the changes, you should stop using the Service and delete your account.


14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Supadrop
Brussels, Belgium

Email: privacy@supadrop.host
General support: support@supadrop.host

We aim to respond to all inquiries within 30 days.


Summary of Key Points

For your convenience, here is a summary (this summary is not legally binding):

Topic | Summary
What we collect | Email, name, usage data, uploaded content
Why we collect | To provide the Service, improve it, and communicate with you
Legal basis | Contract, consent, legitimate interest
Who we share with | Service providers only (Supabase, Cloudflare, Polar, Mailgun)
Data location | Primarily EU, some US providers with safeguards
Retention | Until account deletion + 30 days
Your rights | Access, correct, delete, port your data
Cookies | Essential + optional analytics
Children | Not allowed under 18
Contact | privacy@supadrop.host

This Privacy Policy is effective as of January 2026.