Privacy Policy

Information you provide:

• Name, email address, and password when you create an account
• Billing information (processed by Stripe — we do not store card details)
• Product images you upload
• Any communications you send us

Information collected automatically:

• IP address and approximate location
• Device type, browser, and operating system
• Usage data — pages visited, features used, time spent
• Cookies and similar tracking technologies (see Section 8)

We use your information to:

• Provide, maintain, and improve the Service
• Process payments and manage your subscription
• Send transactional emails (account, billing)
• Detect fraud and enforce our Terms of Service
• Comply with legal obligations

We do not sell your personal data.

When you upload product images, we act as a data processor on your behalf — we process those images solely to provide the Service as you instruct. We do not use your uploaded images or generated outputs to train our own AI models. Your data may be processed by third-party AI providers as part of delivering the Service, and their use of data is governed by their own terms and privacy policies.

We do not intentionally collect or use biometric identifiers for identification purposes.

Drop Candy uses third-party AI services to generate images. Your uploaded content and prompts are processed by these providers. We prefer to work with providers who do not use customer data for model training, but we cannot guarantee their practices.

A current list of our AI providers and all sub-processors is available in Section 5 below. We will update this list when our providers change.

We share data with the following third-party service providers to operate the Service:

We also work with the following categories of service providers, whose specific vendors may change from time to time as we evaluate cost, performance, and privacy posture:

• Cloud hosting, database, file storage, and authentication infrastructure providers that store your account data, uploaded content, and generated images
• Third-party AI image generation services for routing model requests and producing generated outputs
• Embedding and similarity search providers for content discovery
• Transactional email delivery for account, billing, and support notifications
• Captcha and abuse prevention services at signup and on sensitive flows
• Off-site backup and storage providers for disaster recovery of uploaded content
• Error monitoring and rate-limit infrastructure for operational reliability

Each provider is subject to their own privacy policy and data practices. We require all sub-processors to handle data only as needed to deliver the Service to you.

Images you generate through Drop Candy are private by default — they are not shared publicly or visible to other users. You control who sees your generated content.

Drop Candy generates images using artificial intelligence. These images do not depict real people. Any resemblance to actual individuals is coincidental and not intended.

AI-generated images may occasionally contain unintended elements, including content that resembles third-party logos, trademarks, or brand identifiers. Users are responsible for reviewing all generated outputs before commercial or public use.

We retain your personal data only as long as necessary to provide the Service and meet our legal obligations. If you cancel your account, you may request deletion of your data by emailing support@dropcandy.ai.

Response time: we respond to deletion and access requests within 30 days of receipt. Where additional time is required (for example, to verify your identity or to address a complex request), we will let you know within those 30 days and complete the request as soon as reasonably possible.

Some data may be retained beyond this window where required for legal, security, fraud-prevention, or billing purposes, including financial records required by applicable tax law and security audit logs.

We use a small number of cookies and browser storage technologies to operate the Service. You can control these through your browser settings, though disabling them may affect Service functionality.

We use:

• Essential cookies — authentication, security, and basic UI state required for the Service to function (for example, your logged-in session)
• Browser local storage — for non-sensitive preferences such as your saved favorites and view settings; stored only on your device

We also collect first-party usage data (such as page views, feature usage, and aggregated job metrics) directly to our own database to operate and improve the Service. This data is not shared with third-party analytics or advertising platforms.

We do not use third-party advertising cookies, behavioural tracking, retargeting pixels, or cross-context advertising trackers.

All users:

• Request access to the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent where processing is based on consent

To delete your account and all associated data: email support@dropcandy.ai from the address on file. We will complete the deletion within a reasonable timeframe and confirm once done. To cancel your subscription without deleting your account, visit Account → Plan → "Manage subscription."

EU/EEA and UK users (GDPR / UK GDPR):

You have additional rights including data portability, restriction of processing, and the right to object. We respond to verified requests within 30 days of receipt; where an extension is necessary we will let you know within those 30 days. You may lodge a complaint with your national data protection authority. EU/EEA users may contact their local supervisory authority; UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk. Our legal basis for processing is contractual necessity and legitimate interests.

Drop Candy is based in the United States. When we transfer your personal data to the US, we do so through service providers who have implemented Standard Contractual Clauses (SCCs) or other appropriate safeguards as required under GDPR and UK GDPR. A list of our service providers is in Section 5.

California users (CCPA / CPRA):

You have the right to know what personal information we collect, request deletion, request correction of inaccurate data, and opt out of the sale or sharing of personal information. We do not sell personal information or share it for cross-context behavioral advertising. You also have the right to limit our use of sensitive personal information to what is necessary to provide the Service. Submit requests to support@dropcandy.ai. We will respond within 45 days.

Virginia, Colorado, Connecticut, Texas, and other US state users:

Depending on your state of residence, you may have rights to: access, correct, delete, and obtain a portable copy of your personal data; opt out of targeted advertising and profiling used to make decisions with legal or similarly significant effects; and appeal our decision if we decline your data request. To submit a request or appeal, email support@dropcandy.ai. We will respond within the timeframe required by your state's law and confirm in writing once complete.

Drop Candy is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at support@dropcandy.ai.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service. Continued use after changes constitutes acceptance.

For privacy-related questions, data requests, or deletion requests:

support@dropcandy.ai

For EU/EEA users, you may also contact your local data protection authority.