Privacy Policy

• We collect the minimum we need to run the quiz, the widget, and your account.
• We never sell your personal data.
• You can delete your account and data at any time by emailing us.
• We use trusted third parties (hosting, analytics, email, AI) to operate the Service — listed below.

This Privacy Policy describes how ShiporDrop ("we", "us", "our") collects, uses, and shares information when you use shipordrop.com and the embeddable widget (the "Service"). For the purposes of GDPR, we are the data controller of personal data we collect through the Service.

Contact: team@shipordrop.com.

a. Information you provide

• Quiz responses: the 16 answers you submit, your idea description, and any optional context.
• Account info: if you sign in (e.g., to create a widget or dashboard), your name, email, and avatar from your auth provider.
• Project & widget data: project titles, descriptions, configuration, and votes received.
• Communications: messages you send us by email or feedback forms.

b. Information collected automatically

• Device & usage data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
• Cookies & similar tech: small files used for authentication, security, preferences, and analytics (see Section 7).
• Widget interactions: when someone votes or interacts with an embedded widget, we record an anonymous vote tied to the project and a coarse timestamp.

c. What we don't collect

We do not knowingly collect government IDs, payment card numbers (we don't charge anything), precise location, biometric data, or data from children under 13.

• To deliver, operate, secure, and improve the Service.
• To compute and display your quiz score, scorecard, and recommendations.
• To create and manage your account and authenticate sign-ins.
• To send transactional emails (e.g., your scorecard, password resets, account notifications).
• To send occasional product updates if you opt in. You can unsubscribe at any time.
• To detect, prevent, and respond to fraud, abuse, and security incidents.
• To comply with legal obligations and enforce our Terms.
• To analyze aggregated, de-identified usage so we can improve the quiz and content.

If you are in the EU/UK, we rely on the following legal bases:

• Contract: to provide the Service you requested (the quiz, your account, the widget).
• Legitimate interests: to secure the Service, prevent abuse, and improve the product — balanced against your rights.
• Consent: for non-essential cookies, marketing emails, and any optional features that ask for it. You may withdraw consent at any time.
• Legal obligation: when we must process data to comply with law.

We do not sell your personal data. We share information only with:

• Service providers that help us run the Service under contracts requiring confidentiality — including hosting and database (Lovable Cloud / Supabase), edge hosting (Cloudflare), analytics (Google Analytics), email delivery, and AI model providers (e.g., Google, OpenAI) used to power optional features.
• Authentication providers (e.g., Google) when you choose to sign in with them.
• Legal & safety: to comply with valid legal process, enforce our Terms, or protect the rights, property, or safety of our users or the public.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users.
• With your direction: e.g., if you make a project public via the widget or leaderboard.

Note: data submitted to AI providers is governed by their policies; we configure those calls so they are not used to train third-party models where that option is available.

We use cookies and similar technologies for three purposes:

• Strictly necessary: authentication, session integrity, security, and load balancing.
• Preferences: to remember things like quiz progress.
• Analytics: we use Google Analytics to understand how visitors find and use the site so we can improve it. Analytics cookies are set with privacy-respecting defaults.

You can control cookies in your browser settings. Disabling necessary cookies may break parts of the Service.

We keep personal data only as long as needed for the purposes described in this Policy:

• Quiz scorecards: retained while your account is active.
• Account data: retained until you delete your account.
• Widget projects & votes: retained while the project exists.
• Server logs and security events: typically up to 90 days, longer if required to investigate an incident.
• Anonymized, aggregated analytics may be kept indefinitely as it no longer identifies you.

We use industry-standard administrative, technical, and physical safeguards — including encryption in transit, hashed credentials, role-based access, row-level security on our database, and audit logging. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security. Report any vulnerability to team@shipordrop.com.

We and our service providers may process data in countries other than your own, including the United States. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses to protect cross-border transfers.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data ("right to be forgotten").
• Restrict or object to certain processing.
• Receive a portable copy of your data.
• Withdraw consent at any time.
• Lodge a complaint with your local data-protection authority (EEA/UK) or state attorney general (US).

To exercise any of these rights, email team@shipordrop.com. We will respond within the time required by law (typically 30 days). We will not discriminate against you for exercising your rights.

California residents have the rights described above, plus the right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it (all described in this Policy). We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA.

The Service is not directed to children under 13 (or the minimum digital-consent age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

The Service may link to third-party websites and tools we don't control. We are not responsible for their privacy practices. Review their policies before sharing information.

We may update this Policy from time to time. When we do, we'll change the "Last updated" date above and, for material changes, give additional notice (such as an in-app banner or email). Continued use of the Service after the changes take effect means you accept the updated Policy.

Questions, requests, or concerns about your privacy? Email team@shipordrop.com.

See also our Terms of Service.