SpotDrops Privacy Policy
Effective Date: February 10, 2026
Last Updated: February 10, 2026
1. Introduction
This Privacy Policy describes how Seven Pillar House LLC (“Company,” “we,” “us,” or “our”), operating as SpotDrops (spotdrops.app), collects, uses, stores, and shares your personal information when you use our platform and services.
By using SpotDrops, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our platform.
2. Information We Collect
We collect different types of information depending on how you interact with SpotDrops.
2.1 Information You Provide Directly
Operator Accounts:
- Business name, email address, phone number, website URL
- Business logo (uploaded image file)
- URL slug (your chosen SpotDrops URL identifier)
- Service area and geographic information
- Stripe Connect account information (account ID and onboarding status — we do not store your bank account details, which are held solely by Stripe)
Advertiser Accounts:
- Business name, contact name, email address, phone number
- Street address, city, state, zip code
- Website URL, Instagram handle, Facebook handle
- Business logo (uploaded image file)
- Special offer details (offer type, value, description, fine print)
- Business category
All Users:
- Account credentials managed through Clerk (our authentication provider)
- Communications you send to us via email or support channels
2.2 Information Collected Automatically
When You Visit SpotDrops (Platform Users):
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Referring URL
- Date and time of access
When Someone Scans a QR Code or Visits a QR Landing Page (Visitors):
This is an important distinction. QR landing pages are public pages linked from printed mail cards. When someone scans a QR code or visits a QR landing page, we collect:
- IP address — We hash your IP address using SHA-256 (a one-way function, not reversible encryption) immediately upon receipt. We do not store your raw IP address. The hash is used solely to estimate uniqueness of visitors and for approximate geographic location.
- IP-based geolocation — We derive approximate city, region (state/province), and country from your IP address. This data is approximate (typically accurate to the city level) and is not precise enough to identify a specific individual or street address.
- Device signals — Screen width, screen height, device pixel ratio, browser language, timezone, and platform (operating system). These signals are combined and hashed into a single fingerprint hash using SHA-256 to help distinguish unique visitors from repeat visits. We do not store these individual signals in a way that identifies you personally.
- User agent string — Your browser's identification string
- Referrer — The URL that directed you to the landing page (if any)
- Scan source — Whether the visit originated from a QR code scan on a printed card or from an organic/shared link
Click Event Tracking on QR Landing Pages:
When you interact with action buttons on a QR landing page (such as “Visit Website,” “Call Now,” “Email,” “Get Directions,” or “Claim Offer”), we record:
- The type of action taken
- A timestamp
- A hashed IP address (for uniqueness estimation)
We do not record the content of phone calls, emails, or any information you provide to the advertiser's business after clicking through.
2.3 Information from Third-Party Services
- Stripe: Payment transaction metadata (checkout session IDs, payment intent IDs, email address used at checkout). We do not receive or store full credit card numbers, bank account numbers, or other sensitive financial data — Stripe handles all payment data directly.
- Clerk: Authentication data (user ID, email, authentication method). Clerk manages password storage and security; we do not have access to your passwords.
- USPS (via public GIS data): Carrier route demographic data (residential counts, median income, median age, household size by route). This is aggregate census-level data, not individual-level data.
3. How We Use Your Information
We use the information we collect for the following purposes:
To Operate the Platform:
- Create and manage your account
- Process spot purchases and payments through Stripe
- Display operator profiles and drop listings
- Display advertiser business information on QR landing pages
- Facilitate communication between operators and advertisers
- Generate and link QR codes to landing pages
To Provide Engagement Analytics:
- Track QR code scans and page visits (using hashed identifiers, not personal data)
- Record click events on landing pages
- Provide operators and advertisers with aggregate engagement metrics (total scans, unique visitors, click counts, geographic distribution)
- Distinguish between QR code scans from printed cards and organic web visits
To Improve the Platform:
- Analyze usage patterns to improve features and user experience
- Identify and fix bugs or technical issues
- Develop new features based on aggregate usage data
To Communicate With You:
- Send transactional emails (purchase confirmations, intake form notifications, drop status updates)
- Respond to support requests
- Send platform announcements or policy updates
To Protect the Platform and Users:
- Detect and prevent fraud, abuse, or violations of our Terms of Service
- Enforce our Acceptable Use Policy and Content Policy
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information to third parties. We share information only in the following circumstances:
4.1 Between Operators and Advertisers
When an advertiser purchases a spot, the operator receives the advertiser's submitted business information (name, contact details, logo, offer details) to fulfill the card printing and mailing. This is the core function of the platform.
Operators receive aggregate engagement data (scan counts, click counts, geographic summaries) for spots on their drops. They do not receive raw IP addresses, device fingerprints, or personally identifiable information about QR code scanners.
4.2 Service Providers
We share information with third-party service providers who help us operate the platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Transaction details, email, payment amounts |
| Clerk | Authentication | Email, account credentials |
| Convex | Database and backend | All platform data (stored securely per their terms) |
| Vercel | Hosting and deployment | Server logs, request data |
| Resend | Transactional email | Email addresses, email content |
| Mapbox | Map rendering (EDDM planner) | Geographic coordinates for map display |
These providers process data on our behalf and are contractually obligated to use it only for the services they provide to us.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of SpotDrops, our users, or the public.
4.4 Business Transfers
If Seven Pillar House LLC is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide you with our services. Specific retention periods:
- Account data (operators and advertisers): Retained for the life of the account plus 2 years after termination for compliance and dispute resolution purposes
- Spot and drop data: Retained for 3 years after drop completion for analytics and record-keeping
- QR scan and page visit data: Retained for 2 years after the associated drop is completed. This data contains only hashed identifiers, not personal information.
- Click event data: Retained for 2 years after the associated drop is completed
- Stripe transaction records: Retained as required by applicable tax and financial reporting laws (typically 7 years)
- EDDM route cache data: Automatically purged after 7 days (this is publicly available USPS data)
After the applicable retention period, data is deleted or anonymized.
6. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your information:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- IP addresses are hashed using SHA-256 before storage — we do not retain raw IP addresses from QR scans or page visits
- Device fingerprint data is hashed before storage
- Payment data is handled entirely by Stripe, which is PCI-DSS Level 1 certified
- Authentication is managed by Clerk with industry-standard security practices
- Access to production data is restricted to authorized personnel
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of a security incident, please contact us immediately at support@spotdrops.app.
7. Your Rights and Choices
7.1 Access and Portability
You may request a copy of the personal information we hold about you by contacting support@spotdrops.app. We will respond within 30 days.
7.2 Correction
You can update your account information at any time through your SpotDrops dashboard. For corrections to data you cannot edit directly, contact support@spotdrops.app.
7.3 Deletion
You may request deletion of your account and associated personal data by contacting support@spotdrops.app. Please note:
- We may retain certain information as required by law (e.g., tax records, transaction history)
- Data that has been shared with operators or advertisers as part of completed transactions cannot be recalled
- Hashed data (IP hashes, fingerprint hashes) cannot be linked back to you and may be retained in aggregate analytics
7.4 Opt-Out of Communications
You can opt out of non-essential communications at any time. Transactional emails related to your account activity (purchase confirmations, refund notifications) cannot be opted out of while your account is active, as they are necessary for platform operation.
7.5 Do Not Track
Our platform does not currently respond to “Do Not Track” browser signals, as there is no industry-standard interpretation of this signal. However, our tracking on QR landing pages uses only hashed, non-personally-identifiable data as described in Section 2.2.
8. State-Specific Privacy Rights
8.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information (subject to exceptions)
- Opt out of the “sale” of personal information — we do not sell personal information
- Not be discriminated against for exercising your privacy rights
To exercise these rights, contact support@spotdrops.app with the subject line “California Privacy Request.”
8.2 Other State Privacy Laws
Several states have enacted comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, and others). If you are a resident of a state with applicable privacy legislation, you may have similar rights to access, correct, delete, and opt out of certain processing of your personal information. Contact support@spotdrops.app to exercise any applicable rights.
We will respond to verified requests within the timeframes required by applicable law (typically 30-45 days).
9. Children's Privacy
SpotDrops is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, contact us at support@spotdrops.app.
10. Third-Party Links and Services
SpotDrops may contain links to third-party websites, services, or applications (e.g., advertiser websites linked from QR landing pages, Stripe payment pages, Mapbox maps). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you interact with through our platform.
11. Cookies and Similar Technologies
SpotDrops uses cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and platform functionality (provided by Clerk and our hosting infrastructure)
- Analytics: We may use lightweight, privacy-friendly analytics to understand aggregate usage patterns. These tools are configured to respect user privacy and minimize data collection.
We do not use advertising cookies, retargeting pixels, or third-party tracking cookies. We do not serve ads on our platform.
You can control cookie settings through your browser preferences. Disabling essential cookies may prevent you from using certain platform features.
12. International Users
SpotDrops is operated from the United States and is intended for use within the United States. If you access SpotDrops from outside the United States, you acknowledge that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform features. We will notify you of material changes by email (to the address on file) or by posting a prominent notice on the platform at least 14 days before the changes take effect.
The “Last Updated” date at the top of this policy indicates when it was most recently revised. Your continued use of SpotDrops after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us:
SpotDrops Privacy Inquiries
Email: support@spotdrops.app
Website: spotdrops.app
Operated by: Seven Pillar House LLC (Wyoming)
See also our Terms of Service.