Privacy Policy

Last Updated: April 7, 2026

Dropleather Inc. ("Dropleather," "we," "us," or "our") values your privacy and is committed to protecting the Personal Data of all users of our websites and services.

This Privacy Policy explains how we collect, use, disclose, and safeguard your Personal Data when you visit or use our platform available at dropleather.com, app.dropleather.com, and related subdomains.

By using our Services, you agree to the practices described in this Privacy Policy.

1. PERSONAL DATA WE COLLECT

We collect and process the following types of Personal Data:

1.1 Account and Order Information

When you create an account, request a quotation, or place an order, we collect:

  • Name and surname

  • Business name

  • Email address and phone number

  • Billing and shipping addresses

  • Payment information (via third-party processors such as Stripe or PayPal)

  • Product designs, brand logos, packaging specifications, and content you upload

  • Order and invoice history

1.2 Communication Data

When you contact our team or Customer Support, we collect:

  • Your contact details

  • Message contents and attachments

  • Support ticket history

1.3 Automatically Collected Data

When you use our websites or platform, we may collect:

  • IP address, device ID, browser type, and operating system

  • Pages visited, time spent, and referring URLs

  • Cookie and analytics identifiers (on dropleather.com, managed via cookie consent banner)

  • Anonymized usage events such as sign-up, login, and purchase activity — these contain no personally identifiable information and are automatically deleted after 90 days.

You may manage or disable cookies at any time via your browser settings or our Cookie Policy.

1.4 Data Collected via Third-Party Platform Integrations (Shopify, WooCommerce, etc.)

When you connect your e-commerce store to Dropleather through our integration
features, we collect and process:

  • Store domain and authentication credentials (OAuth access tokens — stored
    securely, never shared)

  • Product information (titles, descriptions, prices, images, SKUs, inventory levels)

  • Order information (order numbers, customer names, email addresses, phone numbers, shipping addresses, payment status)

  • Fulfillment and tracking information (tracking numbers, carrier details,
    shipment status)

This data is collected solely to:

  • Synchronize products between your store and Dropleather

  • Process and fulfill orders placed through your store

  • Provide tracking updates and shipping notifications to your customers

  • Display order analytics and reports in your Dropleather dashboard

Data Retention for Integrations: Integration data (access tokens, synced
product records) is deleted when you disconnect your store from Dropleather.
Order data is retained for financial and legal compliance purposes but
customer personal data can be anonymized upon request.

Customer Data Requests: If a customer of your store requests access to or
deletion of their personal data, Shopify will notify us via mandatory
compliance webhooks. We will respond to data access requests by providing the
stored customer information within 30 days, and respond to data deletion
requests by anonymizing the customer's personal information in our records
within 30 days.

Shop Uninstall: When a merchant uninstalls the Dropleather app from their
store, we delete all integration data, synced product records, and webhook
configurations within 48 hours. Order records are retained in anonymized form
for financial compliance.

2. PURPOSE OF PROCESSING

We process your Personal Data for the following purposes:

  • To register and manage your account

  • To produce, package, and fulfill your custom leather orders

  • To process payments and manage invoices

  • To communicate regarding orders and customer support

  • To improve our products, logistics, and digital platforms

  • To comply with applicable legal and regulatory obligations

  • To send marketing communications (only with your consent or legitimate interest)

  • To synchronize products and orders with connected third-party platforms (Shopify, WooCommerce, etc.)

  • To provide fulfillment tracking and shipping notifications

We may also create anonymized data for research, analytics, or service improvement.

3. HOW WE SHARE YOUR PERSONAL DATA

We do not sell or rent your Personal Data. We may share it only as follows:

3.1 Service Providers

We share limited Personal Data with trusted third parties who perform functions on our behalf, such as:

  • Payment processors (Stripe, PayPal, Adyen)

  • Cloud storage & hosting (Amazon Web Services, Supabase)

  • 3D printing and fulfillment partners (for custom logo stamps, embossing, and manufacturing)

  • Shipping carriers (for global delivery)

  • Marketing providers (e.g., HubSpot, Meta Ads) and analytics tools on dropleather.com (e.g., Google Analytics)

  • E-commerce platforms (Shopify, WooCommerce) — only when you connect your store via our integration

Each provider is bound by strict confidentiality agreements and GDPR-compliant Data Processing Agreements.

3.2 Business Transfers

In the event of a merger, acquisition, or asset sale, your Personal Data may be transferred to the acquiring entity, subject to the same privacy obligations.

3.3 Legal and Compliance Disclosures

We may disclose your information if required by law, subpoena, court order, or to protect the rights, property, or safety of Dropleather, our users, or the public.

3.4 International Transfers

Your Personal Data may be transferred to and processed in the United States, Morocco, and the European Union. We ensure that such transfers comply with applicable privacy laws through:

  • Standard Contractual Clauses (SCCs)

  • EU–US Data Privacy Framework (for certified partners)

  • Signed Data Processing Agreements

4. SECURITY OF YOUR DATA

We employ appropriate technical and organizational measures to protect your data, including:

  • SSL/TLS encryption for data transmission

  • Encrypted password storage

  • Role-based internal access

  • Regular security audits and backup systems

  • OAuth 2.0 with asymmetric JWT (ES256) for authentication

  • HMAC-SHA256 signature verification for all webhook communications

No system is completely secure; however, we take all reasonable precautions to prevent unauthorized access or misuse.

5. DATA RETENTION

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and tax obligations, and resolve disputes or enforce agreements. For third-party platform integrations, data is retained as follows:

  • Integration credentials and OAuth tokens are deleted within 48 hours of store disconnection or app uninstall.

  • Synced product records are deleted within 48 hours of store disconnection or app uninstall.

  • Order data containing customer personal data (name, email, phone, shipping address) is retained for 7 years from order creation to satisfy German tax-keeping obligations under HGB §257 (commercial records) and AO §147 (tax records), after which customer personal fields are automatically anonymized while order totals, dates, and product references are kept for financial reporting and audit.

  • On-demand deletion ensures that customer personal data is anonymized within 30 days of receiving a deletion request via the Shopify customers/redact webhook (GDPR Article 17), regardless of the 7-year tax-keeping window.

  • Backups are automatically deleted 30 days after creation (Supabase Pro point-in-time recovery window).

After these periods, data is securely deleted or anonymized.

6. YOUR RIGHTS

Depending on your jurisdiction, you have the right to:

  • Access and obtain a copy of your Personal Data

  • Request correction or deletion of inaccurate or outdated information

  • Withdraw consent or restrict processing

  • Object to marketing communications

  • Request data portability

To exercise your rights, contact us at privacy@dropleather.com. We will respond within the legally required timeframe.

7. MARKETING COMMUNICATIONS

If you are an active business client, Dropleather may send you communications about new products, offers, or updates relevant to your account. You can unsubscribe anytime through your account settings or by clicking the "Unsubscribe" link in our emails.

Administrative or transactional messages (such as order confirmations and invoices) will still be sent.

8. COOKIE POLICY

On dropleather.com, we use cookies and similar technologies for analytics, marketing, and personalization. You can manage your cookie preferences through the consent banner displayed on the site or via your browser settings.

On app.dropleather.com, we use only essential cookies required for authentication and platform functionality. No third-party tracking cookies are used, and no cookie consent banner is required.

For details, refer to our Cookie Policy available on dropleather.com.

9. DATA PROCESSING AGREEMENT (DPA)

9.1 Applicability

This DPA applies when Dropleather processes Personal Data on behalf of a business customer (e.g., a brand or retailer using our white-label platform).

In these cases:

  • The Customer is the Data Controller.

  • Dropleather Inc. acts as the Data Processor.

9.2 Processor Obligations

Dropleather agrees to:

  • Process Personal Data only in accordance with the Customer's documented instructions.

  • Implement appropriate technical and organizational measures to ensure data security.

  • Ensure that all personnel authorized to process data are bound by confidentiality.

  • Assist the Customer in fulfilling their data subject requests and compliance obligations.

  • Notify the Customer without undue delay in the event of a data breach.

  • Upon termination of services, delete or return all Personal Data, unless required by law to retain it.

  • Maintain records of processing activities as required by GDPR Article 30.

9.3 Sub-Processors

Dropleather may engage sub-processors (e.g., payment, cloud, or logistics providers). A current list of sub-processors is available upon request at privacy@dropleather.com. Dropleather remains fully responsible for the performance of each sub-processor.

9.4 Data Transfer Mechanisms

Dropleather ensures that international data transfers are conducted under:

  • Standard Contractual Clauses (EU Commission)

  • Data Privacy Framework certifications (where applicable)

  • Signed sub-processor agreements ensuring equivalent data protection.

9.5 Audit Rights

The Customer may audit Dropleather's data processing compliance upon reasonable notice, limited to once per year, and under strict confidentiality.

10. CHANGES TO THIS PRIVACY POLICY

Dropleather reserves the right to update this Privacy Policy at any time. If changes are material, we will notify you via email or a notice on our website at least 30 days prior to the change taking effect. The updated version will be posted with a revised "Last Updated" date.

11. CONTACT INFORMATION


Dropleather Inc.

254 Chapman Rd, Ste 208 #25587, Newark, Delaware 19702, United States

privacy@dropleather.com

If you are located in the EU, you have the right to file a complaint with your national data protection authority.