Dropleather Privacy Policy

1. PERSONAL DATA WE COLLECT

We collect and process the following types of Personal Data:

1.1 Account and Order Information

When you create an account, request a quotation, or place an order, we collect:

• Name and surname
• Business name
• Email address and phone number
• Billing and shipping addresses
• Payment information (via third-party processors such as Stripe or PayPal)
• Product designs, brand logos, packaging specifications, and content you upload
• Order and invoice history

1.2 Communication Data

When you contact our team or Customer Support, we collect:

• Your contact details
• Message contents and attachments
• Support ticket history

1.3 Automatically Collected Data

When you use our websites or platform, we may collect:

• IP address, device ID, browser type, and operating system
• Pages visited, time spent, and referring URLs
• Cookie and analytics identifiers

You may manage or disable cookies at any time via your browser settings or our Cookie Policy.

2. PURPOSE OF PROCESSING

We process your Personal Data for the following purposes:

• To register and manage your account
• To produce, package, and fulfill your custom leather orders
• To process payments and manage invoices
• To communicate regarding orders and customer support
• To improve our products, logistics, and digital platforms
• To comply with applicable legal and regulatory obligations
• To send marketing communications (only with your consent or legitimate interest)

We may also create anonymized data for research, analytics, or service improvement.

3. HOW WE SHARE YOUR PERSONAL DATA

We do not sell or rent your Personal Data. We may share it only as follows:

3.1 Service Providers

We share limited Personal Data with trusted third parties who perform functions on our behalf, such as:

• Payment processors (Stripe, PayPal, Adyen)
• Cloud storage & hosting (Amazon Web Services, Supabase)
• 3D printing and fulfillment partners (for custom logo stamps, embossing, and manufacturing)
• Shipping carriers (for global delivery)
• Analytics and marketing providers (e.g., Google Analytics, HubSpot, Meta Ads)

Each provider is bound by strict confidentiality agreements and GDPR-compliant Data Processing Agreements.

3.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred to the acquiring entity under the same privacy obligations.

3.3 Legal and Compliance Disclosures

We may disclose your information if required by law, subpoena, court order, or to protect the rights, property, or safety of Dropleather, our users, or the public.

3.4 International Transfers

Your Personal Data may be transferred to and processed in the United States, Morocco, and the European Union. We ensure that such transfers comply with applicable privacy laws through:

• Standard Contractual Clauses (SCCs)
• EU–US Data Privacy Framework (for certified partners)
• Signed Data Processing Agreements

4. SECURITY OF YOUR DATA

We employ appropriate technical and organizational measures to protect your data, including:

• SSL/TLS encryption for data transmission
• Encrypted password storage
• Role-based internal access
• Regular security audits and backup systems

No system is completely secure; however, we take all reasonable precautions to prevent unauthorized access or misuse.

5. DATA RETENTION

We retain your Personal Data only for as long as necessary to:

• Fulfill the purposes for which it was collected
• Comply with legal and tax obligations
• Resolve disputes or enforce agreements

After this period, data is securely deleted or anonymized.

6. YOUR RIGHTS

Depending on your jurisdiction, you have the right to:

• Access and obtain a copy of your Personal Data
• Request correction or deletion of inaccurate or outdated information
• Withdraw consent or restrict processing
• Object to marketing communications
• Request data portability

To exercise your rights, contact us at privacy@dropleather.com. We will respond within the legally required timeframe.

7. MARKETING COMMUNICATIONS

As an active business client, Dropleather may send you communications about new products, offers, or updates relevant to your account. You can unsubscribe anytime through your account settings or by clicking the "Unsubscribe" link in our emails.

Administrative or transactional messages (order confirmations, invoices) will still be sent.

8. COOKIE POLICY

Dropleather uses cookies and similar technologies for analytics, functionality, and personalization. You can manage cookie preferences through our website banner or browser settings. For details, refer to our separate Cookie Policy available on our website.

9. DATA PROCESSING AGREEMENT (DPA)

9.1 Applicability

This DPA applies when Dropleather processes Personal Data on behalf of a business customer (e.g., brands or retailers using our white-label platform).

In these cases:

• The Customer is the Data Controller.
• Dropleather Inc. acts as the Data Processor.

9.2 Processor Obligations

Dropleather agrees to:

• Process Personal Data only according to the Customer's documented instructions.
• Implement appropriate technical and organizational measures to ensure data security.
• Ensure that all personnel authorized to process data are bound by confidentiality.
• Assist the Customer in fulfilling their data subject requests and compliance obligations.
• Notify the Customer without undue delay in the event of a data breach.
• Upon termination of services, delete or return all Personal Data, unless required by law to retain it.
• Maintain records of processing activities as required by GDPR Article 30.

9.3 Sub-Processors

Dropleather may engage sub-processors (e.g., payment, cloud, or logistics providers). A current list of sub-processors is available upon request at privacy@dropleather.com. Dropleather remains fully responsible for the performance of each sub-processor.

9.4 Data Transfer Mechanisms

Dropleather ensures that international data transfers are conducted under:

• Standard Contractual Clauses (EU Commission)
• Data Privacy Framework certifications (where applicable)
• Signed sub-processor agreements ensuring equivalent data protection.

9.5 Audit Rights

The Customer may audit Dropleather's data processing compliance upon reasonable notice, limited to once per year, and under strict confidentiality.

10. CHANGES TO THIS PRIVACY POLICY

Dropleather reserves the right to update this Privacy Policy at any time. If changes are material, we will notify you via email or a notice on our website at least 30 days prior to the change taking effect. The updated version will be posted with a revised "Last Updated" date.

11. CONTACT INFORMATION

If you are located in the EU, you have the right to file a complaint with your national data protection authority.