Privacy Policy

1. Overview

We are committed to protecting the privacy, confidentiality, and security of information entrusted to us. This Privacy Policy applies to all users of the Service, including merchants, administrators, authorized personnel, and any individual whose personal information is processed through the Platform. It also applies to Customer Data provided by merchants, which we process strictly on their behalf.

This Policy applies globally, including to users located in the United States, Latin America, the European Union, and other jurisdictions where we operate.

2. Information We Collect

We collect several categories of information to operate, maintain, and improve the Service.

2.1 Account Information

When you create an account or authenticate using Google, Apple, Meta, or email login, we collect:

• Email address
• Display name (if provided)
• Authentication provider identifiers
• Associated metadata necessary for login and security

This information is required to operate the account and maintain secure access to the Platform.

2.2 Business Information

Merchants may provide business-related information, including:

• Store name
• Store location(s)
• Business contact information
• Store phone number
• Inventory, product descriptions, and images
• Marketing copy and advertising materials

This information is used to enable the Service's business, messaging, and AI features.

2.3 Customer & End-User Data ("Customer Data")

Merchants may upload or transmit information about their own customers or contacts, including:

• Names
• Phone numbers
• WhatsApp identifiers
• Purchase or inquiry information
• Notes or tags
• Contact history

Merchants must ensure they have obtained all rights and permissions necessary to upload or provide Customer Data. For Customer Data, the merchant is the Data Controller; we act solely as a Data Processor, processing that information on behalf of and under the instructions of the merchant. While we act as a Data Processor for the specific names and contact details within your database, we may derive Aggregated and Anonymized Data from these records (see Section 3.5) for which we act as a Data Controller.

2.4 Message Content and Communications

To provide the Service, we store and process:

• Incoming and outgoing WhatsApp messages
• System-generated messages
• Message templates
• AI-generated responses
• Media or attachments transmitted through the Service
• Conversation history

This data may be retained to provide continuity, maintain chat context, improve AI relevance, and support audit logging. We collect and store Messaging Metadata (e.g., timestamps, message volume, response rates, and intent categories). This data is used to provide the Service and to generate anonymized district-level intelligence.

2.5 Billing and Payment Information

Payments are processed by third-party payment processors. We do not collect or store full credit card numbers. We may receive limited metadata (e.g., subscription status, transaction identifiers) from the payment processor to support billing functions.

2.6 Technical and Usage Information

We may automatically collect technical information including:

• IP address
• Browser type
• Device identifiers
• Operating system
• Access times
• Referring URL
• Feature usage data
• Diagnostic logs

This information helps us secure, operate, and improve the Service.

Line Sheet Analytics: We automatically collect information about how you interact with digital line sheets provided through the Service. This includes:

• Interaction Data: Which products are viewed and for how long.
• Access Metadata: Timestamps of visits and frequency of access.
• Device Information: Basic device type and approximate location (IP-based) to ensure security and prevent unauthorized access.

3. How We Use Information

We use personal information for the following purposes:

3.1 Providing and Improving the Service

To authenticate users, deliver messaging functionality, facilitate AI responses, maintain data continuity, and perform core features of the Platform.

3.2 Communications and Support

To communicate with users, provide technical support, send administrative notices, and respond to inquiries.

3.3 AI Processing & Training

We use message content to facilitate real-time AI responses. We do not use PII (names/phone numbers) to train global AI models. However, we may use Anonymized Conversational Patterns to improve the accuracy of our industry-specific wholesale agents.

3.4 Security, Fraud Prevention, and Compliance

To protect the Service against unauthorized access, enforce our terms, detect abuse, and comply with legal obligations.

3.5 Analytics, Product Development & Market Insights

To understand how the Platform is used, improve functionality, develop new features, and conduct internal research.

District-Level Intelligence: We use anonymized and aggregated usage data to identify market trends, buyer behavior patterns, and inventory demand across the wholesale ecosystem. This "Derived Data" does not identify any individual Merchant or Customer and is used to provide benchmarking reports and improve the efficiency of the wholesale district.

We use interaction data to help Merchants understand which products are in high demand. We also use anonymized, aggregated versions of this data to identify broader market trends within the wholesale district to improve our AI and inventory forecasting tools.

3.6 Legal Obligations

To satisfy contractual or legal requirements, including tax, accounting, and regulatory compliance.

4. Legal Bases for Processing (GDPR)

Where the GDPR applies, we process personal information under the following lawful bases:

• Contract performance – processing required to provide the Service.
• Legitimate interests – including security, product improvement, fraud prevention, and customer support, balanced against user rights.
• Consent – for optional features or where required.
• Legal compliance – where processing is necessary to comply with law.

5. AI Technologies and Automated Decision-Making

We use third-party AI technologies to generate automated responses and assist merchants in managing conversations. These technologies may process message content and product information necessary for generating outputs.

AI outputs may be incorrect, unpredictable, or incomplete. Merchants remain responsible for reviewing content and ensuring compliance with legal and regulatory requirements. Drippy does not provide professional, legal, financial, or employment advice.

We do not use AI to make automated decisions that have legal or similarly significant effects on individuals without human oversight.

6. Cookies and Tracking Technologies

We may use cookies and similar technologies to authenticate users, maintain sessions, improve performance, analyze usage patterns, and personalize features. Users may disable cookies through browser settings, although this may affect functionality.

7. How Information Is Shared

We do not sell personal information.

We may share information with:

7.1 Service Providers

We use trusted service providers to support hosting, authentication, message delivery, analytics, AI processing, email, and infrastructure services. These providers process information only as instructed and only as necessary to operate the Service.

7.2 Payment Processors

We share billing information with payment providers for subscription and payment-related functions.

7.3 Law Enforcement and Legal Requests

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

Before responding to any legal request for user data, we:

• Review the legality and validity of the request
• Challenge requests that are overly broad, unclear, or unlawful
• Provide only the minimum data necessary to comply with the request
• Notify affected users when legally permitted to do so

We reserve the right to refuse requests that do not meet legal standards.

7.4 Business Transfers

If we undergo a merger, acquisition, financing, or sale of assets, information may be transferred as part of the transaction.

A list of subprocessors may be provided upon request at support@heydrippy.com.

8. Roles of Data Controller and Data Processor

8.1 Merchant as Data Controller

For all Customer Data uploaded or transmitted by the merchant, the merchant is the Data Controller, responsible for determining the purposes and means of processing.

8.2 Drippy Inc. as Data Processor

We act as a Data Processor for Customer Data to provide the Service on behalf of and under the instructions of the merchant. This includes the transmission and storage of specific customer contact lists and message content.

8.3 Drippy Inc. as Controller for Platform & Derived Data

We act as a Data Controller for account, billing, authentication, and platform usage data. Additionally, we act as a Data Controller for "Derived Data," which includes anonymized, de-identified, and aggregated information generated from the use of the Service. This data is used for industry benchmarking, improving our machine learning models, and providing market insights.

9. Data Retention

We retain personal information only as long as necessary to provide the Service, fulfill legal obligations, or maintain business records.

Operational Data: Conversation history and merchant-specific templates are retained for the duration of the account.

Anonymized Analytics: We may retain anonymized and aggregated transaction metadata (e.g., product category trends, interaction timestamps, and general buyer intent signals) indefinitely. This data does not contain PII and is used for long-term district trend analysis.

10. Data Deletion

Users may request deletion of their account or associated information by contacting:

📩 support@heydrippy.com

PII Removal: We will delete all Personal Identifiable Information (PII) within 14 days of verification.

Anonymization: In lieu of total deletion of activity records, we may choose to permanently anonymize certain data points so they can no longer be associated with a specific merchant or buyer, in accordance with applicable laws (e.g., CCPA/CPRA).

11. International Data Transfers

Although primary storage may reside in the United States, data may be transmitted internationally in connection with WhatsApp message delivery, AI processing, or other operational requirements. Where required, we rely on appropriate safeguards, such as Standard Contractual Clauses (SCCs), to protect data transferred from the European Economic Area (EEA), United Kingdom, or Switzerland.

Data may be processed by third-party AI providers and cloud infrastructure located in the United States. We ensure all sub-processors maintain high security standards and comply with current Data Privacy Frameworks.

12. Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, loss, or misuse. However, no method of storage or transmission is completely secure; users provide information at their own risk.

13. Children's Privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 18.

14. Rights of Users Under Applicable Laws

Depending on jurisdiction, users may have rights including:

Under GDPR (EU/EEA):

• right to access
• right to rectification
• right to erasure
• right to restrict processing
• right to object
• right to data portability
• right to withdraw consent

Under CCPA/CPRA (California):

• right to know categories of data collected
• right to access specific information
• right to deletion
• right to correct inaccurate information
• right to opt out of data sale or sharing (we do not sell data)
• right to non-discrimination

To exercise rights, contact support@heydrippy.com.

15. Notice to California Residents (CPRA Notice at Collection)

We collect the following categories of personal information:

• identifiers (e.g., name, email, phone number)
• commercial information (e.g., subscription details)
• internet or device activity
• geolocation (approximate)
• professional or business information
• inferences derived from usage analytics

We do not sell or share personal information for cross-context behavioral advertising.

16. Third-Party Links

The Service may contain links to third-party sites or resources. We are not responsible for the privacy practices or content of those third parties.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last Updated" date above. Continued use of the Service signifies acceptance of updated terms.