Privacy Policy

Effective date: April 7, 2026

Data Controller: Global Software Development SRL, operating PreviewDrop (previewdrop.dev). Contact: privacy@previewdrop.dev.

1. Introduction

Welcome to PreviewDrop (“Company”, “we”, “us”, or “our”). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

By using PreviewDrop, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the service.


2. Information We Collect

We collect several types of information to provide and improve our service:

2.1 Account Information

When you sign up via GitHub OAuth, we receive your GitHub username, display name, email address, and profile avatar URL. We store these to authenticate you and personalise your experience.

2.2 GitHub Repository Data

When you connect a repository, we store the repository name, owner, and branch information necessary to trigger deployments. We do not clone or store your source code on our servers; builds run ephemerally and artifacts are discarded after the deployment container is started.

2.3 Deployment & Usage Data

We record metadata about each deployment — timestamps, status, build duration, and the unique preview URL — so you can manage and review your history. Aggregate usage metrics (number of deployments, active projects) are used to enforce plan limits and generate invoices.

2.4 Environment Variables

Environment variables you add to a project are encrypted at rest using AES-256 and injected into build containers at runtime. We cannot read the plaintext values of your secrets outside of the build process.

2.5 Payment Information

Billing is handled by Stripe. We never see or store your raw card details. We receive a Stripe customer ID and subscription status that we use to determine your plan.

2.6 Log & Diagnostic Data

Server-side request logs (IP address, user-agent, HTTP method, response code, timestamp) are retained for up to 30 days for security monitoring and debugging. These logs are not shared with third parties.


3. How We Use Your Information

  • To provide, operate, and maintain the PreviewDrop service.
  • To authenticate you and secure your account.
  • To trigger and manage GitHub-based deployments on your behalf.
  • To enforce plan limits and generate accurate invoices via Stripe.
  • To send transactional emails (e.g. deployment failure alerts, billing receipts).
  • To monitor service health, detect abuse, and respond to security incidents.
  • To improve the product based on aggregate, anonymised usage patterns.

We do not sell your personal data. We do not use your data for advertising.


3a. Lawful Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data under the following lawful bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data, GitHub repository access, deployment records, and billing information is necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Server logs, security monitoring, abuse detection, and error tracking serve our legitimate interest in operating a secure and reliable service. These interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by applicable tax and financial regulations.

4. Sharing of Information

We share data only in the following limited circumstances:

  • Service providers: Supabase (database, EU region), Hetzner Cloud (servers in Nuremberg, Germany — data stays within the EU), Stripe (payments, US-based — transfers are covered by Standard Contractual Clauses), and Sentry (error monitoring, EU data residency) process data on our behalf under Data Processing Agreements.
  • GitHub: We interact with the GitHub API on your behalf to clone repositories and post deployment status checks. GitHub's own privacy policy governs that interaction.
  • Legal obligations: We may disclose information if required by law, court order, or to protect our rights.
  • Business transfers: If PreviewDrop is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you beforehand.

5. Cookies & Tracking

We use the following cookies:

  • Session cookies (strictly necessary): Set by Auth.js (NextAuth) to maintain your logged-in session. These expire when you close your browser or sign out.
  • CSRF tokens (strictly necessary): Short-lived tokens to protect form submissions.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies that identify individual users.


6. Data Retention

  • Account data is retained while your account is active.
  • Deployment metadata is retained for 12 months after a project is deleted.
  • Server logs are purged after 30 days.
  • When you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required for legal or billing compliance.

7. Security

We implement industry-standard security measures: TLS in transit, AES-256 encryption for secrets at rest, and role-based access controls at the database level. We perform regular dependency audits and promptly patch known vulnerabilities. No system is perfectly secure — if you discover a vulnerability, please report it responsibly to security@previewdrop.dev.


8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the data we hold about you.
  • Correction: Ask us to correct inaccurate data.
  • Deletion: Request that we delete your personal data.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to certain processing activities.

To exercise these rights, contact us at privacy@previewdrop.dev. We will respond within 30 days (1 month as required by GDPR Art. 12).

Right to lodge a complaint (GDPR Art. 77): If you are located in the EEA and believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.


8a. International Data Transfers

Our primary infrastructure runs in Nuremberg, Germany (EU). Your account data is stored by Supabase in the EU region. However, some sub-processors operate in the United States:

  • Stripe — payment processing. Transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR.
  • GitHub — OAuth authentication and repository access. Governed by GitHub's own DPA and SCCs.

You may request a copy of the applicable transfer safeguards by contacting privacy@previewdrop.dev.


9. Children's Privacy

PreviewDrop is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.


10. Changes to This Policy

We may update this policy from time to time. When we do, we'll revise the effective date above and, for material changes, notify you via email or an in-app banner. Continued use of PreviewDrop after changes take effect constitutes acceptance of the revised policy.


11. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@previewdrop.dev.