Back to home

LAST UPDATED: MARCH 2026

Privacy Policy

How Drop collects, uses, and protects your data. Clear, simple, no legalese.

Data Controller

Drop is operated by Greg Lazarus (sole proprietor), based in Tulum, Quintana Roo, Mexico.

For privacy inquiries: privacy@usedrop.app

Data We Collect

Through the provider registration form on usedrop.app:

  • Name
  • WhatsApp phone number
  • Service description
  • Source identifier (landing / waitlist)

Through the app at app.usedrop.app:

  • Google account email (OAuth login)
  • Search queries
  • Location (browser geolocation, with your consent)
  • Language preference
  • Push notification subscription

Why We Collect It

Provider registration: To review, approve, and list local service providers in the Drop directory.

Waitlist: To notify you when paid tiers (Drop Presence / Drop Studio) become available.

App usage: To provide personalized local search results and connect you with providers.

Analytics: To improve the service. No third-party analytics are currently active.

Data Storage & Protection

Your data is stored in AWS DynamoDB (us-east-1 region). API keys and secrets are stored in AWS Secrets Manager.

  • No data sold to third parties
  • No advertising or tracking cookies
  • HTTPS enforced on all endpoints

Your Rights (ARCO)

Under Mexico's LFPDPPP, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Cancellation: Request deletion of your data
  • Opposition: Object to processing of your data

To exercise your ARCO rights, email privacy@usedrop.app. We will respond within 20 business days.

Data Transfers

  • Data may be processed by AWS infrastructure in the United States (us-east-1)
  • Search queries are processed by Groq (LLM provider) for intent classification — queries only, no personal identifiers
  • Google Places API receives location coordinates for provider search — no user identity attached
  • No other third-party data transfers

Data Retention

  • Provider registration: Retained while active in the directory. Deleted within 30 days of removal request.
  • Waitlist: Retained until the service launches or you request removal.
  • Search cache: 24 hours (Google Places) or 10 minutes (intent classification), then automatically deleted.
  • User preferences: Stored locally on your device (localStorage). Not transmitted to our servers.

Cookies & Tracking

  • No advertising cookies
  • No third-party tracking scripts
  • The landing site (usedrop.app) uses zero cookies
  • The app (app.usedrop.app) uses an authentication cookie for session management (HttpOnly, Secure)

Changes to This Policy

We may update this policy. Changes will be posted on this page with an updated effective date.