Privacy Policy
This Policy explains what personal data DropRenew collects, why, who we share it with, how long we keep it, and the rights you have — including exporting your data and deleting your account.
1 · Who we are & scope
This Privacy Policy explains how [LEGAL ENTITY NAME], a company incorporated in Israel ("DropRenew", "we", "us", "our"), collects and uses personal data when you use the DropRenew website and application (the "Service"). For data about your use of the Service, DropRenew is the data controller. This Policy forms part of our Terms of Service.
We serve users around the world. We treat the EU and UK GDPR as our baseline standard, and we also honour rights under the California Consumer Privacy Act (as amended by the CPRA), the Israeli Privacy Protection Law, 5741-1981, and other applicable laws.
2 · What we collect
You give us
- Identity & account data — your name, email address, and, if you sign in with Google, your Google profile name and photo.
- Portfolio & registrar data — the domains, expiry dates, registrar information, valuations, notes, themes and related data you enter or connect, including any registrar API credentials you choose to store.
- Communications & feedback — messages, support requests and beta feedback you send us.
We generate
- Analysis outputs — valuations, scores, recommendations, alerts and signal analyses we produce for your portfolio.
- Account-lifecycle data — your role, onboarding and disclaimer status, and last-active time.
We collect automatically
- Usage & device data — pages viewed, actions taken, approximate location, browser and device information, and log data.
- Cookies & analytics — via Google Analytics and Microsoft Clarity (which records page interactions such as clicks, scrolling and navigation as part of heatmaps and session recordings). We also record error and performance diagnostics using our own server-side logging (no third-party error-monitoring service). See "Cookies & tracking" below.
3 · How we use it & our legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Provide and operate the Service (accounts, sync, analysis, alerts) | Performance of our contract with you |
| Keep the Service secure, prevent abuse, debug and improve it | Our (and your) legitimate interest in a secure, working Service |
| Analytics and session recording (Google Analytics, Microsoft Clarity) | Your consent |
| Service and security emails (activation, account, critical alerts) | Contract / legitimate interest |
| Optional product or marketing emails and digests | Your consent |
| Comply with legal, tax and accounting obligations | Legal obligation |
Where we rely on consent, you can withdraw it at any time without affecting processing already carried out. Where we rely on legitimate interests, you can object (see "Your rights").
4 · Cookies & tracking
We use cookies and similar technologies. Strictly necessary cookies (for sign-in, security and basic functionality) are always on. Analytics and session-recording technologies are non-essential and load only after you consent, where consent is required by law.
| Tool | Purpose | Notes |
|---|---|---|
| Google Analytics (Google) | Aggregate usage analytics | Sets cookies; data shared with Google. Consent-gated. |
| Microsoft Clarity (Microsoft) | Heatmaps & session recordings of page interactions | Records interactions to help us understand usability. Consent-gated; we enable masking of input content. Microsoft enforces consent for EEA/UK/Swiss visitors. |
| Sentry | Error & performance monitoring | Captures technical/error data to keep the Service reliable; not used for advertising. |
You can withdraw or change your cookie choices at any time via our cookie settings, and you can also control cookies in your browser. For more detail, see Google’s and Microsoft’s own privacy notices.
Our cookie-consent banner gates both Google Analytics (via Google Consent Mode) and Microsoft Clarity (via Clarity’s Consent API): they are denied by default and load only after you opt in, in every region.
5 · AI & data sub-processors
To run the Service we share limited data with the processors below. We do not sell your personal data, and we do not allow these providers to use your data to train their models except as noted.
| Provider | Role | Data shared |
|---|---|---|
| Supabase | Hosting, database, authentication, file storage | Account, portfolio and analysis data |
| Vercel | Application hosting & delivery | Request and log data |
| Anthropic | AI model for recommendations & analysis | Domain/portfolio context for a given analysis; processed via API and not used to train models |
| Replicate / HumbleWorth | Automated domain valuations | Domain names and minimal context |
| Tavily | Web-signal retrieval | Search queries derived from your themes/domains |
| Resend | Transactional & digest email | Email address and message content |
| Google (incl. Google Analytics 4) | Google sign-in (OAuth) & consent-gated usage analytics | Identity for sign-in; pseudonymised analytics data with IP anonymisation enabled. Processed in the United States under Google’s data-processing terms and Standard Contractual Clauses. Consent-gated; not used to train models. |
| Microsoft (Clarity) | Consent-gated session-recording analytics | Page-interaction data with input content masked; US/international processing under Microsoft’s DPA and Standard Contractual Clauses. Consent-gated. |
6 · Sharing & disclosure
We share personal data only: with the sub-processors above; where you direct us to (for example, a registrar you connect); where required by law or to protect our or others’ rights; and in connection with a merger, acquisition or asset sale (with notice). We do not sell personal data, and we do not "share" it for cross-context behavioural advertising as defined by California law.
7 · International transfers
We and our providers may process your data in countries other than yours, including outside the EEA, the UK and Israel. Where we transfer personal data internationally, we rely on appropriate safeguards, such as adequacy decisions or Standard Contractual Clauses.
Several of our providers — including Google, Microsoft, Anthropic, Vercel, Supabase and Resend — are based in or process data in the United States. For transfers from the EEA, the UK or Switzerland we rely on Standard Contractual Clauses (and, where applicable, a provider’s Data Privacy Framework certification) together with supplementary measures.
8 · Retention & deletion
We keep your personal data while your account is active. You can delete your account at any time from Settings.
When you delete your account, we soft-delete it and retain your data for a recovery (grace) period of 90 days, so you can return without losing your portfolio. After the grace period we permanently delete or anonymise your personal data — except data we must keep longer to meet legal, tax or accounting obligations, to resolve disputes, or to enforce our agreements. Backups are purged on their normal rotation cycle.
You can export a copy of your data at any time (see "Your rights").
9 · Your rights
Subject to your local law, you can:
- Access the personal data we hold about you and obtain a copy.
- Export your data — a self-service download is available in Settings.
- Correct inaccurate or incomplete data.
- Delete your data and be forgotten — available in Settings, subject to the 90-day grace period and any legal retention.
- Restrict or object to certain processing, including processing based on legitimate interests.
- Withdraw consent (for example, for analytics or optional emails) at any time.
- Port your data to another service, where applicable.
California residents also have the rights to know, delete, correct, and opt out of the sale or sharing of personal information (we do not sell or share), and not to be discriminated against for exercising them. Residents of Israel have the right to review and correct their data under the Privacy Protection Law.
To exercise any right, use the tools in Settings or contact privacy@droprenew.com. You also have the right to lodge a complaint with your data-protection authority — in Israel, the Privacy Protection Authority; in the EEA/UK, your local supervisory authority.
10 · Security
We use technical and organisational measures to protect your data, including per-account isolation and row-level access controls, encryption of stored registrar credentials, and access limited to what is needed to operate the Service. No system is perfectly secure, and we cannot guarantee absolute security.
11 · Children
The Service is not directed to children and is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
12 · Changes to this Policy
We may update this Policy. If we make a material change, we will give reasonable notice (for example, by email or in-product) and update the date above. Continued use after the change takes effect means you accept the updated Policy.
13 · Contact
Privacy questions and requests: privacy@droprenew.com.