Privacy Policy
Effective date: 15 June 2026
Last updated: 15 June 2026
DropZillaAI ("we", "us", "our") runs primarily on your own computer. Most of the data DropZillaAI handles — your eBay and AliExpress credentials, your product listings, your financial records — never leaves your machine. This policy explains the small amount of data we do receive (for logging you in and handling your subscription), what we do with it, and how to contact us.
We are the "data controller" for the personal data described below. The contact details are at the bottom of this policy.
1. Summary (the short version)
- We do not see your eBay / AliExpress / OpenAI credentials. They stay encrypted on your computer in %APPDATA%\DropZillaAI\.
- We do not see your product lists, sales data, or financial records. Those live in SQLite databases on your computer.
- We only process: your account email + password hash, your subscription tier + device ID (so the app knows what features to unlock), optional crash reports you choose to send, and payment details via our payment processor Stripe.
- You can delete your account at any time from the app or by emailing us, and we will wipe what we hold within 30 days (legally-required accounting records aside).
- Complaints: you can raise a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/.
2. What we collect, and why
2.1 When you create a DropZillaAI account
| Data | Why | Lawful basis |
|---|---|---|
| Email address | To identify your account, send password resets, send required subscription notices | Contract (Art. 6(1)(b) UK GDPR) |
| Password (hashed) | To let you log in securely. We never see your actual password. | Contract |
| Subscription tier (Free / Basic / Pro / Enterprise) | To tell the desktop app which features to enable | Contract |
| Device ID + device name | To enforce the "max N devices" limit on your tier | Contract / legitimate interest |
2.2 When you pay
Payment is handled by Stripe, Inc. (privacy policy). Stripe receives your name, address, and card details. We receive from Stripe:
| Data | Why | Lawful basis |
|---|---|---|
| Stripe customer ID | To link your subscription to your account | Contract |
| Subscription status (active / cancelled / past-due) | To unlock or lock your tier | Contract |
| VAT receipt metadata | For invoicing + our own tax records | Legal obligation (HMRC) |
We never see your full card number or CVV.
2.3 When you send a crash report
If DropZillaAI crashes, we show you a dialog offering to send a crash report. If you click "Send", we upload:
- App version, Python version, OS version
- The Python traceback of the crash
- The last ~200 lines of your log file, with credentials automatically redacted (see helpers/log_redactor.py in the source)
- Your account email, so we can reply to you
If you click "Don't send", nothing leaves your machine.
2.4 When you email support
If you email support@dropzillaai.co.uk, we receive your email address and whatever you put in the message. We use this only to reply to you.
2.5 What we do not collect
- Your eBay Developer credentials
- Your AliExpress API keys
- Your OpenAI API key
- Any of your product listings, inventory, sales, refunds, or financials
- Your eBay messages or AliExpress orders
- Any keystrokes, screenshots, or screen recordings
- Analytics / telemetry "phone-home" data
These live on your computer and never reach our servers.
3. Who we share your data with
We share the minimum data needed to run the service:
| Processor | What | Where | Purpose |
|---|---|---|---|
| Stripe | Name, address, card details, purchase history | EU + US | Subscription billing |
| Railway (Auth Server hosting provider) | Email + password hash + subscription metadata | EU region | Running the login service |
| Transactional email provider | Email address + message body | EU/US | Password resets + pre-renewal reminders |
We do not sell your data. We do not use it for advertising. We do not share it with data brokers.
4. International transfers
Where a processor above is outside the UK/EEA, we rely on either UK Adequacy Regulations or the UK International Data Transfer Addendum to the Standard Contractual Clauses, and keep a copy of each processor's signed DPA.
5. How long we keep your data
| Data | Retention |
|---|---|
| Account email + password hash | While your account is active, then 12 months after you delete it (in case you come back) |
| Subscription history | 7 years (UK tax-record requirement) |
| Crash reports | 90 days |
| Support emails | 24 months |
| Website access logs | 30 days |
Anything beyond these windows is automatically deleted.
6. Your rights under UK GDPR
You have the right to:
- Access — ask for a copy of what we hold
- Rectification — ask us to correct it if it's wrong
- Erasure — ask us to delete it ("right to be forgotten")
- Restriction — ask us to freeze processing while you dispute something
- Portability — ask for your data in a portable (JSON/CSV) format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where we relied on consent (e.g. crash reports)
You also have the right to complain to the ICO at https://ico.org.uk/make-a-complaint/.
To exercise any of these rights, email privacy@dropzillaai.co.uk (or support@dropzillaai.co.uk) from the address associated with your account. We will respond within one month (UK GDPR default) and at no charge unless the request is manifestly unfounded or excessive.
7. Security
- Account passwords are stored as bcrypt hashes — we never see them.
- The app-to-server connection uses TLS 1.2+.
- Your eBay / AliExpress / OpenAI credentials are encrypted on your own computer with a machine-bound key; they cannot be decrypted elsewhere even if the file is copied.
- We run regular dependency updates and monitor for known vulnerabilities.
No system is perfectly secure. If we ever become aware of a breach affecting your data, we will tell you within 72 hours where feasible, and notify the ICO where required.
8. Children
DropZillaAI is a business tool and is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe we have done so, please email us and we will delete it.
9. Cookies + website analytics
The DropZillaAI website (dropzillaai.co.uk) uses only essential cookies plus aggregated, anonymised analytics — see our Cookie Notice.
The DropZillaAI desktop app uses a local Flask session cookie that stays on your computer. It is not transmitted to us.
10. Changes to this policy
If we change this policy materially we will email registered users at least 14 days before the change takes effect. The current version and "Last updated" date are always published at https://dropzillaai.co.uk/privacy.
11. Contact us
DropZillaAI
Data controller: DropZillaAI (operated as a sole trader)
Email: privacy@dropzillaai.co.uk
Postal address: available on request — email privacy@dropzillaai.co.uk and we will provide it
Data Protection contact: same as above
ICO (if you want to complain to the regulator):
https://ico.org.uk/make-a-complaint/ — 0303 123 1113