Article 1: Preamble
The purpose of this privacy policy is to inform users of the site Dropapost (accessible at https://dropapost.io):
- On how their personal data is collected and processed;
- On the rights they have regarding this data;
- On the person responsible for processing the collected personal data;
- On the recipients of this personal data;
- On the site's cookie policy.
Article 2: Principles and Legal Bases for Processing
In accordance with Article 5 of the European Regulation 2016/679 (GDPR), personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and kept up to date;
- Kept for no longer than is necessary;
- Processed in a manner that ensures appropriate security.
Legal bases applicable to our processing:
- Performance of contract (Art. 6.1.b): account management, service delivery, billing, transactional communications;
- Consent (Art. 6.1.a): analytical and marketing cookies, newsletters;
- Legal obligation (Art. 6.1.c): retention of billing data (accounting obligation);
- Legitimate interest (Art. 6.1.f): service improvement, security, fraud prevention.
Article 3: Personal Data Collected and Processed
3.1 - Data collected
The personal data collected as part of our activity are as follows:
Account Data
- First and last name
- Email address
- Password (stored in encrypted form)
Billing Data
- Payment information (processed by our secure payment provider)
- Transaction history
- Credits purchased and consumed
Usage Data
- Created content (posts, images)
- Managed brands
- Social media account connection authorizations
Browsing Data
- IP address
- Browser information
- Pages visited
Purposes of collection: Service delivery, account management, billing, service improvement, transactional communications, marketing campaign effectiveness measurement (with your consent).
3.2 - Data collection method
When you use our site, the following browsing data is automatically collected:
- IP address
- Browser information
- Pages visited and duration of visit
Other personal data is collected when you perform the following operations:
- Registration: first name, last name, email, password
- Credit purchase: billing information
- Content creation: texts and images
- Social media connection: connection authorizations to your Instagram/Facebook accounts
Retention period:
- Account data: until account deletion + 1 year (legal archiving)
- Billing data: 10 years (Belgian accounting obligation)
- Created content: until deletion by the user
- Analytical/marketing cookies: 12 months maximum
- Browsing data: 12 months maximum
3.3 - Data hosting
The site Dropapost is hosted by:
Vercel Inc. (United States)
Website: https://vercel.com
3.4 - Sub-processors and partners
Your data may be shared with the following partners, strictly within the scope of providing our services:
- Stripe: Secure payment processing
- Meta (Facebook/Instagram): Publishing to your connected accounts
- Cloudflare: Image storage and delivery
- PostHog: Product usage analytics (anonymized)
- Tawk.to: Live support chat
- AI provider: Content generation (submitted texts are processed without retention by the provider)
- Google (with consent): Audience measurement
- Meta Pixel (with consent): Marketing conversion tracking
3.5 - Cookie Policy
In accordance with European regulations, we ask for your consent before placing non-essential cookies.
Essential Cookies (no consent required)
- Authentication session
- Security cookies
- Essential user preferences (language, theme)
Analytical Cookies (consent required)
- Google audience measurement cookies
- PostHog product analytics
Marketing Cookies (consent required)
- Meta advertising tracking cookies
Manage your cookies: You can change your preferences at any time by clicking on at the bottom of the page. Your consent is stored for 12 months.
3.6 - Data Security
We implement appropriate technical and organizational security measures in line with industry standards to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
3.7 - International Data Transfers
Some of our sub-processors are located in the United States (Vercel, Stripe, Cloudflare). These transfers are governed by the EU-US Data Privacy Framework (European Commission adequacy decision of July 10, 2023) and/or Standard Contractual Clauses approved by the European Commission, in accordance with Articles 44 to 49 of the GDPR.
3.8 - Use of Artificial Intelligence
Dropapost uses artificial intelligence systems for content generation (text, images) and automatic responses. The content you submit is sent to our AI providers solely for the requested processing, without retention by these providers. No automated decision within the meaning of Article 22 of the GDPR is made about you based on these processes.
3.9 - OAuth integrations (social networks and third-party services)
To publish on your behalf on social networks and connected services, Dropapost uses the OAuth 2.0 protocols provided by each platform. You explicitly grant the permissions when connecting, and can revoke them at any time.
Meta (Facebook & Instagram)
Permissions requested: public_profile, business_management, pages_show_list, pages_read_engagement, pages_manage_engagement, pages_manage_posts, pages_manage_metadata, pages_messaging, read_insights, instagram_basic, instagram_content_publish, instagram_manage_insights, instagram_manage_comments, instagram_manage_messages
Usage: Publish the posts you create on your Facebook Pages and Instagram Business accounts, read publication statistics, manage comments and direct messages.
Google Business Profile
OAuth scope requested: https://www.googleapis.com/auth/business.manage
Usage: Publish your posts (Standard, Event, Offer) to your Google Business Profile listing, read your listing information for selection (name, address, identifier), manage connection status.
Limited Use compliance: Dropapost's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Concretely: we use Google data only to provide the publishing features described above, we do not sell it, we do not use it for advertising, and we do not allow humans to read it except in narrow cases (explicit user consent, legal compliance, or critical security operations).
Revoke: myaccount.google.com/permissions
Permissions requested: user_accounts:read, boards:read, boards:write, pins:read, pins:write
Usage: List your boards, create new boards if you ask for it, publish Pins (image, carousel, video) to your boards, read engagement statistics for your Pins.
Revoke: Pinterest Settings → Apps
TikTok
Permissions requested: user.info.basic, video.upload, video.publish
Usage: Publish the videos and photos you create on your TikTok account, read your username and avatar for display in the editor.
Revoke: TikTok Settings → Manage apps
Token storage: OAuth tokens (access tokens and refresh tokens) are encrypted at rest in our database. They are used only to perform the actions you initiate (publishing, reading statistics) or to automatically refresh expired sessions.
3.10 - Public showcase of publications
Posts you publish via Dropapost on your social networks are public by nature. Dropapost may display some of these posts in a limited way (public account handle, image, caption, date) on its own public pages (home, sign in, sign up) to illustrate the service. No private, draft or unpublished content is ever exposed. To exclude your posts from this showcase, contact us at [email protected].
Article 4: Data Controller
4.1 - The Data Controller
Company name: Dropapost
Controller: Jhon Bauwens
Business number (BCE): BE0500915324
Country: Belgium
Email: [email protected]
Website: https://dropapost.io
4.2 - Data Protection Contact
For any questions regarding the protection of your personal data, you can contact us at: [email protected]
If you believe that your rights are not being respected after contacting us, you can file a complaint with the competent supervisory authority:
— Belgium: Data Protection Authority (APD/GBA)
— France: CNIL
Article 5: User Rights
In accordance with the European Regulation 2016/679 (GDPR), you have the following rights regarding your personal data:
Right of access (Article 15 GDPR)
Obtain a copy of your personal data.
Right of rectification (Article 16 GDPR)
Correct your inaccurate or incomplete data.
Right to erasure (Article 17 GDPR)
Delete your data under certain conditions.
Right to data portability (Article 20 GDPR)
Receive your data in a usable format.
Right to restriction (Article 18 GDPR)
Restrict the processing of your data.
Right to object (Article 21 GDPR)
Object to the processing of your data.
- Right not to be subject to a decision based solely on automated processing
- Right to withdraw your consent at any time
- Right to lodge a complaint with the competent supervisory authority (Article 77 GDPR)
To exercise your rights:
Please send your request by email to: [email protected]
In order to process your request, we may ask you to confirm your identity. We will respond to your request within 1 month maximum, in accordance with the GDPR.
For more information about your rights, visit the Data Protection Authority website.
Article 6: Conditions for Modification
The publisher of the Dropapost site reserves the right to modify this Policy at any time to ensure compliance with applicable law.
Any modifications shall not affect purchases previously made on the site.
In the event of substantial modifications impacting your rights, we will notify you by email.
This policy was last updated on 02/16/2026.