Privacy Policy

• Account data: email address, password hash, display name, and the account settings you configure.
• Contact channels you opt into: phone number (for SMS), Discord user ID or webhook URL (for Discord), and web push subscription tokens (for browser push).
• Location: optional home ZIP, home coordinates, and alert radius — only if you choose to set them. Used to geo-filter alerts to kiosks near you.
• Billing data: handled by Stripe. We store the Stripe customer ID and subscription status but never your card number.
• Activity: alerts we sent you, sightings and submissions you created, scout reports, auto-buy watches. We use this to operate the Service.
• Logs: standard request logs (IP, user agent, timestamp) kept for a short retention window for debugging and abuse prevention.

• Payment card numbers — Stripe handles that.
• Precise GPS tracking. Home location is optional and never continuous.
• Personal messages from your Discord, SMS, or email accounts.
• Third-party tracking cookies. We don’t sell your data to ad networks.

• To send you the alerts, predictions, and auto-buy results you signed up for.
• To operate and improve the prediction engine (aggregate only — your individual sightings aren’t shared with other users in identifiable form).
• To detect abuse, enforce rate limits, and prevent fraudulent scout reports or submissions.
• To bill you for paid tiers.
• To respond when you contact us.

We use the following processors. Each one has access to only what they need.

• Supabase — database and authentication. Stores account data, settings, alert history.
• Vercel — web hosting and serverless functions.
• Stripe — subscription billing and scout payouts via Stripe Connect.
• Twilio — SMS delivery. Only your phone number and the message text.
• Resend — transactional email delivery.
• Discord — message delivery via webhook URLs you provide. We only send alert content.

We do not sell personal information. We may disclose information if required by valid legal process, or to protect rights, property, or safety.

• Unsubscribe from email: use the link at the bottom of any alert email, or request unsubscribe at /api/email/unsubscribe or via email.
• Stop SMS: reply STOP to any SMS.
• Disable web push: revoke in your browser’s site settings.
• Delete your account: email team@wilddrops.me. We delete within 30 days except where retention is legally required.
• Access / correction: contact us and we’ll help.

We retain account data while your account is active and for a reasonable period after deletion for backup and legal retention (generally 30–90 days, longer for billing records required by law). Request logs are rotated on a short cycle.

Passwords are stored as salted hashes via Supabase Auth. All traffic is served over TLS. Sensitive credentials (service role keys, API tokens) are kept in Vercel environment variables and never served to clients. No system is perfectly secure; if you suspect unauthorized access to your account, email us immediately.

The Service is not directed at children under 13 (or the digital consent age in your country). If you believe a child has created an account, contact us and we’ll remove it.

WildDrops operates from and stores data in the United States. By using the Service you consent to the transfer of your data to the US for processing.

California residents have rights to know what personal information we hold, to request deletion, and to opt out of sale. We do not sell personal information. Contact us to exercise any right.

We’ll update this policy as the Service changes. Material changes will be announced via email or in-app notice.

Privacy questions or requests: team@wilddrops.me or /contact.