PRIVACY POLICY
Last Updated: February 22, 2026
Dev Forward LLC, d/b/a SlopDrop ("we," "us," or "our"), operates the website slopdrop.net (the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect your personal information
when you use our Service.
By using SlopDrop, you agree to the collection and use of information in accordance with this policy.
If you do not agree, please do not use the Service.
1. Information We Collect
A. Information You Provide
- Account Information: Email address when you create an account or log in via magic link
- Mailing Addresses: Recipient names, street addresses, city, state, postal code, and country that you enter for postcard delivery
- User-Generated Content: Prompts and selections you provide for AI postcard generation, text you write for postcard backs, and guestbook entries (display name, location, message)
- Payment Information: Payment details are collected and processed directly by Stripe, our third-party payment processor. We do not store your credit card number, CVV, or full payment card details on our servers. We receive your email address and transaction metadata from Stripe.
B. Information Collected Automatically
- IP Address: Collected when you log in, generate postcards, or browse the Service; used for rate limiting and abuse prevention
- User-Agent String: Your browser type and version, collected during authentication sessions
- Session Data: We generate a session identifier to track your browsing session for functionality purposes (e.g., associating generated previews with your session before account creation)
- Usage Data: Pages visited, timestamps of activity, and feature interactions
C. Information from Third Parties
- Stripe: Payment confirmation, transaction status, and email address associated with your payment
- Lob: Mailing delivery status updates (e.g., delivered, returned) for postcards sent through USPS
- Cloudflare Turnstile: Bot detection signals (does not use cookies; collects client-side browser signals to verify you are human)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Account Management: To create and manage your account, authenticate your identity via magic link emails, and maintain your session
- Order Fulfillment: To process your postcard orders, generate AI images, validate mailing addresses, print postcards, and deliver them via USPS
- Payment Processing: To process payments through Stripe, manage credits, and maintain transaction records
- AI Content Generation: To send your prompts and selections to OpenAI's API for postcard image and text generation
- Transactional Communications: To send you magic link login emails and purchase confirmation emails via SendGrid
- Abuse Prevention: To enforce rate limits on free postcard generation (based on IP address), prevent spam, and detect fraudulent activity
- Public Features: To display guestbook entries and (for purchased postcards) gallery listings, as part of the Service's public features
- Legal Compliance: To comply with applicable laws, respond to legal requests, and protect our rights
3. How We Share Your Information
We do not sell your personal information. We share information only with the following third-party service providers as necessary to operate the Service:
| Service Provider | Data Shared | Purpose |
| --- | --- | --- |
| Stripe | Email, payment info, order metadata | Payment processing |
| OpenAI | User prompts, template selections | AI image and text generation |
| Lob | Recipient name, mailing address, postcard image and text | Physical postcard printing and USPS mailing |
| SendGrid | Email address | Transactional email delivery (login links, purchase confirmations) |
| Cloudflare | IP address, browser signals | Hosting, content delivery, bot protection (Turnstile) |
We may also disclose your information if required to do so by law, in response to valid legal process (such as a subpoena or court order), to protect our rights or safety, or in connection with a merger, acquisition, or sale of assets.
4. Data Retention
We retain your personal information only as long as necessary for the purposes described in this policy:
- Account Data: Retained until you request account deletion
- Authentication Sessions: Expire after 30 days of inactivity
- Anonymous Session Previews: AI-generated preview images for non-logged-in users expire after 24 hours
- Magic Link Tokens: Expire after 15 minutes
- Rate Limit Data: IP-based rate limit counters reset daily (generation limits) or after 1 hour (login attempt limits)
- Order and Mailing Records: Retained for as long as required for accounting, tax, and legal compliance purposes
- Guestbook Entries: Retained indefinitely unless removed by moderation or at your request
- Webhook Idempotency Keys: Retained for 48 hours to prevent duplicate processing
5. Your Privacy Rights
Depending on your state of residence, you may have the following rights regarding your personal information:
- Right to Know/Access: Request a copy of the personal information we have collected about you
- Right to Delete: Request that we delete your personal information, subject to certain legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism.
- Right to Data Portability: Request your personal data in a portable format
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights
California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the rights listed above.
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email, IP address),
commercial information (purchase history), internet/electronic activity (session data, user-agent), and user-generated content (prompts, guestbook entries).
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA.
Global Privacy Control
We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid opt-out
request for the sale or sharing of personal information, as required by applicable state laws.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us at
[email protected].
We will verify your identity before processing your request and respond within 45 days
(or up to 90 days if an extension is necessary, with notice to you). You may also designate an
authorized agent to submit a request on your behalf.
6. Do Not Sell or Share My Personal Information
We do not sell your personal information.
We do not share your personal information for cross-context behavioral advertising.
If our practices change in the future, we will update this policy and provide appropriate opt-out mechanisms
as required by applicable law.
7. Cookies and Tracking Technologies
SlopDrop uses a minimal approach to cookies and tracking:
- Session Identifier: We use a session-based identifier stored in your browser to maintain your browsing session and associate generated previews with your visit. This is essential for the Service to function.
- Local Storage: We use browser local storage for session management and basic site functionality (such as the visitor counter).
- Cloudflare Turnstile: Our bot protection system (Cloudflare Turnstile) does not use cookies. It collects client-side signals to verify that visitors are human.
We do not use third-party advertising cookies, analytics trackers, or cross-site tracking technologies.
8. Data Security
We implement reasonable technical and organizational measures to protect your personal information, including:
- All data transmitted between your browser and our servers is encrypted via TLS/HTTPS
- Payment card data is handled entirely by Stripe and never touches our servers
- Our infrastructure is hosted on Cloudflare's global network with built-in DDoS protection
- Magic link authentication eliminates password-related vulnerabilities
- Authentication and generation endpoints are rate limited to prevent abuse
However, no method of electronic transmission or storage is 100% secure. While we strive to protect your
personal information, we cannot guarantee its absolute security.
9. Children's Privacy
SlopDrop is not directed at children under the age of 13. We do not knowingly collect personal information
from children under 13. If you are a parent or guardian and believe your child has provided us with personal
information, please contact us at [email protected] and we will
take steps to delete that information.
10. Third-Party Services
Our Service integrates with and links to third-party services. Each has its own privacy policy governing
data they collect:
We are not responsible for the privacy practices of these third-party services.
11. Data Transfers
Your information may be processed on servers located in the United States through Cloudflare's global network,
OpenAI's US-based servers, and other third-party services described above. By using the Service, you consent
to the transfer and processing of your information in the United States.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you
by posting the updated policy on this page with a new "Last Updated" date. For significant changes,
we may also notify you via the email address associated with your account.
Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: