Privacy Policy

SubDrop.live ("SubDrop," "we," "us," or "our") operates the platform at subdrop.live that connects brands with live streamers for brand-funded gift subscription drops.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, dashboards, APIs, and overlay services.

Account Information

• For brands: email address, company name, password (hashed), Stripe customer ID
• For streamers: Kick/Twitch username, display name, avatar, OAuth tokens (encrypted)

Payment Information

• Payment processing is handled by Stripe. We do not store credit card numbers.
• We store transaction records: amounts, dates, campaign references, and Stripe session IDs.

Usage Data

• Dashboard interactions, API requests, overlay views, clicks, and campaign analytics events.
• IP addresses, browser type, device information for security and debugging.

Streaming Data

• Gift sub events, drop delivery confirmations, chat messages sent via our integration.
• Streamer channel information received via Kick/Twitch OAuth.

• Provide and maintain the SubDrop platform and services
• Process payments and manage campaigns
• Deliver gift sub drops and display overlays during live streams
• Generate analytics and reports for brands and streamers
• Send transactional emails (campaign updates, payment confirmations)
• Improve our platform through usage analysis and feedback
• Prevent fraud and ensure platform security
• Comply with legal obligations

We share your information only in these circumstances:

• Service Providers: Stripe (payments), Supabase (database/auth), Vercel (hosting), Resend (email)
• Streaming Platforms: Kick and Twitch receive gift sub and channel data as part of the integration
• Legal Requirements: When required by law, court order, or government request
• Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal information to third parties.

We implement industry-standard security measures including:

• Encryption of OAuth tokens and sensitive credentials at rest
• HTTPS/TLS encryption for all data in transit
• Row Level Security (RLS) on all database tables
• API key hashing (SHA-256) — keys are never stored in plain text
• Webhook signature verification for all external integrations
• Regular security audits and dependency updates

• Account data: Retained while your account is active. Deleted within 30 days of account closure.
• Campaign data: Retained for 2 years after campaign completion for analytics and dispute resolution.
• Analytics events: Retained for 1 year, then aggregated and anonymized.
• Payment records: Retained as required by law (typically 7 years for tax/accounting).

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Export your data in a portable format
• Opt out of marketing communications

To exercise these rights, contact us at privacy@subdrop.live.

We use essential cookies for authentication (session cookies, OAuth state verification) and platform functionality. We do not use advertising or tracking cookies.

SubDrop is not intended for users under 18. We do not knowingly collect personal information from children. If we learn we have collected data from a minor, we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on our platform. Continued use of SubDrop after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, contact us at:

privacy@subdrop.live