Privacy Policy

When you sign in with Google we receive, from Google's OAuth flow:

• Your email address
• Your display name
• Your profile picture URL
• A Google account identifier (the "uid")

We also store a single boolean flag indicating whether you opted in to product / marketing emails at sign-in, plus timestamps for account creation and last login. That's the entire user record.

We do not ask Google for any sensitive scopes (Drive, Gmail, Calendar, Contacts, etc.). The OAuth consent screen shows you exactly what is requested before you approve.

Your projects — including app names, descriptions, uploaded screenshots, generated headlines, accent colors, and exported files — are stored in your browser's IndexedDB and never leave your device.

If you bring your own Gemini API key in Settings, that key is stored locally as well and is sent directly from your browser to Google's Gemini API. dropscreens.xyz has no server that handles your screenshots, your Gemini key, or your generated copy.

The user fields listed in section 1 are stored in Google Firebase Authentication and Cloud Firestore (Google Cloud, EU region). Firestore Security Rules ensure that only you can read or modify your own user record.

Authentication state is kept in a session cookie issued by Firebase. We don't set additional first-party cookies for tracking.

We use Google Analytics 4 to understand how visitors move through the site so we can improve the funnel. GA4 places cookies on your device, captures anonymized page views, and records button-click events such as landing_cta_click, signin_attempt, project_created, and export_completed.

We do not link analytics events to your email or your Google account. If you prefer not to be measured, browser-level Do Not Track signals are honored where supported, and an extension such as uBlock Origin will block GA entirely without affecting the app.

If you ticked the marketing opt-in checkbox at sign-in, we may occasionally send you product updates and indie-hacker tips. Every email contains a one-click unsubscribe link. You can also flip the preference any time from the Settings page or by replying with "unsubscribe" — both methods take immediate effect.

Transactional notices (security alerts, account-related messages) are sent regardless of the marketing flag, but we keep them rare.

The services that touch your data:

• Google (Firebase Auth, Firestore, Analytics): authentication, user record storage, traffic analytics
• Vercel: hosting and request logs (no payload data is logged)
• Google Gemini API (optional, only if you provide your own key): AI generation of screen titles

We do not sell your data, share it with advertisers, or use it for training any AI model.

You can, at any time:

• Export your local projects — they live in your browser; use the in-app export buttons
• Delete your local projects — Settings → Clear local data, or by clearing your browser's IndexedDB for this origin
• Delete your account — email hello@dropscreens.xyz from the address tied to your account and we will remove your Firestore record within 7 days
• Opt out of marketing email — toggle in Settings or click any unsubscribe link
• Request a copy of your data — same email; we will return the full Firestore record as JSON

If you are an EU/EEA/UK resident, the rights above are afforded to you by GDPR and UK GDPR. Residents of other regions with similar laws (Egypt 151/2020, KSA PDPL, UAE PDPL, California CPRA) are granted equivalent rights.

dropscreens.xyz is not intended for anyone under 13. We do not knowingly collect data from children. If you believe we have done so, contact us and we will delete it.

If we make a material change, we'll update the "Last updated" date at the top and, for accounts with marketing opt-in, send a heads-up email. Continuing to use the service after a change means you accept it; if you don't, the deletion path in section 7 is always available.

Questions, concerns, or formal data requests: hello@dropscreens.xyz.