Privacy Policy
Last updated: May 15, 2026
1. Who we are
Rowdrop (referred to as we, us, or our) is a web application that lets you create embeddable forms that write submissions directly to your Notion database. Our website is www.rowdrop.online.
2. What we collect
We collect only what is necessary to provide the service:
- Account information: Your email address and a hashed (bcrypt) version of your password. We never store your password in plain text.
- Form configuration: Your Notion integration token, Notion database ID, and field mappings you define when creating a form. These are stored to power your forms.
- Billing information: If you upgrade to Pro, your payment is processed by Stripe. We store your Stripe customer ID but never your card details — those stay with Stripe.
3. What we do NOT collect
- Form submissions: When someone fills out your Rowdrop form, their submission is forwarded directly to your Notion database. We do not store, read, or retain submission data.
- Analytics or tracking: We do not use third-party analytics, ad trackers, or fingerprinting.
- Cookies beyond authentication: We use a single secure, HTTP-only cookie to keep you logged in. No marketing cookies.
4. How we use your data
- To authenticate you and keep your session secure
- To store and serve your form configurations
- To process payments and manage your subscription via Stripe
- To send transactional emails if necessary (e.g., billing receipts from Stripe)
5. Third-party services
- Upstash Redis: We use Upstash to store your account and form configuration data. Upstash is SOC 2 compliant.
- Stripe: We use Stripe for payment processing. Stripe is PCI DSS compliant. See Stripe's Privacy Policy.
- Notion: Form submissions are sent to Notion via their API using the token you provide. See Notion's Privacy Policy.
6. Data retention
We retain your account and form data for as long as your account is active. If you delete your account, we will delete your data within 30 days.
7. Your rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (right to be forgotten)
- Object to or restrict processing of your data
- Receive your data in a portable format (data portability)
To exercise any of these rights, contact us at the address below.
8. Security
We use industry-standard security practices: bcrypt password hashing, HTTPS-only connections, secure HTTP-only cookies, and access controls on our infrastructure. No system is 100% secure, but we take reasonable measures to protect your data.
9. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by updating the date at the top of this page. Continued use of the service after changes constitutes acceptance.
10. Contact
Questions about this policy? Email us at [email protected].