Privacy Policy – StoryDrop

1. Controller

Loom Drop Global Teknoloji Tic.Ltd.Şti.

33010 Akdeniz, Mersin, Turkey

2. Data We Collect

Account Registration

Email address, display name, password (stored as bcrypt hash), optional profile picture, Drop Link slug, bio, and category.

Fan Submissions (Drops)

Sender name, optional email address, submission type (Story, Question, Idea, Feedback), content text, optional voice recording, and submission timestamp.

Story Arcs

Arc titles, descriptions, status, and associated submission data created by creators to organise their content.

Technical & Security Data

Hashed IP addresses (for spam protection via Cloudflare Turnstile, not individually traceable), session tokens, and browser type for security purposes.

3. Purpose of Processing

→ Providing and operating the StoryDrop service (creator inbox, Drop Link, Story Arcs, calendar)
→ Spam and abuse protection (Cloudflare Turnstile CAPTCHA on submission forms)
→ Voice transcription of audio submissions (processed via Whisper API, not stored beyond the session)
→ User authentication and session management
→ Transactional emails (email verification, password reset)
→ Service improvement and analytics (aggregated, non-personal)

4. Legal Basis

Art. 6(1)(b) GDPR — Contract performance: processing necessary to provide the service you signed up for.

Art. 6(1)(f) GDPR — Legitimate interests: spam protection, security, and fraud prevention.

Art. 6(1)(a) GDPR — Consent: where you have explicitly agreed (e.g., optional profile fields).

5. Data Retention

Account data is retained for as long as your account is active. When you delete your account, all personal data is permanently erased within 30 days.

Fan submissions (Drops) are stored until the creator deletes them or their account is closed.

Voice recordings are processed for transcription and then deleted from temporary storage immediately after transcription is complete.

6. Cookies & Session Storage

We use a single session cookie (sd_session) to keep you logged in. This cookie is strictly necessary for the service to function and does not require consent under ePrivacy rules.

No third-party tracking cookies or advertising cookies are used. Cloudflare sets a technical cookie (cf_clearance) for DDoS protection.

A language preference cookie (sd_lang) stores your chosen display language. This is a functional cookie and does not require consent.

7. Third-Party Services

Cloudflare Turnstile

Used on public submission forms to prevent spam. Processes hashed IP data. Cloudflare Privacy Policy →

Hostinger (Hosting)

All data is stored on EU-based servers operated by Hostinger. Hostinger Privacy Policy →

OpenAI Whisper (Voice Transcription)

Audio files submitted via voice drops are transcribed using the Whisper API. Audio is sent to OpenAI servers for processing and immediately deleted after transcription. OpenAI Privacy Policy →

8. Your Rights

Access

Request a copy of all data we hold about you.

Rectification

Correct inaccurate or incomplete data.

Erasure

Request deletion of your account and all associated data.

Restriction

Ask us to limit how we process your data.

Portability

Receive your data in a machine-readable format.

Objection

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at info@loomdroop.io. We will respond within 30 days.

9. Hosting & Data Location

All data is stored exclusively on EU-based servers (Hostinger, Lithuania). No data is transferred to third countries outside the EU/EEA except where explicitly stated above (Cloudflare, OpenAI — both covered by Standard Contractual Clauses).