Introduction
Sharedrop is a platform for publishing AI-generated HTML and sharing it with the people who need to see it. The service is operated by Scott Owen at the domain sharedrop.cloud. This policy describes the personal data we collect, how we use it, and the third parties we rely on to run the service.
We aim to keep this short and accurate. If anything here is unclear, email support@sharedrop.cloud.
What we collect
- Account information from Clerk: your email address, display name, avatar URL, and identifiers from any OAuth provider you sign in with (Google or GitHub).
- Content you upload: HTML pages, version-history snapshots, page metadata (title, slug, visibility, mode, parent, materialised path), comments, and any access grants you create.
- Usage data: rate-limit counters, audit events recording activity on your pages, page-view metadata, and request logs needed for security and abuse prevention.
- Billing information: once Stripe is wired in, billing identifiers and plan state. We do not store full card numbers.
How we use it
- Serving your pages to the visitors you authorise.
- Enforcing per-tier limits and preventing abuse.
- Sending essential transactional email (sign-in, password reset, account events) — handled via Clerk.
- Investigating security incidents and responding to lawful requests.
Sub-processors
We use the following third-party services to operate Sharedrop. Each one only sees the data needed for its function.
- Clerk — authentication, identity, session management, OAuth (Google + GitHub), and outbound transactional email. Sees: your account profile and session data.
- Cloudflare R2 — object storage for uploaded HTML and any extracted images. Served via the CDN at cdn.sharedrop.cloud. Sees: the contents of pages you upload.
- Neon — serverless PostgreSQL database, typically hosted in us-east-1. Sees: page metadata, comments, access grants, audit events, and synced user records.
- Vercel — hosting, edge network, build pipeline, and (if enabled) Vercel Analytics. Sees: HTTP request metadata for every page load and API call.
- Upstash Redis — distributed rate limiting. Sees: short-lived rate-limit counters keyed by user ID, API key, or IP.
- Svix — webhook signature verification used by Clerk's webhook delivery. Sees: webhook payloads in transit.
- Stripe (planned) — will process billing once paid plans launch. Will see: billing identifiers and plan state.
Where data lives
Primary infrastructure runs in United States regions: Neon defaults to us-east-1 and Vercel deploys to its default region. Cloudflare R2 is globally distributed, and traffic may transit other regions through Cloudflare's network in the course of delivery.
Retention
- Page versions are retained per tier — Free retains zero historical versions, Pro retains the last 10, and Team retains the last 25.
- Account deletion cascades to all owned pages, versions, comments, share tokens, and access grants. Audit events are unlinked from the deleted account but retained for security purposes.
- Audit events are retained indefinitely in v1. You can request deletion by emailing support@sharedrop.cloud.
Your rights
You can request access to, correction of, deletion of, or export of your personal data by emailing support@sharedrop.cloud. There is no self-serve export endpoint yet — we'll add one and link it here when it ships.
Cookies
- Clerk session cookie (essential) — keeps you signed in.
- Vercel Analytics (optional, only if enabled on a given deployment) — aggregate usage metrics, no cross-site tracking.
Children
Sharedrop is not directed to anyone under 16. We do not knowingly collect data from children. If you believe a child has created an account, email support@sharedrop.cloud and we will remove it.
Contact
Privacy questions: support@sharedrop.cloud. For security disclosures see /security.
Changes to this policy
We will update the “Last updated” date at the top of this page when this policy changes. Material changes will be announced via email to the address on your account.