Last updated:
This Privacy Policy describes how CutDrop collects, uses and protects the personal data of users of the cutdrop.io website, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and the French Data Protection Act n° 78-17 of 6 January 1978 as amended.
The controller of the personal data collected on the Site is:
CutDrop has not appointed a Data Protection Officer (DPO): the nature, context and purposes of processing do not make this designation mandatory under article 37 of the GDPR. Any request regarding your personal data can be sent directly to contact@cutdrop.io.
| Data | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Email, name, credentials | Customer account management | Performance of contract (art. 6.1.b) | Until account deletion by user, or 3 years of inactivity |
| Email, name, order history, amount, order number | Order processing and tracking, invoicing | Performance of contract (art. 6.1.b) + legal obligation (art. 6.1.c) | 10 years from the order (accounting obligation, art. L123-22 French Commercial Code) |
| Consent to immediate delivery of digital content | Legal proof of waiver of right of withdrawal | Legal obligation (art. 6.1.c, art. L221-28 13° French Consumer Code) | 10 years (same as invoicing) |
| | Newsletter and marketing communications | Consent (art. 6.1.a) | 3 years from last contact, or until consent withdrawal |
| Customer reviews (text, rating, product association) | Public display of verified reviews | Performance of contract + legitimate interest (art. 6.1.b and 6.1.f) | As long as the product remains in the catalog |
| Wishlist | Personalized account feature | Performance of contract (art. 6.1.b) | Until manual deletion or account deletion |
| Loyalty points, referrals, used promo codes | Loyalty program, commercial tracking | Performance of contract (art. 6.1.b) | Until account deletion |
| IP address, user-agent, access logs | Site security, fraud prevention | Legitimate interest (art. 6.1.f) | 12 months maximum (CNIL recommendation) |
| Session, cart cookies | Site operation | Strictly necessary (art. 82 LIL — exempt from consent) | User session |
No banking data is stored by CutDrop. Payment information is transmitted and processed directly by our payment provider Stripe, certified PCI-DSS level 1.
All data processed is collected directly from the user: via the registration form, the order process, the newsletter form, the submission of customer reviews, and technical interactions with the Site. CutDrop carries out no collection via data brokers or third-party databases.
| Sub-processor | Data concerned | Role | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd | Email, billing data, amount | Payment processing | Dublin, Ireland (EU) |
| Supabase Inc. | Customer account, orders, user content | Database hosting | EU West (Paris, France) — EU |
| Vercel Inc. | HTTP logs, technical requests, IP | Site hosting and CDN | United States |
| Cloudflare, Inc. | Downloadable digital files | File storage and distribution (R2) | United States |
| Resend, Inc. | Email, content of transactional and marketing emails | Email sending | United States |
CutDrop does not sell, rent, or share the personal data it collects with any third party for commercial purposes. No data is transmitted to brokers, advertisers or enrichment services.
Some of our sub-processors (Vercel Inc., Cloudflare, Inc., Resend, Inc.) are established in the United States. Data transfers to these companies are governed by:
CutDrop has selected these providers based on their commitment to GDPR compliance. The user is nevertheless informed that under the US CLOUD Act, US authorities may, in certain limited circumstances, request access to data stored by companies under US jurisdiction.
Important: the storage of main user data (account, orders, personal data) is performed by Supabase in the region EU West (Paris, France): this data does not leave the territory of the European Union. The only data transiting via US sub-processors are technical data (logs, HTTP requests, IP), downloadable files (which are public by nature, purchased by customers), and the content of transactional emails.
CutDrop implements appropriate technical and organizational measures to protect personal data against any unauthorized access, loss, alteration or disclosure, including:
In case of a personal data breach likely to result in a risk to the rights and freedoms of the persons concerned, CutDrop will notify the CNIL within 72 hours and inform the affected users in accordance with article 34 of the GDPR.
In accordance with articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights over your personal data:
To exercise these rights, contact us at contact@cutdrop.io, specifying your request and providing proof of identity. We commit to respond within a maximum of one month from the receipt of your request (article 12.3 GDPR).
If you believe that the processing of your personal data by CutDrop is not compliant with applicable regulations, you have the right to lodge a complaint with the French Data Protection Authority (CNIL):
CutDrop uses only cookies strictly necessary for the operation of the Site:
In accordance with CNIL deliberation n° 2020-091 of 17 September 2020, these cookies are exempt from prior consent because they are strictly necessary for the provision of the services requested by the user.
CutDrop does not currently use any audience measurement, advertising, social media, or tracking cookies. If CutDrop introduces such cookies in the future, a consent banner compliant with CNIL requirements will be put in place and this policy will be updated accordingly.
CutDrop reserves the right to modify this Privacy Policy at any time, in particular to comply with any legislative or regulatory changes. The last update date is indicated at the top of this page. In case of substantial modification affecting user rights, holders of a customer account will be informed by email.
For any question regarding this Privacy Policy or the processing of your personal data: contact@cutdrop.io