Privacy Policy
Effective date: 26 June 2026
Last updated: 26 June 2026
Who we are
Dropframe ("Dropframe", "we", "us", "our") operates the web hosting platform at dropframe.run and the associated MCP server package dropframe-mcp. Our contact address is hello@dropframe.run.
What we collect
We collect as little as possible. Here is the complete list.
Content you deploy
When you or your AI assistant calls dropframe_deploy, we store the HTML you submit. This content is stored in Cloudflare KV, keyed by a randomly generated 10-character ID. We do not inspect, index, analyse, or sell this content.
If you embed personal information inside your HTML — names, emails, images, financial data — that becomes content we store on your behalf. You are responsible for what you put in your deployments.
Request metadata
Cloudflare Workers process every request to api.dropframe.run and *.dropframe.run. Cloudflare may log standard request metadata (IP address, timestamp, URL path, response code, edge location) for operational and security purposes. This is governed by the Cloudflare Privacy Policy.
We do not separately log IP addresses at the application layer.
Account data (paid plans only)
If you upgrade to a paid plan, we collect:
- Email address (required for billing and account recovery)
- Payment information — processed by Paddle; we never see or store raw card numbers
- MCP tokens (generated by you to authenticate deployments, stored securely as SHA-256 hashes)
What we do not collect
- We do not use cookies on deployed apps.
- We do not use analytics SDKs, tracking pixels, or ad networks.
- We do not collect names, phone numbers, or addresses on the free tier.
- We do not read conversation history from your AI assistant.
- We do not access your file system, clipboard, or browser storage.
How we use what we collect
| Data | Purpose |
|---|---|
| Deployed HTML content | Serving your app at {id}.dropframe.run |
| App ID + creation timestamp | Expiry enforcement; list view |
| Email (paid plans) | Account management, billing receipts, service notices |
| Payment data (via Paddle) | Subscription processing |
| MCP tokens / API keys | Authenticating requests |
We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described in the Infrastructure section below.
Infrastructure and sub-processors
Dropframe is built on Cloudflare. Content you deploy is stored and served by Cloudflare's global network. By using Dropframe you acknowledge that your deployed content passes through Cloudflare's infrastructure.
| Sub-processor | Role | Policy |
|---|---|---|
| Cloudflare | Edge compute (Workers), KV storage, DNS | cloudflare.com/privacypolicy |
| Paddle | Payment processing (paid plans only) | paddle.com/legal/privacy |
We do not use any other sub-processors. We will update this table if that changes.
Data retention
| Data | Free tier | Paid tier |
|---|---|---|
| Deployed HTML | Deleted automatically after 14 days | Retained until you delete the app |
| App metadata (ID, name, timestamp) | Deleted with the app | Retained until you delete the app |
| Email + account data | N/A | Retained while your account is active; deleted within 30 days of account closure |
| Payment records | N/A | Retained for 7 years (legal and tax obligation) |
Deletion is permanent. We do not maintain backups of user content that can be selectively restored.
Deployed apps and public access
Every app you deploy is publicly accessible at its URL. Anyone with the link can view it. Dropframe does not support private or access-controlled deployments on the free tier.
If you deploy content that should not be public, do not use Dropframe.
Security
- All traffic to
api.dropframe.runand*.dropframe.runis encrypted in transit over HTTPS. - Deployed apps are served inside a sandboxed iframe shell (
sandbox="allow-scripts allow-forms allow-same-origin"), which restricts cross-frame access. - MCP tokens and API keys are transmitted over HTTPS and stored as hashed values.
- We do not store passwords. Authentication is managed securely by Clerk.
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to hello@dropframe.run before publishing.
Your rights
Depending on your jurisdiction, you may have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your data and deployments
- Export your data in a portable format
- Object to certain processing
To exercise any of these rights, email hello@dropframe.run. We will respond within 30 days. For deletion requests, we can confirm when content has been removed from our systems.
For paid accounts, you can delete all your apps and close your account from the account settings page. Deletion takes effect immediately for app content; billing records are retained for the legally required period.
Children
Dropframe is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has submitted content through Dropframe, contact us at hello@dropframe.run and we will remove it.
Changes to this policy
We will post any changes to this page and update the "Last updated" date at the top. For material changes, we will notify paid-plan users by email at least 14 days before the change takes effect.
Contact
Email: hello@dropframe.run
Website: dropframe.run
For data protection enquiries specifically, use the subject line "Privacy" in your email.