Privacy Policy

Effective date: 26 June 2026
Last updated: 26 June 2026


Who we are

Dropframe ("Dropframe", "we", "us", "our") operates the web hosting platform at dropframe.run and the associated MCP server package dropframe-mcp. Our contact address is hello@dropframe.run.


What we collect

We collect as little as possible. Here is the complete list.

Content you deploy

When you or your AI assistant calls dropframe_deploy, we store the HTML you submit. This content is stored in Cloudflare KV, keyed by a randomly generated 10-character ID. We do not inspect, index, analyse, or sell this content.

If you embed personal information inside your HTML — names, emails, images, financial data — that becomes content we store on your behalf. You are responsible for what you put in your deployments.

Request metadata

Cloudflare Workers process every request to api.dropframe.run and *.dropframe.run. Cloudflare may log standard request metadata (IP address, timestamp, URL path, response code, edge location) for operational and security purposes. This is governed by the Cloudflare Privacy Policy.

We do not separately log IP addresses at the application layer.

Account data (paid plans only)

If you upgrade to a paid plan, we collect:

What we do not collect


How we use what we collect

Data Purpose
Deployed HTML content Serving your app at {id}.dropframe.run
App ID + creation timestamp Expiry enforcement; list view
Email (paid plans) Account management, billing receipts, service notices
Payment data (via Paddle) Subscription processing
MCP tokens / API keys Authenticating requests

We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described in the Infrastructure section below.


Infrastructure and sub-processors

Dropframe is built on Cloudflare. Content you deploy is stored and served by Cloudflare's global network. By using Dropframe you acknowledge that your deployed content passes through Cloudflare's infrastructure.

Sub-processor Role Policy
Cloudflare Edge compute (Workers), KV storage, DNS cloudflare.com/privacypolicy
Paddle Payment processing (paid plans only) paddle.com/legal/privacy

We do not use any other sub-processors. We will update this table if that changes.


Data retention

Data Free tier Paid tier
Deployed HTML Deleted automatically after 14 days Retained until you delete the app
App metadata (ID, name, timestamp) Deleted with the app Retained until you delete the app
Email + account data N/A Retained while your account is active; deleted within 30 days of account closure
Payment records N/A Retained for 7 years (legal and tax obligation)

Deletion is permanent. We do not maintain backups of user content that can be selectively restored.


Deployed apps and public access

Every app you deploy is publicly accessible at its URL. Anyone with the link can view it. Dropframe does not support private or access-controlled deployments on the free tier.

If you deploy content that should not be public, do not use Dropframe.


Security

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to hello@dropframe.run before publishing.


Your rights

Depending on your jurisdiction, you may have the right to:

To exercise any of these rights, email hello@dropframe.run. We will respond within 30 days. For deletion requests, we can confirm when content has been removed from our systems.

For paid accounts, you can delete all your apps and close your account from the account settings page. Deletion takes effect immediately for app content; billing records are retained for the legally required period.


Children

Dropframe is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has submitted content through Dropframe, contact us at hello@dropframe.run and we will remove it.


Changes to this policy

We will post any changes to this page and update the "Last updated" date at the top. For material changes, we will notify paid-plan users by email at least 14 days before the change takes effect.


Contact

Email: hello@dropframe.run
Website: dropframe.run

For data protection enquiries specifically, use the subject line "Privacy" in your email.