1. Scope and our role
This Privacy Policy applies to the ToolDrop website, workspace, command-line interface, APIs, hosted tools, support interactions, and related services operated by ToolDrop (collectively, the “Service”). It does not govern third-party services you connect to ToolDrop or websites that merely link to us.
For account, billing, security, website, and direct support information, ToolDrop generally acts as the business or data controller. For source code, app data, credentials, logs, and other content a workspace submits to ToolDrop (“Customer Content”), the workspace customer generally determines why that content is processed and ToolDrop processes it to provide the Service. Workspace administrators control membership, access, connected resources, and many retention decisions for their workspace.
2. Information we collect
Account and workspace information
We receive information such as your name, email address, profile image, authentication identifier, organization membership, role, invitations, and workspace settings. Authentication is provided through Clerk; ToolDrop does not receive your password.
Customer Content and configuration
Depending on how you use the Service, we process:
- tool source bundles, app names, descriptions, versions, deploy messages, and deployment metadata;
- Tool Storage records and managed-database content;
- environment variables, API credentials, and resource connection details that you choose to store;
- workspace branding, designs, domains, scheduled-job definitions, webhook configuration, and access rules;
- app, cron, webhook, audit, and gateway logs created through the Service.
Secret values are encrypted at rest. Authorized users can explicitly retrieve certain secret values because using and managing those values is part of the Service.
Usage, device, and diagnostic information
We process actions such as sign-ins, app opens, deployments, data calls, invitations, billing changes, and administrative activity. Our infrastructure and security providers may also process IP address, browser/device information, timestamps, referring pages, request identifiers, and error or performance data needed to deliver and protect the Service.
Billing and communications
Stripe processes payment-card details. ToolDrop receives billing identifiers and information such as plan, subscription status, invoices, payment-method brand and last four digits, and payment outcomes. We also process messages you send to support, privacy, or security contacts and any information you choose to include.
Cookies and similar storage
We use essential authentication/security storage and preferences you request. Optional analytics or advertising technology remains off until your saved choice permits it. See our Cookie Policy for the current categories and controls.
3. How we use information
We process information to:
- create and secure accounts and workspaces;
- host, deploy, version, share, and operate tools;
- provide storage, managed databases, scheduled jobs, webhooks, logs, billing, and support;
- enforce permissions, usage limits, and workspace instructions;
- detect abuse, investigate errors, maintain reliability, and protect users and the Service;
- communicate operational, billing, security, and support information;
- understand and improve the Service when analytics is permitted;
- measure and improve advertising when advertising storage is permitted;
- comply with law and enforce our agreements.
Where applicable, our legal bases include performing our contract with you, our legitimate interests in operating and securing a business service, your consent for optional technology, and compliance with legal obligations.
5. AI-assisted features
Some optional features can send the prompt and context needed for a requested generation to a configured AI provider, such as Anthropic or OpenRouter. ToolDrop does not send stored secret values as part of an AI prompt. Workspace operators choose whether to configure these providers, and their terms and privacy practices also apply to information sent to them.
Apps you build with Codex, Claude, or another agent are Customer Content. Those agent providers are separate services, and their processing is governed by your relationship with them.
6. Retention and security
We keep information for as long as reasonably needed to provide the Service, maintain legitimate business and security records, comply with law, resolve disputes, and enforce agreements. Retention varies by record and plan. For example, audit-history windows differ by plan, while active source versions and workspace configuration are generally retained while needed to operate the workspace. Backups and fraud, billing, tax, or security records may remain for a limited period after deletion.
ToolDrop uses measures designed to protect information, including access controls, encrypted transport, encryption at rest for stored secrets, scoped credentials, signed tool identity, audit records, and provider security controls. No system is perfectly secure. Keep recovery methods current, protect API and CLI credentials, grant the narrowest practical access, and contact us promptly about suspected compromise.
7. International data transfers
ToolDrop and its providers may process information in the United States and other countries where they operate. Those countries may have different data-protection laws. Where required, we use contractual or other recognized safeguards for transfers of personal information.
8. Your choices and privacy rights
You can update many profile, workspace, access, and billing details through the Service. You can also change optional tracking choices at any time through “Cookie settings” in the footer.
Depending on where you live, you may have rights to request access, correction, deletion, restriction, portability, or an objection to certain processing, and to withdraw consent. You may also have a right to appeal a denied request or complain to a data-protection authority. These rights can be limited—for example, when we must retain billing or security records or when the workspace customer controls the relevant Customer Content.
Send requests to support@tooldrop.app. We may verify your identity and authority before acting. Authorized agents should identify the person they represent and provide evidence of authority.
We do not sell personal information for money. Where applicable law treats certain advertising disclosures as a “sale” or “share,” you can opt out through Cookie settings. A recognized Global Privacy Control signal keeps advertising storage disabled in this interface.
9. Children
The Service is designed for businesses and is not directed to children under 18. We do not knowingly collect personal information from a child through a consumer account. Contact us if you believe a child has provided personal information improperly.
10. Changes to this policy
We may update this policy as the Service or law changes. We will change the effective date and, when a change is material, provide additional notice through the Service or by email when appropriate.
11. Contact
Privacy questions and requests can be sent to support@tooldrop.app. General contact options are listed on our Contact page.

