Privacy Policy

Last updated: March 5, 2026

1. Introduction

StatusDrop ("we," "us," or "our") operates the statusdrop.dev website, dashboard, embeddable widget, hosted status pages, and related APIs (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

StatusDrop is the data controller responsible for your personal data. For questions or concerns about how your data is processed, you may contact us at:

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to you, including account creation, stack management, widget delivery, status monitoring, and billing.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, ensuring security, and analyzing aggregated usage patterns. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable legal obligations, such as tax record-keeping and responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before processing. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

4. Data We Collect

4.1 Account Data

When you create an account through our authentication provider (Clerk), we collect:

  • Email address
  • Full name (if provided)
  • Profile picture (if provided via OAuth)
  • Clerk user identifier
  • Account creation timestamp

4.2 Service Usage Data

When you use the dashboard, we collect data related to your use of the Service:

  • Stacks you create (name, slug, configuration)
  • Services you add to stacks (selected from our catalog or custom URLs)
  • Widget configurations (template, theme, accent color, branding preferences)
  • Status page settings (custom domain, layout preferences)
  • Notification preferences (webhook URLs, email alert addresses)

4.3 Billing Data

Payment processing is handled entirely by Clerk (via Stripe). We do not directly store credit card numbers, CVVs, or full payment card details. We receive and store:

  • Subscription plan type (free or Pro)
  • Subscription status (active, canceled, past due)
  • Billing cycle information

4.4 Technical Data

When you access the Service, we may automatically collect:

  • IP address (for rate limiting and security purposes)
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used within the dashboard
  • Timestamps of access

4.5 Status Check Data

We fetch publicly available status page data from third-party services (e.g., Stripe, AWS, GitHub) that you add to your stacks. This data includes service health indicators, component statuses, and response times. This is not personal data; it is publicly available information retrieved from official status page APIs.

4.6 Support and Feedback Data

If you submit a support request or feedback through our platform, we collect the content of your message, your email address, and any attachments you provide.

5. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery: To create and manage your account, stacks, services, and widget configurations.
  • Status monitoring: To check third-party service status pages and deliver status data through widgets and hosted status pages.
  • Notifications: To send status change alerts via Slack webhooks, Discord webhooks, or email (Pro feature), and to send essential service communications.
  • Billing: To process subscriptions, enforce plan limits, and manage upgrades or cancellations.
  • Security: To protect against unauthorized access, abuse, and fraud through rate limiting and access controls.
  • Service improvement: To analyze aggregated, anonymized usage patterns and improve the Service.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.
  • Support: To respond to your support requests and feedback.

6. Widget and Embedded Script Data

The StatusDrop embeddable widget is a standalone JavaScript bundle that customers embed on their websites using a <script> tag. It is important to understand what the widget does and does not do:

What the widget does:

  • Fetches service status data from our public API endpoint (/api/widget/[slug])
  • Renders a status indicator on the page using the fetched data
  • Polls for updated status data every 60 seconds
  • Opens the hosted status page in a new tab when clicked

What the widget does NOT do:

  • It does NOT set, read, or use any cookies
  • It does NOT track, fingerprint, or identify website visitors
  • It does NOT collect any personal data from website visitors
  • It does NOT use localStorage, sessionStorage, or IndexedDB
  • It does NOT load any third-party tracking scripts
  • It does NOT send any visitor information to StatusDrop or any third party

The widget communicates exclusively with our API to retrieve status data for the configured stack. No visitor data is transmitted in these requests beyond the standard HTTP headers sent by the browser (such as IP address and User-Agent in server logs). We do not log or store visitor-level data from widget API requests beyond what is necessary for rate limiting and abuse prevention.

For website owners embedding the widget: The StatusDrop widget is designed to be privacy-friendly and does not require cookie consent banners or GDPR consent mechanisms on its own, as it does not process personal data of your website visitors.

7. Third-Party Data Processors

We use the following third-party service providers (data processors) to operate the Service. Each processor has committed to data protection obligations consistent with GDPR requirements:

Provider | Purpose | Data Processed | Location
Clerk | Authentication, session management, billing (via Stripe) | Email, name, profile picture, session tokens, payment data | United States
Convex | Database, backend functions, cron jobs | Account data, stacks, services, status checks, configurations | United States
Vercel | Application hosting, edge functions, CDN | HTTP request data, server logs | Global (edge network)
Upstash Redis | Caching, rate limiting, status check deduplication | Cached status data, rate limit counters (IP-based) | United States
Resend | Transactional email delivery | Email addresses, email content (status alerts, notifications) | United States

We have Data Processing Agreements (DPAs) or equivalent contractual protections in place with each processor. We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

8. International Data Transfers

Our Service and most of our third-party processors are based in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries outside your jurisdiction.

We ensure that such transfers are carried out in compliance with GDPR by relying on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission for the destination country
  • The EU-U.S. Data Privacy Framework, where applicable
  • Other legally recognized transfer mechanisms under applicable data protection law

You may request a copy of the safeguards in place by contacting us at privacy@statusdrop.dev.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account data: Retained for the duration of your active account. Upon account deletion, all personal data is permanently removed within 30 days.
  • Stack and service data: Retained for the duration of your active account and deleted along with your account data.
  • Status check history: Retained for 7 days on the Free plan and 90 days on the Pro plan. Older records are automatically purged.
  • Cached status data (Redis): Automatically expires after the configured cache TTL (typically 1 to 5 minutes).
  • Server logs: Retained by our hosting provider (Vercel) according to their data retention policies, typically for up to 30 days.
  • Billing records: Retained as required by applicable tax and accounting laws, typically for up to 7 years after the end of the billing relationship.
  • Support and feedback: Retained for as long as necessary to resolve requests and improve the Service, unless you request deletion.

10. Your Rights Under GDPR

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under GDPR Articles 13 through 22. You may exercise any of these rights by contacting us at privacy@statusdrop.dev.

  • Right of access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
  • Right to rectification (Art. 16): You have the right to request correction of any inaccurate personal data, or to have incomplete data completed.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when there is no other legal basis for processing.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful.
  • Right to data portability (Art. 20): You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
  • Right to object (Art. 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

We will respond to your request within 30 days. In certain cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay. If we cannot comply with your request, we will provide an explanation.

11. Cookies

Our website uses only essential cookies that are strictly necessary for the operation of the Service. We do not use advertising, analytics, or tracking cookies.

Cookie Type | Provider | Purpose | Duration
Session cookie | Clerk | Authentication and session management. Required to keep you signed in. | Session / 7 days
CSRF token | Clerk | Protects against cross-site request forgery attacks. | Session

These cookies are classified as "strictly necessary" under GDPR and ePrivacy regulations. They do not require consent because the Service cannot function without them.

Embeddable widget: The StatusDrop widget embedded on customer websites does not set, read, or use any cookies whatsoever.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child under 16, please contact us at privacy@statusdrop.dev.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest by our database and storage providers
  • Authentication managed by Clerk with industry-standard security practices, including bcrypt password hashing and optional multi-factor authentication
  • Role-based access controls within the application
  • Rate limiting and abuse prevention on all public API endpoints
  • Regular security reviews and dependency updates
  • Ownership verification on all data access and modification operations

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining strong protections and responding promptly to any security concerns.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
  • Document the breach, including its nature, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address and mitigate the breach.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Post the revised Privacy Policy on our website
  • Notify you by email or through an in-app notification for significant changes that affect your rights

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

16. Data Protection Contact

For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:

We aim to respond to all data protection inquiries within 30 days. For GDPR-related requests, we will confirm receipt and provide a substantive response within the timeframes required by applicable law.

17. Supervisory Authority

If you are located in the EEA or the United Kingdom and believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities and their contact details is available at the European Data Protection Board website.

We encourage you to contact us first so we can attempt to resolve your concern directly.