Privacy Policy for dplooy Drag-and-Drop Web Hosting

We protect your privacy in our secure web hosting platform for instant website deployment.

Learn how we handle data in static site hosting, multi file hosting, and custom subdomain hosting services.

Last updated: February 16, 2026•Effective: February 16, 2026

Privacy at a Glance for Web Hosting Users

We Minimize Data Collection

We only collect essential information needed to provide our hosting service.

Your Hosting Files Are Secure

All files are encrypted and stored securely in Firebase Storage with SSL included hosting.

You Control Your Hosting Data

Access, export, or delete your data anytime from your account settings.

GDPR & CCPA Compliant Hosting

We comply with major privacy regulations worldwide.

Information We Collect for Web Hosting Services

Account Information for Hosting Platform

•Email address - Required for account creation and authentication
•Display name - Optional, for personalizing your hosting experience
•Profile photo - Optional, if you choose to upload one or sign in with Google
•Authentication data - Encrypted passwords or OAuth tokens

Usage Information for Multi File Hosting

•Files you upload - HTML hosting, CSS, JavaScript, images, PDF sharing, and ZIP file hosting
•Project metadata - File names, sizes, upload dates, and custom subdomain names
•Project analytics - Aggregated visitor data for your hosted projects (see "Project Visitor Analytics" section below for full details)
•Storage usage - Amount of storage used by your hosting projects

Automatically Collected Information

•IP address - Hashed using SHA-256 for anonymous visitor identification and geolocation; we do not store raw IP addresses
•Browser & device information - User agent string used to determine browser name, operating system, and device category (desktop, mobile, tablet)
•Geographic location - Country, region, and city derived from your IP address via a third-party geolocation service (detail level varies by plan)
•Referrer information - The URL that referred you to a hosted project, used for traffic source analytics
•Authentication cookies - Secure HTTP-only cookies for maintaining hosting sessions

We do not collect: Social Security numbers, financial information (payment processing is handled by Stripe), health information, or any special categories of personal data under GDPR.

How We Use Your Information for Hosting Services

To Provide Our Web Hosting Service

• Host and serve your uploaded files with instant website deployment
• Create and manage your custom subdomain hosting
• Process multi file hosting uploads and generate live links
• Enforce storage and bandwidth limits based on your hosting plan

To Improve Our Hosting Platform

• Analyze usage patterns to optimize 60-second deploy performance
• Debug issues and improve hosting reliability
• Develop new features for static site hosting based on user needs
• Prevent abuse and maintain hosting service quality

To Communicate With Hosting Users

• Send service-related emails (password resets, security alerts)
• Notify about expiring files (free hosting tier)
• Respond to hosting support requests
• Send product updates for new hosting features (only if you opt-in)

Project Visitor Analytics

When someone visits a project hosted on dplooy, we collect certain data server-side to provide project owners with analytics about their website traffic. This section explains exactly what is collected, how it is processed, and who can see it.

What We Collect From Visitors

The following data is collected automatically from HTTP request headers when a visitor loads an HTML page on a hosted project:

•IP address — Immediately hashed using SHA-256. The raw IP address is not stored. The hash is used solely to calculate unique visitor counts.
•Device category — Desktop, mobile, or tablet (derived from the user agent string)
•Browser name — e.g., Chrome, Safari, Firefox (available to Plus and Pro plan project owners)
•Operating system — e.g., Windows, macOS, iOS, Android (available to Plus and Pro plan project owners)
•Geographic location — Country (all plans), region/state (Plus and Pro plans), city and coordinates (Pro plan only)
•Referrer URL — The domain that referred the visitor to the hosted project
•Page path — Which page within the project was viewed
•Time of visit — The hour in which the visit occurred, used for hourly traffic breakdowns

Privacy-By-Design Measures

•IP hashing — Raw IP addresses are never stored. We use a one-way SHA-256 hash solely for unique visitor counting.
•Aggregated data only — Analytics are stored as daily aggregates (e.g., "15 visitors from Germany"), not individual visitor records.
•No cross-project tracking — Visitor data is isolated per project. We do not track visitors across different hosted projects.
•No cookies used for tracking — Analytics are collected server-side from request headers. No tracking cookies or scripts are injected into hosted projects.
•Static assets excluded — Only HTML page requests are tracked. CSS, JavaScript, images, and fonts are not counted.

Geolocation Processing

To determine geographic location from IP addresses, we use a third-party geolocation service (ip-api.com). This processing works as follows:

•The visitor's IP address is sent to ip-api.com to retrieve location data
•Results are cached on our server for 24 hours to minimize external API calls
•Only the resulting location data (country, region, city) is stored — the IP address itself is hashed and discarded
•When the geolocation service is unavailable, we fall back to inferring the country from the browser's Accept-Language header

Data Visibility by Plan

Data Point	Free	Plus	Pro
Page views	✓	✓	✓
Device category	✓	✓	✓
Country	✓	✓	✓
Unique visitors	—	✓	✓
Browser & OS	—	✓	✓
Region / State	—	✓	✓
City & coordinates	—	—	✓
Referrer source	—	✓	✓

For visitors to hosted projects: If you visit a website hosted on dplooy, the project owner may see aggregated analytics (e.g., total visitors from your country, device type). They cannot see your IP address, identity, or any personally identifiable information.

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Contractual Necessity (Art. 6(1)(b))

Processing necessary to provide the hosting service you signed up for:

• Account creation and authentication
• Hosting and serving your uploaded files
• Managing your subscription and processing payments
• Providing customer support

Legitimate Interest (Art. 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

• Preventing fraud, abuse, and security threats
• Collecting aggregated, anonymized project visitor analytics (page views, device types, geographic regions, referral sources) to provide project owners with traffic insights
• Analyzing usage patterns to improve service reliability and performance
• Enforcing our Terms of Service
• Sending service-related communications (e.g., expiration notices, security alerts)

Consent (Art. 6(1)(a))

Processing based on your explicit, freely given consent:

• Marketing emails and product update newsletters (only if you opt-in)
• Optional profile information (display name, photo)

You may withdraw your consent at any time by updating your preferences in account settings or contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Legal Obligation (Art. 6(1)(c))

Processing required to comply with applicable laws, such as responding to valid legal requests, tax and accounting obligations, and fraud prevention requirements.

Data Sharing & Third Parties for Hosting Infrastructure

We believe in data minimization and only share your information when necessary.

Our sharing is limited to essential hosting service providers:

Infrastructure Providers for Web Hosting

Firebase (Google Cloud) - Authentication and secure file storage
Vercel - Frontend hosting and edge functions
Railway - Backend API hosting

Payment Processing for Hosting Plans

Stripe - Secure payment processing (we never see your card details)
PayPal - Alternative payment method (future implementation)

Analytics & Geolocation

ip-api.com - IP-based geolocation to determine visitor country, region, and city for project analytics. IP addresses are sent to this service for location lookup; results are cached for 24 hours and the IP is then hashed and discarded.

We never sell, rent, or share your personal information with third parties for marketing purposes.

Legal Requirements

We may disclose your information if required by law, such as:

• To comply with a legal obligation or court order
• To protect our rights, property, or safety
• To prevent fraud or cybersecurity incidents
• To enforce our Terms of Service

Data Security for SSL Included Hosting

We implement industry-standard security measures to protect your hosting data.

Our SSL included hosting ensures all data is protected:

Encryption for Secure Hosting

• All data transmitted via HTTPS/TLS
• Passwords hashed with bcrypt
• Files encrypted at rest in storage

Access Controls

• Two-factor authentication available
• Secure session management
• Regular security audits

While we use best practices to secure your hosting data, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and enable two-factor authentication when available.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

•Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
•Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34
•Provide details including the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach
•Document all breaches including facts, effects, and remedial actions taken, regardless of whether notification is required

If you believe your account has been compromised or you notice suspicious activity, please contact us immediately at dplooyinc@gmail.com.

Automated Decision-Making & Profiling

In accordance with GDPR Article 22, we want to be transparent about our use of automated processing:

What We Don't Do

• We do not use automated decision-making that produces legal or similarly significant effects on you
• We do not build behavioral or advertising profiles of our users
• We do not use AI or algorithms to make decisions about your account access, pricing, or service availability

Limited Automated Processing

We use basic automated systems only for:

• File type validation — Automatically checking uploaded files match supported formats
• Storage limit enforcement — Automated checks against your plan's storage quota
• Expiration enforcement — Automatically removing free-tier files after 3 days

These are operational processes necessary to run the service and do not constitute profiling or automated decision-making under GDPR Article 22.

Cookies & Tracking for Web Hosting Platform

We use minimal cookies necessary for the hosting service to function:

Authentication Cookies for Hosting

Name: token | Type: HTTP-only | Duration: 7 days

Used to maintain your hosting account login session securely.

Theme Preference

Name: theme | Type: Local Storage | Duration: Persistent

Remembers your light/dark mode preference.

We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users. For more details, see our Cookie Policy.

Your Privacy Rights for Hosting Services

Depending on your location, you have the following rights regarding your hosting data:

For All Hosting Users

✓Access - Download your hosting data from account settings
✓Correction - Update your profile information anytime
✓Deletion - Delete your hosting account and all associated data
✓Portability - Export your hosting data in a standard format

Additional Rights Under GDPR (EU/UK)

✓Withdraw consent - Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing
✓Object to processing - Opt out of processing based on legitimate interests
✓Restrict processing - Limit how we use your data in certain circumstances
✓Not be subject to automated decisions - Right not to be subject to decisions based solely on automated processing that produce legal effects
✓Lodge a complaint - With your local data protection authority

Additional Rights Under CCPA (California)

✓Know what personal information we collect and how we use it
✓Non-discrimination for exercising your privacy rights
✓Opt-out of sale (Note: We do not sell personal information)

How to Exercise Your Rights

Most rights can be exercised directly from your hosting account settings. For other requests:

dplooyinc@gmail.com

Data Retention & Deletion for Hosting Accounts

Active Hosting Accounts

We retain your hosting data as long as your account is active or as needed to provide services.

Free Tier Hosting Files

Files are automatically deleted after 3 days. You'll receive an email notification before deletion.

Project Visitor Analytics

Aggregated analytics data is retained for up to 90 days (Pro plan) or 30 days (Plus plan). Free plan analytics are limited to current totals only. All analytics data is aggregated and does not contain personally identifiable information.

Hosting Account Deletion

When you delete your hosting account, we immediately remove all your personal data, files, and associated project analytics. Geolocation cache entries expire automatically within 24 hours.

Legal Obligations

We may retain certain data longer if required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes).

International Data Transfers for Global Hosting

dplooy operates globally for worldwide hosting services.

Your data may be transferred to and processed in countries other than your own, including the United States.

We ensure appropriate safeguards are in place for international transfers, including:

• Standard Contractual Clauses approved by the European Commission
• Ensuring recipients are in countries with adequate data protection laws
• Technical and organizational measures to protect your hosting data

Children's Privacy for Hosting Services

dplooy hosting services are not intended for children under 13 years of age (or 16 in the EU).

We do not knowingly collect personal information from children.

If you believe we have collected information from a child, please contact us immediately at dplooyinc@gmail.com and we will delete the information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make significant changes:

• We'll update the "Last updated" date at the top
• We'll notify you by email for material changes
• We'll provide a summary of key changes
• We'll give you time to review changes before they take effect

Continued use of dplooy hosting after changes means you accept the updated policy.

Contact Us About Privacy

If you have questions about this Privacy Policy or how we handle your hosting data:

dplooyinc@gmail.com

Privacy & Data Protection

dplooyinc@gmail.com

Response Time

We aim to respond to all privacy inquiries within 30 days.