← Back to LayerDrop

Privacy Policy

Last updated: February 26, 2026

LayerDrop ("we", "us", "our") is operated by the LayerDrop team. This Privacy Policy explains how we collect, use, and protect your information when you use our website at layerdrop.net and the LayerDrop application (the "Service").

We are committed to protecting your privacy. We collect the absolute minimum data necessary to provide the Service and we never sell, share, or rent your personal information to third parties for marketing purposes.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address - Used for authentication, account recovery, and essential service communications only.
• Password - Stored as a cryptographic hash. We never store or have access to your plain-text password.

1.2 Image and Art Data

Images you upload are processed entirely within your web browser using the HTML5 Canvas API. Uploaded art files never leave your device. We do not store or have access to your uploaded images.

AI-generated images: When you use the AI generation feature, your text prompts are sent to a third-party AI service (Replicate) to generate images. The generated images are returned to your browser. We do not store your prompts or generated images on our servers. Replicate may temporarily process your prompts in accordance with their privacy policy.

Generated collections are assembled entirely in your browser. We never see, store, or transmit your final exported collections.

1.3 Automatically Collected Data

We do not use analytics, tracking pixels, fingerprinting, or any third-party tracking services. We do not collect:

• IP addresses for tracking purposes
• Device fingerprints
• Browsing history
• Usage analytics or behavioral data
• Location data

2. How We Use Your Information

Data	Purpose	Legal Basis (GDPR)
Email	Account authentication, password resets, critical service notifications	Contract performance
Password (hashed)	Secure authentication	Contract performance
AI prompts	Sent to Replicate to generate images, not stored by us	Contract performance

We do not send marketing emails, newsletters, or promotional communications unless you explicitly opt in to such communications in the future.

3. Cookies and Local Storage

We use a single session cookie managed by our authentication provider (Supabase) to keep you signed in. This is strictly necessary for the Service to function. We do not use:

• Tracking cookies
• Third-party advertising cookies
• Analytics cookies
• Cross-site tracking of any kind

Your browser's local storage may be used to persist your authentication session. No other data is stored locally by the Service.

4. Third-Party Services

We use the following third-party services:

• Supabase (authentication) - Processes your email and hashed password for account management. Supabase is SOC 2 Type II compliant. Supabase Privacy Policy.
• Stripe (payment processing) - Processes payment information directly. We never see or store your full card number. Stripe is PCI DSS Level 1 compliant. Stripe Privacy Policy.
• Replicate (AI image generation) - Processes your text prompts to generate images when you use the AI feature. Prompts are sent securely and not stored by us. Replicate Privacy Policy.

We do not share your personal data (email, account info) with Replicate. Only text prompts are sent to generate images. We do not use any advertising networks, data brokers, or social media tracking.

5. Data Storage and Security

Your account data (email and hashed password) is stored on Supabase's infrastructure with the following protections:

• Encryption at rest and in transit (TLS 1.2+)
• SOC 2 Type II certified infrastructure
• Row-level security policies
• Regular security audits

Since your images and generated collections never leave your browser, there is no image data to secure on our end.

6. Your Rights

6.1 Rights Under GDPR (EU/EEA/UK Residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

• Right of Access - Request a copy of your personal data.
• Right to Rectification - Request correction of inaccurate data.
• Right to Erasure - Request deletion of your account and all associated data.
• Right to Restriction - Request restriction of processing.
• Right to Data Portability - Receive your data in a structured, machine-readable format.
• Right to Object - Object to processing based on legitimate interests.
• Right to Withdraw Consent - Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at admin@layerdrop.net. We will respond within 30 days.

6.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Request deletion of your personal information.
• Opt out of the sale of personal information. We do not sell your personal information.
• Non-discrimination for exercising your privacy rights.

6.3 Rights Under LGPD (Brazilian Residents)

Brazilian residents have rights similar to GDPR, including access, correction, deletion, and data portability.

6.4 Rights Under POPIA (South African Residents)

South African residents have the right to access, correct, and delete their personal information.

7. International Data Transfers

Your account data may be processed in the United States where our infrastructure providers operate. When data is transferred outside your jurisdiction, it is protected by:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• Encryption in transit and at rest
• Service provider agreements with adequate data protection commitments

8. Data Retention

We retain your account data (email, hashed password) for as long as your account is active. Upon account deletion:

• Your email and authentication data are permanently deleted within 30 days.
• There are no images or art files to delete, as we never store them.
• Payment records may be retained as required by applicable tax and financial regulations.

9. Children's Privacy

LayerDrop is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you are under 18, do not use the Service or provide any personal information. If we become aware that we have collected data from a child under 18, we will delete it promptly.

10. Do Not Track

We honor Do Not Track (DNT) browser signals. Since we do not track users in the first place, there is no tracking behavior to disable.

11. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR and other applicable laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data requests, or to exercise your rights:

Email: admin@layerdrop.net

Data Controller: the LayerDrop team