Privacy Policy
DroConnect, Inc. (“DroConnect,” “we,” “us,” or “our”), a Delaware C-corporation, operates the DroConnect mobile application and the website at droconnect.com (collectively, the “Service”), a two-sided marketplace connecting clients (“Clients”) with FAA-certified drone pilots (“Pilots”).
This Privacy Policy explains what information we collect, how we use it, with whom we share it, how long we keep it, and what rights you have. By creating a DroConnect account or using the Service, you agree to the practices described here.
If you have questions about this Policy or our data practices, contact us at privacy@droconnect.com.
01 Quick summary
- We collect information you give us (name, email, phone, password, profile details), information we collect automatically (device data, usage data, precise location with your permission), and information from our service providers (identity verification and payment status from Stripe).
- We use this information to operate the marketplace, match Pilots to Missions, process payments, verify FAA and identity credentials, prevent fraud, and support you.
- We do not sell personal information.
- We share information only (a) with the other party on a Mission you're participating in, (b) with service providers that power the Service, (c) when required by law, and (d) in connection with a business transaction.
- You can access, correct, or delete your information from the in-app Settings at any time.
02 Who we are
“DroConnect” refers to DroConnect, Inc., a Delaware corporation. Our mailing address is 101 Federal St, Suite 1900, Boston, Massachusetts 02110-1817, United States. You can reach us at privacy@droconnect.com for any privacy-related question, including to exercise your rights under California law.
03 Information we collect
3.1 Information you provide directly
| Category | Examples |
|---|---|
| Account identifiers | Full name, email address, phone number, password (stored only as a salted hash — we never see your plaintext password) |
| Profile | Profile photo, bio, service area (for Pilots), service radius, role (Client or Pilot) |
| Pilot verification | FAA Part 107 certificate image, drone models, camera specifications, equipment photos |
| Mission data | Addresses, site access instructions, Mission descriptions, scheduling details, deliverable files (photos, videos) you upload |
| Communications | Messages you send through in-app chat, reviews and ratings you write about other users |
| Support | Contents of support requests, feedback, incident reports |
3.2 Information collected automatically
| Category | Examples |
|---|---|
| Device | Device model, operating system, app version, language settings, time zone, device identifiers |
| Usage | Screens viewed, features used, session length, crash reports, diagnostic logs |
| Location | With your permission, precise GPS location (to show nearby Missions or compute Mission distance). You can revoke permission in your device settings at any time. |
| Network | IP address and general network information |
| Push tokens | Device push-notification tokens, used to deliver Mission updates |
3.3 Information collected from service providers
| Provider | What we receive |
|---|---|
| Stripe Identity | Identity verification status (verified, processing, requires input). Stripe collects and holds your government-issued ID documents — DroConnect never sees them. |
| Stripe Payments & Connect | Payment and payout account references, transaction status. Stripe handles card and bank account details — we never see full card numbers, CVVs, or bank account numbers. |
| Apple / Google | Crash diagnostics if you opt in via your device settings. |
04 How we use your information
We use your information to:
- Operate the marketplace — match Missions to Pilots by service radius, manage Mission state, deliver messages and notifications, show the right screens to the right role.
- Process payments and payouts — hold Client funds in escrow via Stripe, release Pilot earnings after Mission approval, issue refunds.
- Verify credentials — confirm Pilot identity (via Stripe Identity) and FAA Part 107 certification.
- Prevent fraud, abuse, and violations of our Terms — detect duplicate accounts, monitor suspicious activity, enforce Pilot strikes and suspensions.
- Resolve disputes — review deliverables, mediate Client–Pilot conflicts, issue refunds or partial captures.
- Improve the Service — diagnose bugs, measure performance, understand feature adoption.
- Communicate with you — send transactional emails (account, Mission, payment) and, if you opt in, product updates. Every marketing email includes an unsubscribe link.
- Comply with law — respond to lawful requests, issue tax forms (1099-K for Pilots who exceed IRS thresholds), retain records for tax and accounting.
Legal basis
We rely on the following legal bases for processing:
- Performance of a contract — to provide the Service you asked for.
- Legitimate interest — to secure our platform, prevent fraud, and improve the product.
- Consent — for location access, push notifications, and marketing email (each revocable).
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
05 Third parties and service providers
We share information with the following service providers strictly to operate the Service:
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Supabase | Database, authentication, storage, realtime | All app data | Link |
| Vercel | Website hosting, edge compute, analytics | Website request logs, IP, user agent | Link |
| Stripe | Payments, payouts, identity verification | Name, email, payment info, ID documents (held by Stripe) | Link |
| Twilio | SMS one-time codes (via Supabase Auth) | Phone number | Link |
| Resend | Transactional email | Email address, email content | Link |
| Expo | Build and push-notification delivery | Device push tokens | Link |
| Google Maps / Places | Maps, geocoding, address search | Approximate or precise location | Link |
| Google Analytics | Website usage measurement | Aggregated pageviews, device, country | Link |
| Open-Meteo | Weather forecasts for Mission scheduling | Approximate Mission location only | Link |
| Apple Push Notification Service | Push delivery on iOS | Device push tokens | Link |
| Sentry | Crash and error reporting | Diagnostic logs | Link |
We enter into data-processing agreements with service providers where legally required. We review the list of providers at least annually.
06 How we share your information
We share information only in these circumstances:
6.1 With the other party on a Mission
Once a Pilot claims a Mission, the Client and Pilot see each other's names, profile photos, ratings, reviews, and Mission-relevant contact information. The Client's exact site address is revealed to the assigned Pilot only. Before a Pilot is assigned, only approximate Mission location is visible.
6.2 With our service providers
As listed in Section 5 — strictly to operate the Service.
6.3 In response to legal requests
We may disclose information if legally required (subpoena, court order, other valid legal process) or if we believe disclosure is reasonably necessary to protect our rights, your safety, or the safety of others.
6.4 In a business transaction
If DroConnect, Inc. is acquired, merged, or reorganized, your information may be transferred to the successor entity. We will notify users by email or in-app notice before such a transfer becomes effective.
6.5 With your consent
If you explicitly authorize sharing (for example, connecting a third-party integration in a future release), we will share only what you have authorized.
07 Retention
| Data type | Retention period |
|---|---|
| Account and profile | While your account is active; deleted within 30 days of account-deletion request |
| Mission records (payments, reviews, deliverables) | 7 years — required for IRS, financial, and audit compliance |
| Chat messages | 2 years after the Mission completes |
| Push tokens | 90 days after last active session |
| Crash logs and analytics | 12 months |
| Tax and payout records | 7 years |
Records we are required to retain under U.S. tax, anti-fraud, or other legal obligations will be kept for the required period even after you delete your account.
08 Your rights
You can exercise the following rights from the in-app Settings screen or by emailing privacy@droconnect.com:
- Access — request a copy of the personal information we hold about you.
- Correction — update inaccurate information directly in the app.
- Deletion — delete your account (Settings → Delete account). Subject to the retention exceptions in Section 7.
- Opt out of marketing email — unsubscribe link in every marketing message.
- Revoke location or notification permissions — at any time in your device settings.
We respond to verifiable requests within 30 days.
8.1 California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the additional rights below. To exercise any of these, email privacy@droconnect.com with the subject “California privacy request.”
- Right to know — what personal information we collect about you, where it came from, what we do with it, and with whom we share it.
- Right to delete — ask us to delete personal information we have collected, subject to legal exceptions.
- Right to correct — ask us to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
- Right to limit use of sensitive information — we do not use sensitive personal information for purposes other than those necessary to operate the Service.
- Right to non-discrimination — we will not deny service, charge you more, or give you lower-quality service for exercising any of these rights.
We verify your identity before responding by matching the information you provide with the account on file. Authorized agents must submit written authorization plus proof of identity.
8.2 “Shine the Light” (California Civil Code §1798.83)
California residents may request a list of third parties to whom we have disclosed personal information for direct marketing purposes in the preceding calendar year. We do not share personal information with third parties for their direct marketing purposes, so this list will be empty.
09 Security
We protect your information using:
- Encryption in transit (HTTPS/TLS for all network traffic)
- Encryption at rest for database and file storage
- Row-Level Security (RLS) policies on every database table — users can only read data they are entitled to
- Scoped API keys for third-party integrations
- Webhook signature verification for all inbound Stripe events
- Secure handling of push-notification tokens (Apple APNs, Firebase FCM)
- Regular security audits against the OWASP top 10
No system is 100% secure. If you believe your account has been compromised, contact us immediately at security@droconnect.com.
10 Children's privacy
The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account or provided us with personal information, contact us at privacy@droconnect.com and we will delete the account and associated data.
11 International users
DroConnect currently operates only in the United States. Our servers and service providers are located in the United States. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States, which may have different data-protection laws than your country.
We do not currently offer the Service in the European Union, United Kingdom, or other jurisdictions with comprehensive data-protection frameworks such as GDPR or UK DPA. If we expand, we will update this Policy and notify users.
12 Cookies and similar technologies (website)
Our mobile app does not use cookies. Our website at droconnect.com uses:
- Essential cookies — required for the site to function (session management, CSRF protection).
- Analytics cookies — to understand how visitors use the site (Google Analytics, Vercel Analytics). These collect aggregated, anonymized data.
You can disable cookies in your browser settings. Disabling essential cookies may prevent some site features from working.
13 DMCA notice
If you believe content on DroConnect infringes your copyright, send a notice that complies with the U.S. Digital Millennium Copyright Act (17 U.S.C. §512) to dmca@droconnect.com. The notice must include:
- Your physical or electronic signature.
- Identification of the copyrighted work you claim has been infringed.
- Identification of the allegedly infringing material, with enough detail for us to locate it.
- Your contact information (address, phone number, email).
- A statement that you have a good-faith belief the use is not authorized by the copyright owner, its agent, or the law.
- A statement, under penalty of perjury, that the information is accurate and you are authorized to act on behalf of the copyright owner.
We will investigate and remove infringing content in accordance with the DMCA safe-harbor process. We may also terminate accounts of repeat infringers.
14 Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify users by email (to the address on file) and with an in-app notice at least 30 days before the changes take effect. The “Effective” date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date of a revision means you accept the revised Policy.
15 Contact us
Privacy: privacy@droconnect.com
Security: security@droconnect.com
DMCA: dmca@droconnect.com
General support: support@droconnect.com
Mailing address: 101 Federal St, Suite 1900, Boston, Massachusetts 02110-1817, United States
DroConnect, Inc. — a Delaware corporation.