Back to Home

Privacy Policy

Last updated: February 18, 2026

Introduction

Droplink ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at droplink.fm (the "Service").

By using Droplink, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Information We Collect

We collect several types of information to provide and improve our Service:

Account Information

When you create an account, we collect your email address, name, and authentication credentials (password hash or OAuth tokens).

Landing Page Data

Spotify URLs, track/playlist/album/artist IDs, custom text content, design preferences, and configuration settings you provide when creating landing pages.

Conversion Tracking Data

Meta Pixel IDs, Conversions API (CAPI) access tokens (encrypted), custom event names, and conversion event data.

Analytics and Usage Data

Page views, click events, visitor IP addresses (anonymized), browser type, device information, and aggregated statistics.

Payment Information

Billing details processed through Stripe. We do not store credit card numbers on our servers.

How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, maintain, and improve our Service
  • To create and manage your landing pages
  • To process conversion tracking through Meta Pixel and CAPI
  • To process payments and manage subscriptions
  • To send service-related communications (updates, security alerts)
  • To provide customer support
  • To analyze usage patterns and optimize performance
  • To detect and prevent fraud or abuse
  • To comply with legal obligations

Spotify Integration and Fan Gates

Some landing pages created on Droplink include a "fan gate" — a feature that requires a visitor to complete a Spotify action (such as following an artist or saving a track) in order to access exclusive content. This section explains exactly what data we access, why, and how we handle it.

Public Metadata (No User Login Required)

We use the Spotify Web API with server-side Client Credentials (app-level authentication) to fetch publicly available metadata about tracks, playlists, albums, and artists. This includes track titles, artwork, artist names, and playlist contents. No Spotify user account is involved in this process.

Visitor Spotify OAuth (Fan Gate Flow)

When a landing page has a Spotify fan gate, visitors are invited — but never required — to connect their Spotify account to unlock exclusive content. If a visitor chooses to connect, the following occurs:

  • The visitor is redirected to Spotify's official authorization page, where Spotify presents a consent screen describing the permissions being requested
  • The visitor explicitly approves the requested permissions on Spotify's own interface
  • Spotify issues a short-lived access token that is returned to our server
  • We use that access token to perform exactly the action shown (follow an artist, save a track, or follow a playlist) on the visitor's behalf
  • The access token is immediately encrypted (AES-256-GCM) and stored temporarily for up to 5 minutes solely to complete verification
  • Once verification is complete, the token is permanently deleted from our systems
  • We never store, log, or share the visitor's Spotify username, profile information, listening history, or any other Spotify data beyond what is strictly necessary to confirm the action was completed

Spotify Permissions (Scopes) We Request

Depending on the gate type configured by the landing page creator, we may request the following Spotify permissions from visitor accounts:

user-follow-readTo check if you already follow the artist (avoids duplicate action)
user-follow-modifyTo follow the artist on your behalf when you approve the gate
user-library-readTo check if you already saved the track (avoids duplicate action)
user-library-modifyTo save the track to your library when you approve the gate
playlist-modify-publicTo follow a public playlist on your behalf when you approve the gate
playlist-modify-privateTo follow a private playlist on your behalf when you approve the gate

We only perform the specific action shown in the gate UI. We do not access your playlists, listening history, followers, or any other Spotify data. We do not retain your Spotify access token after verification is complete.

Data Retention for Spotify Tokens

Visitor Spotify access tokens are stored encrypted in our database for a maximum of 5 minutes. They are deleted immediately upon successful verification, or automatically purged by our cleanup process if verification does not occur within that window. We never store Spotify refresh tokens from visitor OAuth sessions.

What We Do Not Do With Spotify Data

  • We do not sell, share, or transfer Spotify user data to any third party
  • We do not use Spotify data for advertising or profiling
  • We do not store Spotify user profile information (name, email, profile image)
  • We do not retain access tokens beyond 5 minutes
  • We do not perform any Spotify actions beyond what the visitor explicitly approves
  • We do not access your saved tracks, playlists, or listening activity for any purpose other than the specific idempotency check (to avoid performing an action you've already completed)

Opting Out of Spotify Fan Gates

Connecting your Spotify account to a fan gate is always voluntary. If you do not wish to connect your Spotify account, you may choose not to use the gated content feature on the landing page. Declining does not affect your ability to view the rest of the landing page.

Third-Party Services

We work with trusted third-party service providers to operate our Service:

Vercel (Hosting & Infrastructure)

Our application is hosted on Vercel. Data is stored in secure data centers.

Stripe (Payment Processing)

Payment information is processed by Stripe. We do not store credit card details.

Resend (Email Communications)

Transactional emails are sent via Resend. We share your email address for this purpose.

Meta (Facebook/Instagram)

If you configure Meta Pixel integration, conversion events are sent to Meta's servers according to your settings. We act as a data processor for this functionality.

Spotify

We use the Spotify Web API to fetch public metadata (tracks, albums, playlists, artists) and, for fan gate features, to perform authorized actions on behalf of visitors who explicitly consent via Spotify's OAuth flow. See the "Spotify Integration and Fan Gates" section above for complete details. Spotify's own Privacy Policy governs data processed through their platform.

Data Storage and Security

We implement industry-standard security measures to protect your data:

  • All data is transmitted over HTTPS encryption
  • Passwords are hashed using bcrypt
  • CAPI tokens are encrypted using AES-256-GCM before storage
  • Database access is restricted and audited
  • Regular security updates and monitoring

While we strive to protect your information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

Data Retention and Deletion

We retain your information for as long as your account is active or as needed to provide our Service. You may delete your account at any time from your account settings.

When you delete your account:

  • All landing pages and associated data are permanently deleted
  • Your personal information is removed from our active databases
  • Encrypted CAPI tokens are destroyed
  • Aggregated analytics may be retained for statistical purposes (anonymized)

Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Request your data in a machine-readable format
  • Objection: Object to certain processing activities
  • Restriction: Request restriction of processing

GDPR Rights (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to be informed about data collection and use
  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

To exercise any of these rights, please contact us at support@droplink.fm.

CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to say no to the sale of personal information (we do not sell data)
  • Right to access your personal information
  • Right to delete your personal information
  • Right to equal service and price (no discrimination)

We do not sell your personal information to third parties.

Cookies and Tracking

We use cookies and similar tracking technologies. For detailed information, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: support@droplink.fm

Back to Top