The fastest path — delete from the app
The single fastest way to exercise the right to erasure is from inside the app. We built it so you don't need permission to leave:
- Open Dripp on your phone, tap Settings → Privacy → Delete account, confirm.
- The app calls our backend, which fires the full erasure pipeline: Postgres rows purged, R2 objects (input + output images) deleted, Redis session and rate-limit keys flushed.
- A redacted audit log is written to a separate table so we can prove the deletion happened — it contains a hashed user id, the timestamp, and the request id. No email, no photo, no prompt.
Target sync inside 60 seconds. Statutory window if anything sticks: 30 days.
We aim for 60 seconds end-to-end. If a vendor is slow or a queue is backed up, the statutory window is 30 days — but in practice it's usually done before you've closed the app. You'll get an in-app confirmation when the pipeline finishes.
Read on if you can't reach the app (account locked, phone lost, never installed it), if you want something other than erasure, or if you'd rather have a paper trail.
What you can ask for
Under the EU GDPR, UK GDPR, and Switzerland's nFADP, you have the right to:
- Access — get a copy of the personal data we process about you and the context (purposes, recipients, sources, retention).
- Rectification — correct inaccurate or incomplete data we hold.
- Erasure — the “right to be forgotten”.
- Restriction of processing — tell us to stop processing while a dispute is sorted out.
- Data portability — receive your data in a structured, machine-readable format you can take elsewhere.
- Objection — object to processing based on our legitimate interests (e.g. anti-abuse signals).
- Withdraw consent — for anything we do on a consent basis (analytics, mostly). Withdrawing doesn't invalidate what we did with consent before.
- Not be subject to solely automated decision-making with legal or similarly significant effects.
California residents under the CCPA / CPRA also get:
- Right to know — what we collect, for what purposes, and who we share it with.
- Right to delete — same as erasure, above.
- Right to opt out of sale or sharing — Dripp doesn't sell personal data and doesn't share it for cross-context behavioural advertising. The opt-out is therefore automatic, but you can confirm it in writing if you want a paper trail.
- Right to non-discrimination — we won't charge you more, give you less, or downgrade your experience for using any of these rights.
What we need from you
To make sure we're responding to the right person — and not handing your data to someone pretending to be you — we ask for a minimal verification bundle:
- The email address associated with your Dripp account. We match it against our Supabase auth records.
- A recent device or transaction identifier. Any one of: the timestamp of a recent edit you generated, your App Store originalTransactionId, or the device model + iOS version you last used Dripp on. This is how we tell genuine requests from speculative ones.
- For non-account requests — i.e. you've never had an account but think we might still hold data about you — enough information for us to look. Tell us what data you think we have and why.
We may write back with follow-up questions if we can't confidently match you. We won't guess. If we can't verify you after a reasonable exchange, we'll tell you so and explain what alternatives exist.
The request form
Fill the fields below — they'll pre-fill the email body when you tap the send button. Edit anything you want before sending.
The form is intentionally static — no JavaScript, no server-side handler, no analytics on this page. The button opens your default mail client with a pre-filled message; the request lands as a real email, and we reply within the statutory window described below.
Our timeline
Under the GDPR and UK GDPR we have one calendar month from receipt of your request to respond. For particularly complex or numerous requests we may extend the deadline by a further two months — if we do, we'll tell you within the first month, explain why, and give you a revised date.
Under the CCPA we have 45 days from receipt, extendable by a further 45 days where reasonably necessary. We'll notify you of the extension and the reason.
In practice, deletion requests usually complete inside a minute (see section 01) and access requests inside five working days. The legal windows are ceilings, not targets.
How we verify you
The verification flow is deliberately minimal:
- We cross-check the email address you write from against our Supabase auth records. If it matches an account, that's a strong first signal.
- If you mentioned a transaction or App Store originalTransactionId, we verify it against RevenueCat. This is the highest-trust signal because Apple controls the chain.
- For non-account requests we'll ask follow-up questions scoped to what we'd need to find anything about you.
We do not ask for government ID — collecting it would be disproportionate to the risk and would itself create a privacy problem. If our normal verification fails, we'll tell you what specifically we couldn't match and offer reasonable alternatives.
Authorized agents
California residents may designate an authorized agent to submit a CCPA / CPRA request on their behalf. The agent must provide:
- Written, signed permission from you authorizing them to act for you, or proof of power of attorney under the California Probate Code.
- Confirmation of the agent's own identity.
Even with a valid agent in place, we may still contact you directly to confirm that you've authorized the agent and that you want us to process the request — this is a CCPA-permitted safeguard against impersonation.
No charge, unless excessive
Your first DSAR in a 12-month period is free, as required by both GDPR and CCPA. If a request is manifestly unfounded, excessive, or repetitive — for example, the same access request fired weekly — we may:
- Charge a reasonable fee that reflects our administrative cost of responding; or
- Refuse to act on the request and explain why, and tell you how to complain about that decision.
We'll explain our reasoning in writing before doing either, and we won't use this clause to wear you down.
Appeal or complain
If our response doesn't meet your expectations, you have the right to lodge a complaint with the supervisory authority in your country of residence, work, or alleged infringement. For our home jurisdiction:
- Romania (lead)
- ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, București, Romania
dataprotection.ro
- California (US)
- California Privacy Protection Agency (CPPA)
cppa.ca.gov
- Other EEA / UK
- Your local data protection authority — every EEA member state and the UK have one, and you may file with any of them.
We'd much rather hear from you first and try to fix it ourselves — email privacy@trydripp.com and we'll do our best — but the right to complain to a regulator is yours regardless.
Contact
- DSAR inbox
- privacy@trydripp.com
- Controller
- Dripp Labs S.R.L.
- Postal address
- Calea Victoriei 33
București 010071
Romania
For everything that isn't a rights request — support, billing, press, partnerships — see /contact.