Privacy policy

General information only. This policy describes how The DropMuse collects and processes personal data. It is provided for informational purposes and does not constitute legal advice. The platform is not responsible for compliance with applicable laws by users, sellers, or buyers. Updates may occur periodically; continued use of the service indicates acknowledgment of the updated policy where permitted by law.

1. Who we are

The DropMuse (“we,” “us”) operates the website and marketplace services at thedropmuse.com. The DropMuse is responsible for the personal information collected through this Platform. For privacy inquiries, email [email protected] or use our Contact page.

2. What we collect

• Account data: name, email, password (stored only as a one-way cryptographic hash—we do not store your password in plain text), profile details you choose to add, and similar account fields.
• Transaction data: orders, shipping addresses, payment references (payment card data is handled by our payment processors; we do not store full card numbers).
• Verification data: where you complete phone or identity checks, we or our providers may process verification signals, document metadata, or status flags needed for fraud prevention, compliance, and payouts.
• Content you upload: images, listings, messages sent through the platform.
• Technical data: IP address, device/browser type, cookies or similar identifiers, logs for security and debugging.
• Communications: emails or support tickets you send us.

3. Why we use data

• Provide and improve marketplace functionality
• Process payments; detect and prevent fraud, abuse, money laundering, or platform manipulation
• Comply with legal obligations and respond to lawful requests
• Send service-related notices (marketing emails only if opted-in)
• Aggregate or pseudonymous analytics to understand usage trends

4. Sharing

We may share data with:

• Service providers (hosting, email, analytics, payment processors) under confidentiality agreements
• Payment and identity partners — primarily Stripe (or successors we disclose) for card payments, payouts, Connect accounts, and identity verification flows. Their use of data is governed by their policies and our agreements with them.
• SMS provider — Twilio (or successors we disclose) for sending one-time passcodes (OTPs) to the phone number you provide during verification. Your phone number is transmitted to Twilio solely to deliver that SMS message.
• Sellers for order fulfillment (e.g., shipping address)
• Authorities when required by law or to protect rights and safety
• Business transfers if we merge or sell assets (with continued data protection obligations)

We do not sell your personal information. We do not sell or share your personal information for cross-context behavioral advertising purposes. No opt-out mechanism is required as we do not engage in such activities. Where “sale” or “sharing” has a legal meaning under applicable law (including CPRA), we aim to honor opt-out rights where required.

5. Cookies

We use session cookies solely to keep you signed in while you use the Platform. We do not use advertising, tracking, or third-party analytics cookies. Disabling cookies in your browser will prevent sign-in from working.

6. Retention

We retain data only as long as necessary for operational, legal, tax, anti-fraud, and dispute purposes:

• Account/profile data: while active, then up to 24 months post-closure for fraud/dispute/legal defense
• Orders and payment records: generally 7 years for accounting/tax/compliance
• Messages and moderation logs: retained as long as necessary for dispute resolution, fraud prevention, and legal compliance
• Security logs: retained as long as operationally necessary
• Backups: rolling snapshots for a limited period, then overwritten

7. Legal bases (where applicable)

Depending on your jurisdiction, processing may rely on one or more of: performance of a contract (operating your account and orders), legitimate interests (security, fraud prevention, service improvement, and analytics in non-intrusive form), legal obligation (tax, payment rules, lawful requests), and consent where we expressly ask for it (for example, optional marketing). Where consent is withdrawn, we will stop processing that depends on it unless another basis applies.

8. Automated processing and fraud prevention

We may use automated rules, risk scores, caps, or signals (for example, relating to orders, cancellations, verification status, or account behavior) to protect users, meet payment-partner requirements, and maintain platform integrity. These measures are not intended to produce legal or similarly significant effects about you without human oversight where required by law; you may contact us to understand how a decision affected you.

9. Your choices & rights

Depending on location, you may have rights to access, correct, delete, restrict, object to, or port your data, and to lodge a complaint with a supervisory authority. U.S. state privacy laws: Residents of certain states (including California) may have additional rights such as knowing categories of personal information collected, requesting deletion subject to exceptions, opting out of “sale” or “sharing” as defined by law, and non-discrimination for exercising rights. We do not sell personal information as defined in the common “sale” sense; see “Sharing” above.

Account deletion (right to be forgotten): You may delete your account at any time from your Profile settings under “Delete Account.” This permanently removes your personal information (name, email, phone, address) from our systems. Order and transaction records are anonymised and retained only as required for accounting, legal, and fraud-prevention purposes. To prevent abuse, a one-way cryptographic fingerprint of your sign-in identity is retained after deletion solely to block re-registration; this fingerprint cannot be used to identify you and is not shared. Account deletion may not be available while you have open orders, pending payouts, unresolved disputes, or an outstanding adjustment balance — these must be resolved before deletion can proceed.

To submit a request, use our Contact page or email [email protected] (no login required for privacy rights requests). We may verify your identity before fulfilling requests. Excessive, unfounded, or illegal requests may be declined. You may designate an authorized agent where your law allows, subject to verification.

10. International transfers

If you access the service outside the operator’s primary country, your data may be processed elsewhere with legally required safeguards (e.g., standard contractual clauses).

11. Children

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will terminate their account.

12. How we store and protect information

We use a combination of technical and organizational measures designed to reduce risk. No method of storage or transmission is 100% secure; we cannot guarantee absolute security.

• Passwords and one-time codes: Account passwords and similar secrets (for example, one-time verification codes where used) are processed with one-way cryptographic hashing (e.g., bcrypt). We do not store those secrets in reversible plain text in our databases.
• Encryption and sensitive fields: Certain categories of personal information may be stored using application-layer encryption or similar controls while at rest on our systems. Encryption keys are managed on the server side. This reduces exposure if storage is compromised but, like all systems, is not a guarantee against misuse or breach.
• Hashes for operations: Where needed for security, administration, or deduplication (for example, non-reversible fingerprints for lookup in internal tools), we may store cryptographic hashes derived from specific fields. Those hashes are not intended to be usable to reconstruct the original value without access to secret material.
• Data in transit: We use HTTPS (TLS) for connections between your browser and our services in normal operation, which helps protect data from casual interception on the network.
• Sessions and authentication: Logged-in sessions are managed with server-side session mechanisms and related controls. Session identifiers should be treated as sensitive.
• Payment card data: Card numbers and CVC codes are handled by qualified payment processors (e.g., Stripe). We typically receive only limited references (such as payment intent or charge identifiers) needed to operate orders, refunds, and disputes—not full card data.
• Identity verification: Government ID or similar checks you complete through our providers are subject to those providers’ security and retention practices, in addition to what we retain as required for compliance and fraud prevention.

13. Security (summary)

We maintain reasonable safeguards appropriate to the nature of the service. You are responsible for choosing a strong password, keeping credentials confidential, and notifying us if you suspect unauthorized access.

14. Incident response and account protection

Suspicious account takeover or security abuse may lead to session invalidation, credential reset, temporary action limits, and security notices. Evidence may be preserved for fraud, abuse, or legal claims.

15. Moderation and platform integrity

Trust & safety processing (e.g., message flags, reports) is used solely for fraud prevention, legal compliance, and platform integrity. Retention aligns with this Privacy Policy and our Support / Terms pages.

16. Responsibility disclaimer

The DropMuse provides the platform for buyers and sellers. We are not responsible for seller or buyer compliance with privacy laws, transaction disputes, refunds, or user conduct. Users interact and share information at their own discretion.

17. Changes to this policy

We may update this Privacy Policy to reflect changes in law, our practices, or product features. We will post the revised policy on this page and update the effective date on this page. Where required by law or where changes are material, we may provide additional notice (for example, by email or an in-product message). Continued use of the service after the effective date may constitute acceptance where permitted by law.

Effective from: June 1, 2026