Updated June 2026
Privacy
What personal data Drops processes, why, how we protect it, and the rights available to the people whose data we handle.
Who this covers
Drops, operated by Latent Supply Pty Ltd, helps businesses respond to comments and direct messages on their own connected social accounts. Two groups have data in Drops: customers, the businesses who sign up and connect their accounts, and end users, the people who comment on or message a customer's connected account.
We act as a data processor on behalf of our customers for end-user conversation data, and as a data controller for customer account data.
What we collect and why
- Customer name and email, from Google sign-in, to authenticate you and operate your account.
- Connected account details and OAuth tokens, from the platform you connect, to read comments and messages and send the replies you configure.
- End-user messages, comments, and platform identity (username, display name, profile image, platform user ID), to trigger automations, populate your inbox, and let you reply.
- Contacts, automation rules, drops, and activity logs, from your configuration and the service running, so you can manage conversations and monitor your workspace.
- Billing details, via Stripe, to take payment.
We collect only what these purposes require. We do not sell personal data, do not use it for third-party advertising, and do not use end-user message content to train machine-learning models.
How automated replies work
AI-drafted replies are off by default. They run only when you explicitly enable an AI-reply action on a specific automation; fixed templates and manual replies never involve AI. When AI drafting is enabled, that automation's triggering message and your prompt are sent to the Vercel AI Gateway, which operates under zero data retention and does not use the content to train models.
Subprocessors
We share personal data only with the infrastructure providers required to run the service:
- Convex for the application backend and database (hosting, storage, scheduled jobs).
- Vercel for web application and API hosting, and the AI Gateway for opt-in AI-drafted replies.
- Google for customer sign-in.
- Stripe for payments.
- Meta (Instagram) and TikTok, the platforms whose accounts customers connect.
Each subprocessor is bound by its own data-processing terms. We maintain this list and update it before adding a new subprocessor.
Security
All data in transit uses TLS 1.2 or higher. OAuth tokens are encrypted at the application layer with AES-256-GCM before storage and are never exposed to browsers. Access is least-privilege and protected by multi-factor authentication, platform webhooks are verified with HMAC signatures, and logs never contain tokens, secrets, or message content.
Retention and deletion
We do not keep end-user content indefinitely. Conversation threads, messages, automation logs, and delivery records are deleted 180 days after their last activity (a configurable period), and event-deduplication markers after 30 days. Connected-account tokens are kept only while the channel is connected.
Disconnecting a channel revokes its token at the platform and permanently deletes that channel and its conversation data immediately. Deleting your workspace revokes every token and erases all channels, automations, drops, message threads, and activity logs.
Your rights
Depending on where you live, including under the GDPR and the CPRA, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Customers can export a complete copy of their workspace data as a JSON file from Settings, disconnect any channel, or delete the entire workspace at any time.
End users can ask the relevant business they messaged, or contact us at admin@latentsupply.com, and we will action deletion of the data we hold. See our data deletion page.
International transfers
Our subprocessors may store and process data in the United States and other regions, and we rely on each provider's transfer safeguards. The service supports US-based business accounts and meets the additional US data-security requirements that apply to them.
Changes and contact
We will update this notice when our processing changes and revise the date above. For any privacy question or request, contact admin@latentsupply.com.