Privacy Policy

Effective Date: February 2026

Introduction

DropSupport is an AI-powered customer support automation service for D2C e-commerce brands, operated by Meridian Studio (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect personal data when you use our service, including data belonging to your customers, prospective customers, and visitors to your Shopify store.

Data Minimization

We only collect and process the minimum personal data necessary to provide our service. We access only the data fields required for ticket classification, response generation, and order context lookup. We do not collect or store personal data that is not directly required for these purposes.

Personal Data We Process

We are transparent about the personal data we process and our purposes for processing it:

Merchant Account Information

When you create an account, we collect your email address and name via authentication. This is used solely for account management and service access.

Customer Email Content

We access and store customer support emails from your connected email account via IMAP. This includes email subject lines, body content, sender/recipient email addresses, customer names, and timestamps. Purpose: To classify support tickets and generate AI-assisted draft responses.

Shopify Customer Data

When you connect your Shopify store, we access read-only data including:

  • Order information: Order numbers, statuses, line items, totals, fulfillment and tracking details. Purpose: To provide order context in support responses.
  • Customer information: Names, email addresses, order history, lifetime value, and tags. Purpose: To identify customers and provide relevant context.
  • Product information: Titles, SKUs, and variants. Purpose: To reference products in support responses.

AI-Generated Content

We store AI-generated classifications, ticket categories, sentiment analysis, confidence scores, and draft responses. Purpose: To automate support workflows and provide analytics.

Purpose Limitation

We limit the use of all personal data strictly to the purposes described above. We do not use personal data for marketing, advertising, profiling, or any purpose other than providing and improving the DropSupport service for your store.

Customer Consent and Rights

Respecting Customer Consent

We respect and apply the consent decisions made by your customers. If a customer has opted out of communications or data processing through your store, we honor those preferences. We do not override or bypass any consent settings established by merchants or their customers.

No Sale of Personal Data

We do NOT sell, rent, trade, or otherwise monetize personal data belonging to merchants, their customers, or store visitors. We respect and apply any customer decisions to opt out of having their data sold, though this is not applicable as we never sell data under any circumstances.

Automated Decision-Making

DropSupport uses AI to classify support tickets and generate draft responses. These automated decisions do not have legal or similarly significant effects on customers—they are internal workflow tools that assist merchants in responding to support inquiries. All AI-generated responses must be reviewed and approved by a human before being sent to customers. If you believe an automated decision has affected you, contact us at support@meridianstudio.dev to request a review.

AI Processing

We use third-party AI services to power our automation features:

  • Google Gemini for text classification and response generation
  • OpenAI for text embeddings and semantic search

Email content and Shopify data are sent to these services for processing. We do NOT allow these providers to use your data to train their AI models. Data is processed in real-time and not retained by the AI providers beyond the duration of the API call.

Data Storage and Security

Encryption

  • Encryption in transit: All data transmitted between your browser, our servers, and third-party services is encrypted using TLS/HTTPS.
  • Encryption at rest: All database data is encrypted at rest using AES-256. Sensitive credentials (email passwords, Shopify access tokens) are additionally encrypted with AES-256-GCM before storage.
  • Backup encryption: All database backups are encrypted using the same AES-256 encryption standards.

Infrastructure

  • Database hosted on Supabase (PostgreSQL) with Row-Level Security (RLS) policies enforcing strict multi-tenant isolation—each merchant can only access their own data.
  • Web application hosted on Vercel with automatic HTTPS and DDoS protection.

Environment Separation

We maintain strict separation between test/development environments and production environments. Test data and production data are stored in separate database instances. No real customer data is used in testing or development.

Data Loss Prevention

We maintain a comprehensive data loss prevention strategy including: automated daily database backups with point-in-time recovery, database replication for high availability, monitoring and alerting for anomalous data access patterns, and regular review of access controls and permissions.

Access Controls

Staff Access Limitations

Access to customer personal data is strictly limited to authorized personnel who require it for service operation and support. We follow the principle of least privilege—staff members only have access to the minimum data necessary for their role.

Authentication and Passwords

All staff accounts require strong passwords (minimum 12 characters with complexity requirements) and multi-factor authentication (MFA). Service accounts use API keys with scoped permissions.

Access Logging

We maintain comprehensive audit logs of all access to personal data, including who accessed the data, when, and what operations were performed. These logs are retained for 12 months and reviewed regularly for anomalies.

Security Incident Response

We maintain a security incident response policy that includes:

  • Defined procedures for identifying, containing, and remediating security incidents
  • Notification of affected merchants within 72 hours of discovering a data breach
  • Post-incident review and documentation to prevent recurrence
  • Coordination with Shopify and relevant authorities as required

Data Sharing

We do NOT sell, rent, or trade your data. We share data only with:

  • Infrastructure providers: Supabase (database), Google Cloud (Gemini AI), OpenAI (embeddings), Vercel (hosting)—solely for service operation
  • Shopify: We access your store data via their official API with your explicit consent
  • Legal requirements: If required by law, court order, or government regulation

Data Retention

We enforce retention periods to ensure personal data is not kept longer than necessary:

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Support ticket data: Retained for 12 months after last activity, then automatically deleted.
  • Audit logs: Retained for 12 months, then automatically deleted.
  • AI-generated content: Deleted when the associated ticket data is deleted.
  • Shopify customer/redact: We honor Shopify's mandatory privacy webhooks and delete customer data within 30 days of receiving a redaction request.
  • Shopify shop/redact: We delete all store data within 30 days of app uninstallation.

Your Rights

You have the right to:

  • Request data export: We honor Shopify customers/data_request webhooks and can provide a copy of your data in JSON format.
  • Request data deletion: We honor Shopify customers/redact and shop/redact webhooks, deleting data within 30 days.
  • Disconnect integrations: Revoke our access to your Shopify store or email account at any time from your settings.
  • Delete your account: Permanently delete your DropSupport account and all associated data.
  • Withdraw consent: You may withdraw consent for data processing at any time by disconnecting integrations or deleting your account.

Contact

For privacy-related questions, data requests, security concerns, or to exercise any of your rights, contact us at:
support@meridianstudio.dev

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the service after changes constitutes acceptance of the updated policy.