Last updated · February 2026
We collect the minimum data needed to run The Drop Calendar. If you never sign in, we store nothing about you on our servers — your watchlist lives only in your browser.
If you sign in with Google, we store your email, name, and profile picture so we can sync your watchlist and (optionally) email you launch reminders.
We don't sell your data. We don't run ads. We don't share your data with third parties except the strict service providers listed below.
The Drop Calendar uses a small number of processors, each strictly for a stated purpose:
We use one first-party cookie: a session token (httpOnly, Secure, SameSite=None) that keeps you signed in for 7 days. It is not used for tracking or advertising.
We do not use third-party analytics or advertising cookies.
You can, at any time:
Account data: kept while your account is active. Deleted within 30 days of an account-deletion request.
Session tokens: expire after 7 days automatically.
Server logs: rotated within 30 days.
Aggregated interaction counters (poll votes, hype meter): retained indefinitely because they're not tied to any individual.
The Drop Calendar is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us information, please contact us and we will delete it.
All traffic is served over HTTPS. Passwords are never stored (Google OAuth). Session cookies are httpOnly and Secure. Access to the database is restricted to the backend service.
No system is perfectly secure. We aim to disclose any material breach to affected users within 72 hours of discovery.
If we make material changes, we will update the 'Last updated' date and, for signed-in users, surface a one-time notice in the app before the changes take effect.
Questions, deletion requests, or data exports: reach the maintainer directly at the email associated with the admin account. Response time is typically within a few business days.