GDPR Compliance

Effective Date: January 1, 2026
Last Updated: March 21, 2026

1. Introduction

Ampium LLC, the operator of Hotdrop, is committed to protecting the privacy and personal data of users in the European Economic Area (EEA), United Kingdom, and Switzerland.

This page explains how we comply with the General Data Protection Regulation (GDPR) and your rights as a data subject under the GDPR.

2. Data Controller Information

Data Controller:
Ampium LLC
1085 Herkness Drive
Meadowbrook, PA 19046
United States

Contact:
Email: privacy@hotdrop.ai
Privacy Contact: privacy@hotdrop.ai

3. Legal Basis for Processing

We process your personal data under the following legal bases:

3.1 Contractual Necessity (Article 6(1)(b))

Processing is necessary to perform our contract with you, including:

  • Creating and managing your account
  • Providing AI-powered content optimization services
  • Processing credit transactions and subscription payments
  • Providing customer support

3.2 Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate interests, including:

  • Improving the Service and developing new features
  • Analyzing usage patterns to enhance user experience
  • Preventing fraud, abuse, and security threats
  • Conducting business analytics

3.3 Legal Obligations (Article 6(1)(c))

Processing is necessary to comply with legal obligations, such as:

  • Retaining financial records for tax purposes
  • Complying with lawful requests from authorities
  • Maintaining audit logs for compliance purposes

3.4 Consent (Article 6(1)(a))

For certain optional processing activities (e.g., marketing communications), we obtain your explicit consent. You may withdraw consent at any time without affecting other processing.

4. What Personal Data We Collect

Category | Data Types | Legal Basis
Identity Data | Name, email, user ID | Contractual necessity
Authentication | Passwords, OAuth tokens | Contractual necessity
Content Data | Posts, emails, comments | Contractual necessity
Usage Data | Features used, credits | Legitimate interests
Technical Data | IP address, browser info | Legitimate interests
Calendar Data | Event titles, descriptions, attendee names and emails, start/end times | Contractual necessity
Relationship Intelligence | Contact and company records derived from calendar attendees, publicly available research signals | Legitimate interests
Style Learning | Edits to AI outputs, writing style metrics | Contractual necessity

5. International Data Transfers

Hotdrop is operated from the United States. Your personal data will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

5.1 Safeguards

For data transfers from the EEA, UK, and Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs): European Commission-approved clauses for data transfers
  • Data Processing Agreements: With all third-party processors including Google Cloud, Google, OpenAI, Anthropic, and xAI
  • Encryption: Data in transit (TLS/SSL) and at rest
  • Access Controls: Strict authentication and authorization mechanisms

6. Your Rights Under GDPR

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

6.1 Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and obtain a copy of your data.

How to Exercise: Use "Export My Data" in Settings → Privacy & Data, or email privacy@hotdrop.ai.

6.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

How to Exercise: Update your information in Settings → Account.

6.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances.

How to Exercise: Use "Delete My Account" in Settings → Privacy & Data.

Grace Period: Account deletion requests are subject to a 7-14 day grace period. After this period, your data is permanently deleted.

6.4 Right to Restriction of Processing (Article 18)

You have the right to request that we limit how we use your personal data in certain circumstances.

How to Exercise: Contact privacy@hotdrop.ai.

6.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your AI generation history (inputs and outputs from the past 90 days) in JSON format. For a broader data summary, contact us.

How to Exercise: Use "Export My Data" in Settings → Privacy & Data, or email privacy@hotdrop.ai.

6.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

How to Exercise: Contact privacy@hotdrop.ai.

6.7 Right to Withdraw Consent (Article 7(3))

If we process your data based on consent, you may withdraw that consent at any time.

6.8 Right to Lodge a Complaint (Article 77)

You have the right to file a complaint with a supervisory authority in your country if you believe we have violated the GDPR.

7. Data Retention

Data Type | Retention Period | Reason
User Inputs | 90 days | Privacy & data minimization
AI Outputs | Indefinitely (unless deleted) | Service functionality
Account Info | While account is active | Service provision
Credit Ledger | Indefinitely | Audit & billing compliance
Calendar Events | Deleted shortly after meeting end | Data minimization
Contact & Company Records | Until manually deleted or account deletion | Service functionality
Style Learning Data | Indefinitely (until account deletion) | Service personalization
AI-Generated Images | 30 days | Data minimization
Deleted Account | 7-14 day grace period | User control & privacy

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: TLS 1.3 for data in transit, AES-256 for sensitive data at rest
  • Access Controls: Role-based access controls (RBAC)
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: Continuous monitoring for security threats
  • Staff Training: GDPR and privacy training for employees
  • Incident Response: Procedures for detecting and reporting data breaches

Data Breach Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and notify affected individuals if the breach poses a high risk.

9. Third-Party AI Processors

Your content is processed by third-party AI providers. The specific provider used may vary based on the nature of your request, and we may change providers at any time to improve service quality. We do not authorize any provider to use your content for their own model training purposes.

9.1 Google (Google LLC)

  • Purpose: AI content generation and optimization
  • Data Shared: Content you submit for processing
  • Safeguards: Data Processing Agreement, Standard Contractual Clauses
  • Privacy Policy: Google Privacy Policy

9.2 OpenAI (OpenAI, L.L.C.)

  • Purpose: AI content generation and optimization
  • Data Shared: Content you submit for processing
  • Safeguards: Data Processing Agreement, Standard Contractual Clauses
  • Privacy Policy: OpenAI Privacy Policy

9.3 xAI (xAI Corp.)

  • Purpose: AI content generation, optimization, and meeting brief research using publicly available signals from news and other open sources
  • Data Shared: Content you submit for processing; meeting context for brief generation
  • Safeguards: Data Processing Agreement, Standard Contractual Clauses
  • Privacy Policy: xAI Privacy Policy

9.4 Anthropic (Anthropic, PBC)

  • Purpose: AI content generation and optimization
  • Data Shared: Content you submit for processing
  • Safeguards: Data Processing Agreement, Standard Contractual Clauses
  • Privacy Policy: Anthropic Privacy Policy

10. Contact and Requests

To exercise your rights or ask questions about our GDPR compliance:

Email: privacy@hotdrop.ai (include "GDPR Request" in the subject line)
Mail: Ampium LLC, Attn: Privacy Team, 1085 Herkness Drive, Meadowbrook, PA 19046
Response Time: We will respond to requests within 30 days as required by the GDPR

Ampium LLC is committed to transparency, accountability, and protecting your personal data in accordance with the GDPR.

Hotdrop is a product of Ampium LLC.

© 2026 Ampium LLC. All rights reserved.