Paytronic
DropZone

Privacy Policy

How DropZone protects your privacy and handles your data. Learn about our privacy-first approach and data security practices.

Effective date: September 12, 2025
Applies to: The DropZone Chrome extension

1) Who we are

Controller for extension operations: Paytronic LLC
Address: 9304 Ashbourne Dr, Sandy, UT 84094
Email: cory@paytronic.com

This policy describes how the DropZone extension handles personal data.

2) How DropZone works

  • Client only. No vendor servers.
  • You capture files, links, page URLs, and notes.
  • The extension writes content to your Google Drive and Google Sheets.
  • Authentication uses the Chrome Identity API.
  • We do not collect browsing history. We act only on user actions.

3) Roles

  • Customer content in Google Drive and Sheets: You are the controller.
    • If you use Google Workspace, Google acts as your processor under your Workspace terms.
    • If you use a personal Google Account, Google may act as an independent controller for its services.
  • Extension operations and support communications: Paytronic LLC is the controller for minimal account data and support messages.

4) Data we process

4.1 User-provided content

  • Files you drop or upload.
  • Links and current page URLs you capture.
  • Plain-text notes and descriptions.
  • Metadata such as timestamps, titles, file sizes, file types, and URLs.
    Storage location: Your Google Drive and your Google Sheet.

4.2 Account identifiers

  • Google profile name, email, and profile image URL.
    Purpose: Sign-in, UI display, and to identify your Google account.
    Storage: Not stored on our servers. May be cached locally by Chrome for the active session. Profile images load from lh3.googleusercontent.com.

4.3 Local extension data

  • Extension settings.
  • IDs for the target Drive folder and log Sheet.
    Storage: chrome.storage on your device.
    Deletion: Cleared on uninstall. You can also sign out to reset state.

4.4 Authentication tokens

  • Obtained via the Chrome Identity API on demand.
  • Tokens are cached by Chrome.
  • We do not store tokens in chrome.storage.
  • On sign out we call chrome.identity.removeCachedAuthToken and revoke tokens with Google.

4.5 Device and network data

  • When the extension calls Google APIs or loads Google Fonts or profile images, your browser sends IP address, user agent, and request headers to those services.
  • We do not receive or store server logs for these calls.

4.6 Support communications

  • If you email us, we process your contact details and message contents to respond.

We do not sell data. We do not share data for cross-context behavioral advertising. We do not run analytics or ads.

5) Purposes and legal bases

  • Provide the extension’s core features.
  • Authenticate the user.
  • Maintain security and abuse prevention.
  • Offer user support.

EEA and UK legal bases: performance of a contract, legitimate interests, or consent where required.

6) Chrome and Google permissions in use

Chrome permissions

  • identity: obtain Google OAuth tokens using Chrome Identity.
  • storage: save extension settings and selected Drive and Sheet IDs.
  • sidePanel: render the extension UI.
  • activeTab: capture the current tab’s URL and title when you click capture.
  • tabs: used to access tab information for page capture and UI. We do not read your full browsing history.

Host permissions and endpoints

  • https://www.googleapis.com/* for Google APIs including Drive and Sheets.
  • https://fonts.googleapis.com/* and https://fonts.gstatic.com/* for UI fonts.
  • https://lh3.googleusercontent.com/* for profile images.
    Chrome Identity may contact Google authentication endpoints as part of sign-in.

Google OAuth scopes

  • https://www.googleapis.com/auth/drive.file to create and manage files the extension creates.
  • https://www.googleapis.com/auth/drive.readonly to read Drive metadata during user-initiated actions such as selecting an existing folder or confirming a target location. We do not scan Drive in the background.
  • https://www.googleapis.com/auth/spreadsheets to write rows to your log Sheet and read the Sheet when needed for display.
  • https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile to identify your Google account and show your profile.

We apply least privilege in practice. All Drive and Sheet access is triggered by your actions.

7) Storage, retention, and deletion

  • Your content: Lives only in your Google Drive and Sheet until you delete it.
  • Local extension data: Remains until you sign out or uninstall, then it is cleared.
  • Tokens: Cached by Chrome, removed on sign out or revoke.
  • Support emails: Retained as needed to resolve your request, then archived per our retention policy.

You can delete Drive files, Sheets rows, or the DropZone folder at any time.

8) Security

  • Manifest V3 service worker.
  • All API calls use HTTPS.
  • Tokens managed by Chrome Identity. No refresh tokens stored by the extension.
  • No remotely hosted executable code is executed by the extension.
  • We review requested permissions and scopes and keep them minimal for the feature set.

9) Google API Services and Limited Use

DropZone’s use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Google data only to provide the features you request.
  • We do not sell or transfer Google user data to third parties.
  • We do not allow human access to your Google content except if you explicitly ask for support and grant temporary access.
  • We do not use Google user data for advertising.

10) International data transfers

We do not operate servers that store your content. Your Google content remains in your Google account and is subject to your Google or Google Workspace data region settings. Google may process data on servers outside your region as described in its terms.

11) Subprocessors and third-party services

We do not engage subprocessors to store or process your content.
Your browser connects directly to:

  • Google Drive and Google Sheets APIs.
  • Google Identity and OAuth endpoints.
  • Google Fonts CDN.
  • Google profile image CDN.

These services receive network metadata when requested by your browser.

12) Data subject and consumer rights

You can exercise rights under GDPR, UK GDPR, and US state laws.

  • Access, correction, deletion. You can access or delete content in Drive or Sheets directly. You can also contact us for any account data we hold.
  • Portability. Export your content from Drive or Sheets.
  • Restriction or objection. Contact us to request restriction or object to processing where applicable.
  • California. We do not sell or share personal information. You may submit requests to know, delete, or correct. We acknowledge requests within 10 business days and respond within 45 days.
  • EEA and UK. We respond without undue delay and within one month.

Submit requests to cory@paytronic.com. We will verify your identity before acting.

13) Children

The extension is not directed to children under 13, or under the age required by local law. We do not knowingly collect data from children.

14) Breach notification

If we become aware of a personal data breach affecting data we control, we will notify affected users without undue delay. Where GDPR applies, we will notify the competent supervisory authority within 72 hours when required.

15) Enterprise controls

Administrators can:

  • Force-install or block the extension using Chrome Enterprise policies.
  • Restrict OAuth scope access using Google Workspace App Access Control.
  • Control which Google accounts can sign in.

Contact us for deployment guidance if needed.

16) Changes to this policy

We will post updates in this document with a new effective date. Material changes will be highlighted.

17) Contact

Privacy contact: cory@paytronic.com
Postal address: Paytronic LLC, 9304 Ashbourne Dr, Sandy, UT 84094

18) California notice at collection

Categories collected

  • Identifiers. Google account name, email, profile image URL.
  • Internet or network activity. Requests your browser sends to Google APIs, Fonts, and profile image endpoints.
  • User content. Files, links, notes, and metadata that you instruct the extension to write to your Google Drive and Sheet.

Sources
Directly from you and from your Google account after you sign in.

Business purposes
Provide the extension, authenticate, write to your Drive and Sheets, show UI elements.

Retention

  • User content remains in your Google account until you delete it.
  • Local settings remain until sign out or uninstall.
  • Tokens are cached by Chrome and removed on sign out or revoke.
  • Support emails are retained as needed to resolve requests.

Sale or sharing for cross-context advertising
No.

19) Definitions

  • Customer content: Files, links, notes, and metadata you direct the extension to save.
  • Local extension data: Settings and identifiers stored in Chrome on your device.
  • Google user data: Data accessed via Google APIs under the scopes listed above.

Terms of Service

Legal terms and conditions for using DropZone Chrome extension. Learn about your rights, responsibilities, and our service agreement.

Notion Sidecar

Coming soon - A powerful companion tool for Notion users.