TrainDrop

Privacy Policy

Effective Date: March 19, 2026

TrainDrop ("we," "us," or "our") is committed to protecting the privacy of our users and their employees. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.

This policy applies to two types of users: Account Users (business owners or managers who create a TrainDrop account) and Team Members (employees who access training content through links shared by an Account User). Both types are covered by this policy.

Contents

  1. 1. Information We Collect
  2. 2. How We Collect Information
  3. 3. How We Use Your Information
  4. 4. AI Processing of Your Content
  5. 5. Employee and Team Member Data
  6. 6. Third-Party Services and Data Sharing
  7. 7. Data Storage and Security
  8. 8. Data Retention and Deletion
  9. 9. Your Rights and Choices
  10. 10. Cookies and Tracking Technologies
  11. 11. Children's Privacy
  12. 12. California Residents (CCPA)
  13. 13. International Users and GDPR
  14. 14. Changes to This Policy
  15. 15. Contact Us

1. Information We Collect

A. Account Users (Business Owners and Managers)

When you create and use a TrainDrop account, we collect:

  • Account information: email address, business name, and password (stored as a secure hash — we never store your plain-text password)
  • Payment information: billing details are collected and stored by Stripe, our payment processor. We store only a Stripe customer ID — we never see or store your full credit card number
  • Subscription data: your plan tier, billing history, and trial status

B. Team Members (Employees)

When an Account User adds employees to TrainDrop, we collect and store the following on their behalf:

  • Name and email address (provided by the Account User, not the employee directly)
  • Training activity: whether they viewed and completed each module, timestamps of completion, and time spent on each module
  • Link access data: when they clicked training links and basic device/browser metadata at the time of access

Team Members do not create TrainDrop accounts. Their data is entered by the Account User (their employer) and associated with that Account User's account.

C. Content You Upload

We collect and process content you upload, including:

  • Video files uploaded via your browser (stored in Supabase Storage)
  • Audio files extracted from video in your browser before upload (used for transcription, then retained as part of the module)
  • PDF and DOCX files you import for SOP generation
  • Typed text — notes or process descriptions you enter directly

D. Automatically Collected Information

When you use the Service, we automatically collect:

  • Log data: IP address, browser type, operating system, pages visited, and time and date of access
  • Device information: browser version, screen size, and device type
  • Cookies and similar tracking technologies (see Section 10)

2. How We Collect Information

  • Directly from you when you create an account, add team members, or upload content
  • Automatically when you interact with the Service (via cookies and server logs)
  • From your employees when they click training links (limited to access timestamps and completion events)
  • From Stripe when you complete a payment transaction (Stripe confirms payment status; we do not receive raw card data)

3. How We Use Your Information

We use your information to:

  • Create and manage your account and subscription
  • Process your uploaded content using AI to generate training modules
  • Send training links to your team members and record their completion
  • Send transactional emails (account confirmation, password reset, and team member training invitations)
  • Process payments and manage billing
  • Provide customer support
  • Monitor for abuse, fraud, and security threats
  • Comply with legal obligations
  • Improve the Service using aggregated, anonymized usage data

We do not sell your personal information to third parties. We do not use your content or your employees' data to train AI models.

4. AI Processing of Your Content

When you upload a video or document to TrainDrop, portions of that content are sent to third-party AI services for processing. Here is exactly what each service receives:

OpenAI Whisper — Transcription

Audio extracted from your video is sent to OpenAI's Whisper API for speech-to-text transcription. OpenAI receives the audio file and returns a text transcript. OpenAI does not receive the original video file.

Anthropic Claude — SOP Generation

The transcript text (or your typed notes) is sent to Anthropic's Claude API to generate a structured SOP. Anthropic receives text only — not the original video or audio file.

Video Processing — Encoding and Captions

Your video file is processed using FFmpeg for encoding and caption-burning. This processing occurs on server infrastructure and does not involve sharing your video with an AI language model.

As of the effective date of this policy, neither OpenAI nor Anthropic uses data submitted via their APIs to train their models by default. However, you should review their respective privacy policies for the most current information.

5. Employee and Team Member Data

This section specifically addresses how we handle data about the employees you add to TrainDrop.

You control your employees' data. As an Account User, you are the data controller for your employees' personal information stored in TrainDrop. TrainDrop acts as a data processor, handling that data on your behalf and according to your instructions.

Your responsibilities. By adding employee data to TrainDrop, you represent that you have the appropriate authority — and, where required by law, consent — from your employees to collect and process their names, email addresses, and training activity data.

What we collect about employees. Name (provided by you), email address (provided by you), training link access timestamps, module completion status, and time spent on each module.

How employees access training. Employees receive email links containing unique access tokens. They access training content through these links without creating a TrainDrop account. The token is tied to their email address so completion can be recorded.

Employee data deletion. An employee who wants their data removed should contact you (their employer). You can delete individual employee records from the team management section of your dashboard, or you can delete your entire account to remove all associated employee data.

6. Third-Party Services and Data Sharing

We share your information with the following third-party services as necessary to provide the Service. Each service operates under its own privacy policy.

Supabase

Purpose: Database, authentication, and file storage

Data shared: All account data, uploaded files, team member records, and completion data

Vercel

Purpose: Application hosting and serverless functions

Data shared: Request metadata and server logs

Anthropic (Claude API)

Purpose: AI-powered SOP generation and text refinement

Data shared: Transcription text and typed notes — no video or audio

OpenAI (Whisper API)

Purpose: Audio transcription

Data shared: Audio files extracted from uploaded videos

Replicate

Purpose: Video processing and encoding

Data shared: Video files

Stripe

Purpose: Payment processing

Data shared: Billing details and payment transaction data

Resend

Purpose: Transactional email delivery

Data shared: Team member names, email addresses, and email content

We do not share your personal information with any other third parties except:

  • When required by law, court order, or governmental authority
  • To protect the rights, safety, or property of TrainDrop, its users, or the public
  • In connection with a merger, acquisition, or sale of assets, with prior notice to you

7. Data Storage and Security

All TrainDrop data is stored in the United States on Supabase infrastructure (hosted on AWS). Uploaded files — videos, audio, and documents — are stored in Supabase Storage.

Security measures we use:

  • All data in transit is encrypted via HTTPS/TLS
  • Passwords are hashed using industry-standard bcrypt — we never store plain-text passwords
  • Database access is restricted and authenticated
  • Supabase Row Level Security (RLS) ensures each account can only access its own data
  • Employee training links use unique, cryptographically generated tokens

While we take security seriously and follow industry best practices, no system is perfectly secure. We cannot guarantee the absolute security of your data. In the event of a security breach that affects your personal data, we will notify you as required by applicable law.

8. Data Retention and Deletion

  • Active accounts: Your data is retained as long as your account is active.
  • After cancellation: If you cancel your subscription, your account enters a paused state and your data is retained for 90 days, after which it is permanently deleted.
  • Account deletion: If you delete your account from your settings, all data — including modules, videos, employee records, and completion data — is permanently deleted within 30 days.
  • Uploaded files: Video and audio files are deleted when you delete the associated module or close your account.
  • Billing records: We may retain certain billing and transaction records longer than 90 days as required by tax and accounting laws.
  • Anonymized data: We may retain aggregated, anonymized usage statistics indefinitely for business analytics. This data cannot be linked back to you.

9. Your Rights and Choices

Depending on where you live, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information ("right to be forgotten").
  • Portability: Request a copy of your data in a portable, machine-readable format.
  • Objection: Object to certain processing of your data in circumstances where we rely on legitimate interests as our legal basis.

To exercise any of these rights, email us at privacy@traindrop.app. We will respond within 30 days. For many account-level actions, you can also manage your data directly in your account settings.

Team Members (employees) who want to access, correct, or delete their data should contact their employer (the Account User who added them to TrainDrop), as the employer controls that data.

10. Cookies and Tracking Technologies

TrainDrop uses cookies and similar technologies as follows:

Essential cookies

Required for the Service to function. These include authentication tokens (session cookies) that keep you logged in. You cannot disable essential cookies without preventing login.

Analytics

We may use privacy-respecting analytics tools to understand aggregate usage patterns (for example, which features are most used). These do not track you across other websites.

Third-party cookies

Stripe and other third-party services may set their own cookies when you interact with payment or other embedded features. These are governed by their respective privacy policies.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will prevent you from logging in to the Service.

11. Children's Privacy

TrainDrop is not directed at children under the age of 13 and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected personal information from a child under 13, please contact us at privacy@traindrop.app and we will delete it promptly.

Employees under 18: Some businesses that use TrainDrop — such as restaurants, retail stores, or family-owned businesses — may employ workers under the age of 18. If your team members include minors, you are responsible for: (a) ensuring appropriate parental or guardian consent has been obtained where required by applicable law, and (b) complying with all laws in your jurisdiction governing the collection of personal information from minors. TrainDrop does not independently verify the ages of Team Members.

12. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights.

Categories of personal information we collect (from Account Users): identifiers (name, email address, IP address); commercial information (subscription and billing data); internet or other electronic network activity (usage logs, pages visited); and inferences drawn from the above.

Your CCPA rights:

  • Right to know: request disclosure of the personal data we have collected about you and how we use and share it
  • Right to delete: request deletion of your personal data, subject to certain legal exceptions
  • Right to opt out of sale: TrainDrop does not sell your personal information
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights

To exercise your rights, email privacy@traindrop.app. We will verify your identity before responding.

Shine the Light: California residents may request information about any sharing of personal information with third parties for their direct marketing purposes under California Civil Code Section 1798.83. TrainDrop does not share personal information with third parties for direct marketing purposes.

13. International Users and GDPR

TrainDrop is operated from the United States. If you are accessing the Service from the European Union, European Economic Area, or United Kingdom, please be aware that your data will be transferred to and processed in the United States, which may not have the same data protection laws as your country.

Legal basis for processing (GDPR):

  • Contract performance: processing necessary to provide the Service you requested (account management, training module generation)
  • Legitimate interests: service improvement, security monitoring, and fraud prevention
  • Legal obligation: compliance with applicable law

Your GDPR rights include the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise these rights, email privacy@traindrop.app.

Data Processing Addendum (DPA): If you are an EU/EEA business that adds EU-based employees to TrainDrop, you may be required under GDPR to have a data processing agreement in place with us. Contact privacy@traindrop.app to request a DPA.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Post the updated policy on this page with a new effective date
  • Send an email notification to your account email address

Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you do not agree to the changes, you must stop using the Service.

15. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Privacy inquiries: privacy@traindrop.app

General support: support@traindrop.app

Location: Lincoln, Nebraska, United States

← Back to TrainDrop