Internal Compliance Check
Version: 1.0.0 | Last Reviewed: April 3, 2026
This internal document outlines Drophunt's processes for ensuring data protection and compliance with global privacy regulations.
1. Data Protection Officer (DPO)
The appointed Data Protection Officer for Drophunt is:
- Name: Blu-Bot
- Contact: juangreycat@proton.me
- Responsibilities: Overseeing data security, responding to privacy inquiries, and managing data deletion requests.
2. Data Deletion Protocol
We follow a strict protocol for "Right to be Forgotten" requests (GDPR compliance):
- Verification: Confirm the identity of the user making the request via Clerk authentication.
- Execution: Manually delete all rows in Supabase associated with the user's Clerk user_id.
- Third-Party Cleanup: Ensure any user-specific data is purged from Resend and logs.
- Confirmation: Notify the user once the deletion is complete (within 30 days).
3. Data Processing Map
- Client Side: Clerk captures and manages identity.
- Server Side: Next.js Route Handlers process data through Anthropic (Claude) and Firecrawl.
- Persistence Layer: Supabase stores structured data.
- Notification Layer: Resend handles transactional and alert emails.
4. Security Measures
- Encryption at Rest: Handled by Supabase.
- Encryption in Transit: All communications between the client, the Next.js server, and third-party services (Clerk, Supabase, Anthropic, Firecrawl, Resend) are performed over HTTPS.
- Environment Secrets: All API keys are managed via Vercel Environment Variables.
5. Automated Decision-Making & Human Oversight
Drophunt uses LLM-based agents (Anthropic Claude) to interpret webpage data. Users can manually override or report incorrect price detections. We perform periodic audits of AI-extracted data to ensure fairness and accuracy in line with Ontario's 2026 Principles for Responsible AI.
6. Continuous Monitoring
- Regular audits of Supabase RLS (Row Level Security) policies to ensure data isolation.
- Periodic review of third-party API usage and privacy updates.
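The following SQL is an added illustration of two items above, the Execution step of the Data Deletion Protocol (section 2) and the Supabase RLS audit (section 6); it is not Drophunt's own schema or migrations. It assumes a hypothetical table public.price_alerts with a text column clerk_user_id, and that Clerk's JWT is presented to Supabase so that auth.jwt() ->> 'sub' carries the Clerk user_id; the user_id value shown is a placeholder.

```sql
-- Added example, not part of Drophunt's code base.
-- Assumptions: public.price_alerts (hypothetical) has a clerk_user_id text column,
-- and Supabase receives Clerk's JWT so auth.jwt() ->> 'sub' is the Clerk user_id.

-- Section 6: the isolation policy an RLS audit should find on every user-data table.
alter table public.price_alerts enable row level security;

create policy "price_alerts_owner_only"
  on public.price_alerts
  for all
  to authenticated
  using ((auth.jwt() ->> 'sub') = clerk_user_id)        -- rows a user may read/update/delete
  with check ((auth.jwt() ->> 'sub') = clerk_user_id);  -- rows a user may insert/update into

-- Audit query: any ordinary table in the public schema with RLS still disabled.
-- An empty result is the expected outcome of the periodic audit.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- Section 2, Execution step: remove every row tied to one Clerk user_id inside a single
-- transaction so a partial deletion is never left behind. Run with a privileged role
-- (Supabase service_role bypasses RLS) only after the Verification step has confirmed
-- the requester owns this user_id. 'user_PLACEHOLDER' stands in for the real Clerk user_id.
begin;
  delete from public.price_alerts
    where clerk_user_id = 'user_PLACEHOLDER';
  -- Repeat the delete for every other table that stores clerk_user_id, then confirm
  -- nothing remains before notifying the user (Confirmation step).
  select count(*) as remaining_rows
    from public.price_alerts
    where clerk_user_id = 'user_PLACEHOLDER';
commit;
```

The audit query relies on pg_class.relrowsecurity, so it reports tables where RLS was never enabled but not tables whose policies are too permissive; reviewing the policy expressions themselves (pg_policies) is still part of the audit.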