DropIn

Privacy Policy

Last updated: May 9, 2026

Your privacy is important to us. That might be the kind of thing all these notices say, but we mean it. You place your trust in us by using DropIn services, and we value that trust. That means we are committed to protecting and safeguarding any personal data you give us. We act in our customers' interest and are transparent about the processing of your personal data.

This document describes how we use and process your personal data, provided in a readable and transparent manner. It also tells you what rights you can exercise in relation to your personal data (such as the right to object) and how to contact us. Please also read our Cookie Statement, which tells you how DropIn uses cookies and other similar technologies.

DropIn Platform Role: DropIn processes personal data exclusively as a technology service provider facilitating transactions between users and independent Providers. DropIn is not a child care provider, does not deliver care services, and does not use personal data to make care-related decisions. DropIn acts as a passive data transmission and hosting service — data collected from Parent/Guardian is transmitted to the selected independent Provider without review, interpretation, or decision-making by DropIn.

Important — Platform Is a Tool Only: The DropIn platform is a neutral technology tool that enables users to independently search for and book independent child care providers. DropIn does not provide child care, does not guarantee the quality or safety of any Provider, and does not owe any duty of care to users or their children. This Privacy Policy describes how DropIn processes personal data solely in connection with marketplace functionality — not in connection with the delivery of child care services.

We may amend this Privacy Policy v12 from time to time. If we make changes to the Privacy Policy which will have an impact on you (e.g. if we intend to process your personal data for other purposes than previously communicated), we will notify you of these changes before the new activities begin.

If you disagree with this Privacy Policy v12, you should discontinue using our services. If you agree with our Privacy Policy, then you are all set to book your next Child Care Provider through the DropIn marketplace.

Contact our Data Protection Officer at any time: [email protected]

Terms Used in This Privacy Policy

"Child Care" refers to the various different child care services that can be ordered, acquired, purchased, bought, paid, rented, provided, reserved, combined, or consummated by you from the Child Care Provider.

"Child Care Provider" refers to the provider of Child Care Services (Day Care, Home Child Care, Child Care Center), and any other child care provider related service as from time to time available for Child Care Reservation on the platform.

"Child Care Service" refers to the online purchase, order, (facilitated) payment, or reservation service as offered or enabled by DropIn in regard to various products and services as from time to time made available by Child Care Providers on the platform.

"Child Care Reservation" refers to the order, purchase, payment, booking, or reservation of a Child Care Service.

1. What Personal Data Does DropIn Collect?

We cannot help you find the right Child Care Provider without information, so when you use our services there are certain things we ask for. This is typically routine info — your name, preferred contact details, the names of the children on the booking, and your payment info. You might also decide to submit additional info related to your upcoming Child Care booking (e.g. your anticipated arrival time).

In addition to this, we also collect info from the computer, phone, tablet, or other device you use to access our services. This includes the IP address, the browser used, and your language settings. There are also situations when we receive info about you from others or automatically collect other info.

Personal data you give to us directly

DropIn collects and uses the info you provide us. When you make a Child Care Reservation, you are (at a minimum) asked for your name and email address. Depending on the Child Care Reservation, we might also ask for your home address, phone number, payment info, date of birth, the names of Children on the DropIn Booking, health information and medical data relevant to the care of your child, and any preferences (e.g. dietary restrictions, mobility restrictions, or medical needs) you have for your Child Care.

If you need to get in touch with our customer service team, contact your Child Care Provider through us, or reach out to us in a different way (e.g. social media), we will collect info from you there, too. This applies whether you are contacting us with feedback or asking for help using our services.

You might also be invited to write reviews to help inform others about the experiences you had on your Child Care. When you write a review on the DropIn platform, we will collect any info you have included, along with your display name and avatar (if you choose one).

There are other instances where you will provide us with info, as well. For example, if you are browsing with your mobile device, you can decide to allow DropIn to see your current location or grant us access to your contacts. This helps us give you the best possible service and experience by, for example, showing you Child Care options close to your location, or making other recommendations.

If you create a user account, we will also store your personal settings, uploaded photos, and reviews of previous bookings. This saved data can be used to help you plan and manage future Child Care Reservations or benefit from other features only available to account holders, such as incentives or other benefits. We may offer you referral programs or sweepstakes. Participating in these will involve providing us with relevant personal data.

Personal data you give us about others

Of course, you might not just be making a Child Care Reservation for yourself. You might be making a reservation on someone else's behalf. In both scenarios, you will provide their details as part of the Child Care Reservation.

In some cases, you might use DropIn to share info with others. This can take the form of sharing a wish list or participating in a referral program, as described when you use the relevant feature. At this point, we have to make it clear that it is your responsibility to ensure that the person or people you provide personal data about are aware that you have done so and that they have understood and accepted how DropIn uses their info (as described in this Privacy Policy v12).

Personal data we collect automatically

Whether or not you end up making a Child Care Reservation, when you visit our websites or apps, we automatically collect certain info. This includes your IP address, the date and time you accessed our services, the hardware, software, or internet browser you used, and info about your computer's operating system like application versions and your language settings. We also collect information about clicks and which pages were shown to you.

If you are using a mobile device, we collect data that identifies the device, as well as data about your device-specific settings and characteristics, app crashes, and other system activity. When you make a Child Care Reservation using this kind of device, our system registers how you made your reservation (on which website), and/or which site you came from when you entered the DropIn website or app.

Personal data we receive from other sources

It is not just the things you tell us, though — we may also receive info about you from other sources. These include business partners, such as affiliate partners, subsidiaries of the DropIn corporate group, other affiliates of the DropIn AI Inc. corporate group, and other independent third parties.

Anything we receive from these partners may be combined with info provided by you. For example, DropIn Child Care Reservation services are not only made available via DropIn and the DropIn apps, but are also integrated into services of affiliate partners you can find online. When you use any of these services, you provide the reservation details to our business partners who then forward your details to us.

We also integrate with third party service providers to facilitate payments between you and Child Care Providers. These service providers share payment information, so we can administer and handle your Child Care Reservation, making sure everything goes as smoothly as possible for you.

We also collect info when we receive a complaint about you from a Child Care Provider (e.g. in the case of misconduct). Another way we might receive data about you is through the communication services integrated into our platforms. These communication services offer you a way to contact the Child Care Provider you have booked with to discuss your booking. In some cases, we receive metadata about these communication activities (e.g. who you are, where you called from, and the date and length of the call).

We may also receive info about you in order to show you more relevant ads, such as the additional cookie data DropIn social media partners make available to us. When you link your DropIn user account to a social media account, you might exchange data between DropIn and that social media provider. You can always choose not to share that data. Child Care Providers may share info about you with DropIn, too. This could happen if you have support questions about a pending Child Care Reservation, or if disputes or other issues arise about a Child Care Reservation.

2. Children's Privacy — COPPA and All Minors

DropIn operates exclusively as a child care marketplace. Every child whose data is processed through our platform is a minor whose parent or legal guardian has registered them and provided explicit, verified consent before any data collection occurs. We treat all children enrolled on the platform — regardless of age — with the highest level of privacy protection.

Federal law — COPPA (US)

Under the Children's Online Privacy Protection Act (COPPA), operators must obtain verifiable parental consent before collecting personal information from children under the age of 13. DropIn is a booking marketplace; it does not provide child care services. DropIn collects personal information — including health records, immunization history, and medical authorizations — from Parent/Guardian for the sole purpose of facilitating bookings and transmitting required records to the independent Child Care Provider selected for each booking. Because some of this information relates to children under 13, DropIn applies COPPA-compliant verifiable parental consent requirements to all children enrolled on the platform, not only those under 13.

We do not knowingly collect data from children under 13 without prior verifiable parental or guardian consent. If we discover we have done so, we will delete the information promptly.

Evolving teen privacy law — COPPA 2.0

US Congress is actively expanding federal children's privacy protections to cover teens up to age 17. DropIn's existing consent framework already provides protections consistent with these emerging standards. No child or teen enrolled on our platform has their data collected, used, or shared without prior explicit parental or guardian consent.

What this means in practice

  • Parental or guardian consent is obtained before any data collection for every enrolled child, with no age exceptions.

  • Children's health data — including immunization records, medical authorizations, and developmental history — is treated as sensitive data subject to heightened security and strict access controls.

  • We do not use children's personal data for targeted advertising, profiling, or any purpose other than facilitating bookings between Parent/Guardian and independent licensed or lawfully license-exempt Child Care Providers, and transmitting required records to the booked Provider.

  • We do not sell or share children's personal data with third parties for commercial purposes. Sharing is limited to the specific licensed child care provider named in a confirmed booking, and only to the extent necessary to fulfill that booking.

  • We retain children's personal data only for as long as necessary to fulfill the purpose for which it was collected, consistent with applicable licensing record-keeping requirements.

  • Parents may request access to, correction of, or deletion of their child's data at any time by contacting [email protected].

3. Health & Medical Data — Heightened Protection Standards

DropIn is not a HIPAA covered entity. However, we voluntarily adopt HIPAA-equivalent technical and administrative safeguards for all health and medical data. This is best practice for a child care marketplace, satisfies the 2025 COPPA Rule's written security program requirement, and reflects the trust parents place in us.

What health data we collect and why

Because DropIn operates exclusively as a child care marketplace, we collect and process sensitive health and medical information on behalf of enrolled children. This includes immunization records, medical history, known allergies, current medications, developmental assessments, and physician contact information. We collect this data solely to facilitate bookings between Parent/Guardian and independent licensed or lawfully license-exempt Child Care Providers, and to transmit required records to the Provider selected for each booking. DropIn does not use health or medical data to provide child care, does not supervise the delivery of care, and is not a child care provider. We do not use health or medical data for advertising, marketing, profiling, or any commercial purpose. Health data is never sold or shared with third parties except as strictly necessary to transmit booking records to the specific Child Care Provider chosen by Parent/Guardian for a confirmed booking.

The Child Care Provider is the regulated record-holder for all child care records under applicable state child care licensing laws. DropIn's copy of any uploaded record is held as a marketplace transmission record only and does not make DropIn the legal custodian or system of record for child care licensing purposes. Parents are encouraged to also provide records directly to the Provider as required by the Provider's licensing obligations.

DropIn Data Role Summary

  • Data Storage: passive hosting only.

  • Data Transmission: yes, to the booked Provider.

  • Data Interpretation: NO — DropIn does not interpret, analyse, or act on data.

  • Medical Decisions: NO — solely the Provider and licensed professionals.

  • Record Authority: the Child Care Provider is the regulated record-holder under applicable state child care licensing law. DropIn retains data solely for marketplace functionality and not for regulatory compliance purposes.

  • No Duty of Care: DropIn owes no duty of care, supervision, or protection to any child.

DropIn's processing of personal data — including sensitive health and medical data — does not create any duty to act on that information, monitor child welfare, or take protective action. All duty of care is assumed exclusively by the Child Care Provider. The transmission of data to the Provider does not make DropIn a responsible party for the child's welfare.

How we protect health data — HIPAA-equivalent standards

All health and medical data stored on the DropIn platform is subject to the following safeguards:

  • Encryption: All health and medical data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).

  • Access controls: Access is strictly limited to authorized DropIn personnel with a documented marketplace operational need (e.g., transmitting records, responding to technical support requests), and to the specific licensed or lawfully license-exempt Child Care Provider named in a confirmed booking. No other DropIn staff, partners, or third parties have access. Access for the purpose of child care supervision, quality oversight, or welfare review is not an authorized purpose.

  • Written security program: Consistent with the FTC's 2025 COPPA Rule amendments, DropIn maintains a written children's data information security program, including designated oversight personnel, annual risk assessments, implementation and testing of security safeguards, and annual program evaluations.

  • Audit logging: All access to health and medical data records is logged and periodically audited.

  • Third-party due diligence: Any third-party service provider that handles children's health data on DropIn's behalf is contractually required to maintain equivalent security standards.

How long we keep health data

  • Active profile data (immunization records, allergy information, medical authorizations) is retained for the duration of the child's active enrollment on the DropIn platform.

  • Booking-specific health data (diet tags, medication notes, emergency contacts) is retained for a minimum of 12 months after the booking date to support any post-booking health or safety inquiry, and deleted thereafter — unless a longer period is required by applicable state child care licensing regulations.

  • When a parent or guardian closes their DropIn account or requests deletion of their child's data, all health and medical data is permanently deleted within 30 days, except where retention is required by applicable law.

Biometric data

DropIn does not currently collect biometric identifiers (fingerprints, facial templates, voiceprints, retina scans, or genetic data) from children or adults. If this changes, we will update this Privacy Policy v12 and obtain separate, explicit parental consent before any biometric data is collected. We will comply with all applicable state biometric privacy laws, which include but are not limited to: the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/); the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code §503.001); the Washington Biometric Privacy Law (RCW 19.375); the New York Stop Hacks and Improve Electronic Data Security Act; and similar laws enacted in other states. We will also comply with the FTC's 2025 COPPA Rule amendments, which now expressly include biometric identifiers as a category of protected children's personal information.

Government-issued identifiers

Birth certificates uploaded to verify a child's age are treated as sensitive identity data under the 2025 COPPA Rule amendments. They are encrypted, access-controlled, and used solely to satisfy child care licensing verification requirements. They are not shared beyond the specific child care provider named in the booking.

Breach notification

In the event of a data breach affecting children's health or medical data, DropIn will notify affected parents and guardians and the relevant regulatory authorities as required by applicable law, without undue delay and in no event later than 72 hours after becoming aware of the breach.

4. Why Does DropIn Collect and Use Your Personal Data?

We use the info collected about you for various purposes. Your personal data may be used in the following ways:

Child Care Reservations: First and foremost, we use your personal data to complete and administer your online Child Care Reservation, which is essential to what we do as a marketplace. This means providing a neutral technology platform through which Parent/Guardian independently identifies and books the Provider, transmitting the Child/Family Profile to the booked Provider, and processing payments on the Provider's behalf. DropIn does not use your personal data to provide child care services, make care-related decisions, or match users with Providers. This includes sending you communications that relate to your Child Care Reservation, such as confirmations, modifications, and reminders. DropIn does not use personal data to make care-related decisions, welfare determinations, medical assessments, or developmental evaluations of any kind. Such decisions are the sole responsibility of the Child Care Provider, Parent/Guardian, and licensed professionals.

Purpose Limitation — Data Processed Solely For: (1) facilitating bookings between Parent/Guardian and the independently selected Provider; (2) transmitting the Child/Family Profile and required records to the booked Provider; (3) processing payments as a limited payment facilitator on behalf of the Provider; and (4) maintaining marketplace functionality. Data is not used for any child care operational purpose.

Sensitive Data — Absolute Use Prohibition: Sensitive personal data collected through the DropIn platform — including child health data, medical conditions, dietary requirements, immunization records, developmental information, and any other Special Category data — is never used for marketing, profiling, advertising, commercial analytics, or any purpose beyond facilitating the specific booking for which it was provided. DropIn does not sell, share, or monetize sensitive child data in any form. Any use of sensitive data for any purpose other than the specific booking transmission for which it was collected is expressly prohibited.

Customer service: We provide customer service and are here to help 24/7. Sharing relevant details such as reservation info or info about your user account with our global customer service staff allows us to respond when you need us. This includes helping you to contact the right Child Care Provider and responding to any questions you might have about your Child Care Reservation (or any other questions, for that matter).

Account facilities: DropIn users can create an account on our website or apps. We use the info you give us to administer this account, enabling you to do a number of useful things. You can manage your Child Care Reservations, take advantage of special offers, make future Child Care Reservations easily, and manage your personal settings. Managing personal settings lets you keep and share lists, share photos, view previously searched Child Care Services, and check other child care related info you have provided. You can also see any reviews you have written.

Online groups: We might give account holders the chance to connect and interact with each other through online groups or forums.

Marketing activities: We use your information for marketing activities. These activities include: using your contact info to send you regular news about child care related products and services (you can unsubscribe from email marketing communications quickly, easily, and anytime by clicking the "Unsubscribe" link included in each newsletter or other communication); and based on your info, individualized offers might be shown to you on the DropIn website, on mobile apps, or on third-party websites/apps (including social media sites), and the content of the site displayed to you might be personalized. When you participate in other promotional activities (e.g. sweepstakes, referral programs, or competitions), relevant info will be used to administer these promotions.

Communicating with you: There might be other times when we get in touch, including by email, mail, phone, or text. Which method we choose depends on the contact info you previously shared. We process the communications you send to us, including responding to and handling any requests you or your booked Child Care Provider have made. If you have not finalized a Child Care Reservation online, we can contact you with a reminder to continue with your reservation. We believe this additional service benefits you because it allows you to carry on with a Child Care Reservation without having to search for Child Care Providers or enter your reservation details again.

When you use our services, we might send you a questionnaire or invite you to provide a review about your experience with DropIn or the Child Care Provider. We also send you other material related to your Child Care Reservations, such as how to contact DropIn if you need assistance, and information that we feel might be useful to you in planning or making the most of your Child Care. We might also send you material related to upcoming Child Care booking Reservations or a summary of previous Child Care Reservations you made through DropIn. Even if you do not have an upcoming Child Care booking Reservation, we may still need to send you other administrative messages, which could include security alerts.

Market research: We sometimes invite our customers to take part in market research. Review the info that accompanies this kind of invitation to understand what personal data will be collected and how it is used.

Improving our services: We also use personal data for analytical purposes and product improvement. This is part of our commitment to improving our services and enhancing the user experience. In this case, we use data for testing and troubleshooting purposes, as well as generating statistics about our business. The main goal here is to get insights into how our services perform, how they are used, and ultimately to optimize and customize our website and apps, making them easier and more meaningful to use. We strive to use pseudonyms for this analytical work as much as possible.

Customer reviews: During and after your Child Care, we might invite you to submit a review. We can also make it possible for the people you booked a reservation for to do this instead. If you have a DropIn account, you can choose to display a screen name next to your review instead of your real name, or even submit the review anonymously. If you would like to set a screen name, you can do so in your account settings. By completing a review, you are agreeing that it can be displayed on, for example, the relevant Child Care Provider info page on our websites, on our mobile apps, on our social media accounts and social media apps, or on the online platform of the relevant Child Care Provider or business partner's website.

Call monitoring: When you make calls to our customer service team, DropIn uses an automated telephone number detection system to match your telephone number to your existing reservations. This helps save time for both you and our customer service staff. During calls with our customer service team, live listening might be carried out or calls might be recorded for quality control and training purposes. This includes the use of the recordings for handling of complaints, legal claims, and fraud detection. Not all calls are recorded. Recordings are kept for a limited amount of time before being automatically deleted. An exception to this rule is when DropIn has a legitimate need to keep the recordings longer for fraud investigation or legal purposes.

Promotion of a safe and trustworthy service: To create a trustworthy environment for you, DropIn's business partners, and our Child Care Providers, we might use personal data to detect and prevent fraud and other illegal or unwanted activities. Similarly, we might use personal data for risk assessment and security purposes, including the authentication of users and reservations. When we do this we may have to stop or put certain Child Care Reservations on hold until we finish our assessment.

Legal purposes: Finally, in certain cases, we may need to use your info to handle and resolve legal disputes, for regulatory investigations and compliance, to enforce the DropIn online reservation service Terms and Conditions, or to comply with legal requests from law enforcement.

Providing your personal data to DropIn is voluntary. However, we may only be able to provide you with certain services if we can collect some personal data. For example, we cannot process your Child Care Reservation if we do not collect your name and contact details. If we use automation to process personal data that produces legal effects or significantly affects you, we will always implement the measures required to safeguard your rights and freedoms. This includes the right to obtain human intervention.

To process your personal data as described above, we rely on the following legal bases: for Child Care Reservations and customer service, DropIn relies on the legal basis that the processing of personal data is necessary for the performance of a contract. Note: the primary contract is between Parent/Guardian and the independent Child Care Provider; DropIn processes data as marketplace facilitator in connection with that contract. In view of marketing, analytics, fraud prevention, and service improvement purposes, DropIn relies on its legitimate commercial business interest to provide its services, prevent fraud, and improve our services. For the purpose of legal compliance, DropIn relies, where applicable, on compliance with legal obligations (such as legal law enforcement requests). When required under law, DropIn will obtain your consent prior to processing your personal data, including for email marketing purposes or as otherwise required by law. If you wish to object to the processing based on legitimate interest and no opt-out mechanism is available to you directly (for example, in your account settings), contact us at [email protected].

5. How Does DropIn Share Your Data with Third Parties?

In certain circumstances, we will share your personal data with third parties. These third parties include:

The Child Care Provider you booked

In order to complete your Child Care Reservation, we transfer relevant reservation details to the Child Care Provider you have booked. This is one of the most essential things we do for you. Depending on the Child Care Reservation and Child Care Provider, the details we share can include your name, contact and payment details, the names of the children on the booking, and any other info or preferences you specified when you made your Child Care Reservation, including health, dietary, or special requirements.

In certain cases, we also provide some additional historical info about you to the Child Care Provider. This includes whether you have already booked with them in the past, the number of completed bookings you have made with DropIn, a confirmation that no misconduct has been reported about you, the percentage of bookings you have canceled in the past, or whether you have given reviews about past bookings.

If you have a question about your Child Care, we may contact the Child Care Provider to handle your request. In cases of Child Care Reservation-related disputes, we may provide the Child Care Provider with your contact details, including your email address and info about the Child Care Reservation process needed to handle the dispute. This may include a copy of your reservation confirmation as proof that a Child Care Reservation was actually made.

Third-party service providers

We use service providers outside of the DropIn corporate group to support us in providing our services. These include customer support, market research, fraud detection and prevention (including anti-fraud screening), and payment processing. We use third parties to process payments, handle chargebacks or provide billing collection services. When a chargeback is requested for your Child Care Reservation, either by you or the holder of the credit card used to make the reservation, we will need to share certain reservation details with the payment service provider and the relevant financial institution so they can handle the chargeback. This could also include a copy of your reservation confirmation or the IP address used to make your reservation. We might share information with relevant financial institutions if we consider it strictly necessary for fraud detection and prevention purposes.

Marketing services: We share personal data with advertising partners, including your email address, as part of marketing DropIn services via third parties to ensure that relevant ads are shown to the right audience. We use techniques like hashing to enable the matching of your email address with an existing customer database so that your email address cannot be used for other purposes. For info about other personalized ads and your choices, read our Cookie Statement.

Advertising partners: We use advertising partners like metasearch providers to allow you to compare our offers with the offers of others. When you make a reservation on DropIn after using an advertising partner, we will send the details of the reservation that you made on DropIn to that partner. All service providers are required to continue to safeguard your personal data adequately.

DropIn corporate group

DropIn is part of the DropIn AI Inc. corporate group. We may receive personal data about you from other companies in the DropIn AI Inc. corporate group or share your personal data with them for the following purposes: to provide services (including to make, administer, and manage reservations or handle payments); to provide customer service; to detect, prevent, and investigate fraudulence or other illegal activities and data breaches; for analytical and product improvement purposes; to send you personalized offers or marketing with your consent, or as otherwise permitted by applicable law; for hosting, technical support, overall maintenance, and maintaining security of such shared data; and to ensure compliance with applicable laws.

As applicable and unless indicated otherwise, DropIn relies on its legitimate interest to share and receive personal data with the corporate group for service delivery, fraud prevention, analytics, and support purposes. For compliance with legal obligations (such as legal law enforcement requests), DropIn relies on applicable legal bases.

All companies within the DropIn AI Inc. group of companies may need to exchange personal customer data to ensure all users are protected from fraudulent activities on its online platforms.

Business partners

We work with many business partners. These business partners distribute or advertise the DropIn services, including the services and products of our Child Care Providers. When you make a reservation on one of our business partners' websites or apps, certain personal data that you give them, such as your name and email address, address, payment details, and other relevant info will be forwarded to us to finalize and manage your Child Care Reservation.

If customer service is provided by the business partner, DropIn will share relevant reservation details with them (as and when needed) to provide you with appropriate and efficient support. When you make a reservation through one of our business partners' websites, the business partners can receive certain parts of your personal data related to the specific reservation and your interactions on these partner websites. For fraud detection and prevention purposes, we may also exchange info about our users with business partners, but only when strictly necessary.

Competent authorities

We disclose personal data to law enforcement to the extent required by law or strictly necessary for the prevention, detection, or prosecution of criminal acts and fraud, or if we are legally obliged to do so otherwise. We may need to further disclose personal data to competent authorities to protect and defend our rights or properties, or the rights and properties of our business partners.

6. Security and Data Retention

We observe reasonable procedures to prevent unauthorized access to and the misuse of personal data. We use appropriate business systems and procedures to protect and safeguard the personal data you give us. We also use security procedures and technical and physical restrictions for accessing and using the personal data on our servers. Only authorized personnel are allowed to access personal data in the course of their work.

We will keep your personal data for as long as we think necessary to enable you to use our services or to provide our services to you (including maintaining your DropIn user account, if you have one), to comply with applicable laws, to resolve any disputes, and to otherwise allow us to conduct our business, including to detect and prevent fraud or other illegal activities. All personal data we keep about you is covered by this Privacy Policy v12. For health and medical data specifically, please see Section 3 above for detailed retention timelines.

For added protection, we strongly recommend setting up two-factor authentication for your DropIn account. This adds an extra authentication step to make sure anyone who gets ahold of your username and password (e.g. through phishing or social engineering) will not be able to access your account. You can set this up in the Security section of your account settings.

7. How DropIn Processes Communications

DropIn can offer you and Child Care Providers various ways to communicate about the Child Care Services and existing Child Care Reservations by directing communications via DropIn. This also allows you and your Child Care Provider to contact DropIn with questions about your Child Care Reservation through the website, our apps, and the other channels that we provide.

DropIn accesses communications and may use automated systems to review, scan, and analyze communications for the following reasons:

  • Security purposes

  • Fraud prevention

  • Compliance with legal and regulatory requirements

  • Investigations of potential misconduct

  • Product development and improvement

  • Research

  • Customer engagement (including to provide you info and offers that we believe might interest you)

  • Customer or technical support

We reserve the right to review or block the delivery of communications that we, at our sole discretion, believe might contain malicious content or spam, or pose a risk to you, Child Care Providers, DropIn, or others.

All communications sent or received using DropIn communication tools will be received and stored by DropIn. Business partners (through whose platforms you make a reservation) and Child Care Providers might also choose to communicate with you directly by email or other channels that DropIn does not control.

8. Mobile Devices and Social Media

Mobile devices

We offer free apps for a range of different mobile devices, as well as versions of our regular website that are optimized for browsing on a phone and tablet. These apps and mobile websites process the personal details you give us in a way similar to our website. They also allow you to use location services to find Child Care Services nearby, if you want.

With your consent, we may send you push notifications with information about your Child Care Reservation. You can also grant us access to your location data or contact details in order to provide services you request. If you upload pictures to our platform, these pictures may include location info (known as metadata) as well. Read your mobile device's instructions to understand how to change your settings and control the sharing of this type of data.

In order to optimize our services and marketing activities, and to make sure we give you a consistent user experience, we use something known as cross-device tracking. This can be done with or without the use of cookies. With cross-device tracking, DropIn is able to track user behavior across multiple devices. As part of cross-device tracking, we may combine data collected from a particular browser or mobile device with data from another computer or device that is linked to it. To optimize the content of the DropIn newsletter, we combine searches and reservations made from different computers and devices. You can unsubscribe from the DropIn newsletter anytime. Personalized ads shown to you on other websites or in apps can be offered based on your activities on linked computers and devices. By changing the cookie settings on your device (see our Cookie Statement under What are your choices?), you can change your cross-device tracking settings for advertisement purposes. You should know that logging out of your DropIn account does not mean that you will no longer receive personalized ads.

Social media

At DropIn, we use social media in different ways. We use it to facilitate the use of online reservation services, to promote our Child Care Providers' products and services, and to advertise, improve, and facilitate our own services. The use of social media features can result in the exchange of personal data between DropIn and the social media service provider, as described below. You are free to not use any of the social media features available to you.

Sign in with your social media account: We offer you the opportunity to sign in to a DropIn user account with one of your social media accounts. We do this to reduce the need for you to remember different usernames and passwords for different online services. After signing in once, you will always be able to use your social media account to sign in to your DropIn account. You can decouple your DropIn user account from your chosen social media account anytime you want.

Integration of social media plugins: We have also integrated social media plugins into the DropIn website and apps. This means that when you click one of the buttons (e.g. Facebook's "Like" button), certain info is shared with these social media providers. If you are logged in to your social media account at the same time, your social media provider may relate this info to your social media account. Depending on your settings, they might also display these actions on your social media profile to others in your network.

Other social media services and features: We may integrate other social media services (e.g. social media messaging) for you to interact with DropIn or your contacts about our services. We may maintain social media accounts and offer apps on several social media sites. Whenever you connect with DropIn through social media, your social media service provider may allow you to share info with us. If you choose to share, you will generally be told by your social media provider which information will be shared. For example, when you sign in to a DropIn user account using your social media account, certain info may be shared with DropIn, including your email address, age, or profile pictures saved to your social media account, depending on what you authorize.

Your social media provider will be able to tell you more about how they use and process your data when you connect to DropIn through them. This can include combining the personal data they collect when you use DropIn through them with info they collect when you use other online platforms also linked to your social media account. If you decide to connect using your Facebook or Google account, please review the relevant data policies for info about how these parties use data they receive.

9. How You Can Control Your Personal Data

We want you to be in control of how your personal data is used by us. You can do this in the following ways:

  • You can ask us for a copy of the personal data we hold about you.

  • You can inform us of any changes to your personal data or ask us to correct any of the personal data we hold about you. As explained below, you can make some of these changes yourself when you have a user account.

  • In certain situations, you can ask us to erase, block, or restrict the processing of the personal data we hold about you, or object to particular ways that we use your personal data.

  • In certain situations, you can also ask us to send the personal data you have given us to a third party.

  • Where we use your personal data on the basis of your consent, you are entitled to withdraw that consent at any time, subject to applicable law.

  • Where we process your personal data based on legitimate interest or the public interest, you have the right to object to that use of your personal data at any time, subject to applicable law.

We rely on you to make sure that your personal info is complete, accurate, and current. Let us know about any changes to or inaccuracies in your personal info as soon as possible. If you have a DropIn user account, you can access a lot of your personal data through our website or apps. You will generally find the option to add, update, or remove info we have about you in your account settings.

If any of the personal data we have about you is not accessible through our website or apps, you can send us a request, which will not cost you anything. For any requests relating to this Privacy Policy v12, to exercise any of your rights, or if you have a complaint, contact our Data Protection Officer at [email protected]. You can also contact your local data protection authority. If you want to object to your personal data being processed on the basis of legitimate interest and there is no option to opt out directly, contact us at [email protected].

10. US State Privacy Rights

As of 2026, more than 20 US states have enacted comprehensive privacy laws. Rather than maintaining 50 state-specific versions, DropIn implements the strictest applicable standard across all states as a single national baseline. Your rights described below apply regardless of which state you live in.

California residents — CCPA / CPRA

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the following rights: the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information we hold about you; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information; the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising your privacy rights.

Categories of personal information we collect include: Identifiers (e.g. your name, account number, email address, IP address); Financial, medical, or health insurance information (e.g. your bank account number, payment card number, medical information if provided by you or on your behalf); Characteristics of protected classifications under California or federal law (e.g. your gender, religion, sexual orientation); Commercial information (e.g. your purchase information); Internet or other electronic network activity information (e.g. information about your website or app usage); Geolocation data (e.g. your physical location); Visual information (e.g. any photographs you upload on your account); Inferences (e.g. analytics and preferences); and Professional or employment-related information (e.g. employer and business details).

We may share certain parts of your personal info with third parties, which under California law can be treated as a "sale" of information. This may include info related to Identifiers, Commercial information, Geolocation data, Internet activity, and Inferences. You may exercise your right to opt out of sales by visiting: https://www.dropin.care/content/ccpa.html. DropIn does not knowingly sell the personal information of minors under the age of 16 without appropriate consent. To exercise your California rights, contact us at [email protected] with the subject line: "California Resident Privacy Rights — Request." Authorized agents must provide written authorization from the consumer they represent.

Virginia, Colorado, Connecticut, Texas, and other state residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Florida, Montana, Oregon, and other states with comprehensive privacy laws have similar rights including: the right to access personal data we hold about you; the right to correct inaccurate data; the right to delete personal data; the right to obtain a portable copy of your data; and the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights regardless of your state, contact our Data Protection Officer at [email protected]. We will process requests within the timeframe required by the law of your state of residence. We do not discriminate against any user for exercising their privacy rights.

Washington state residents — My Health My Data Act

Washington's My Health My Data Act (MHMD, effective 2024) provides expanded protections for consumer health data beyond traditional HIPAA. Because DropIn collects health-related data about children, we apply MHMD-equivalent standards for all users, not only Washington residents. This means: we collect only the minimum health data necessary for the specific child care purpose; we do not sell consumer health data; we do not use health data for advertising or profiling; we maintain a written data security program; and we provide the rights described above including deletion of health data on request.

Nevada, Utah, and other state residents

Residents of Nevada, Utah, Iowa, Indiana, Tennessee, Montana, and other states with privacy laws in effect or taking effect during 2025–2026 are covered by DropIn's national privacy baseline, which meets or exceeds the requirements of each of these laws. Contact [email protected] to exercise your rights under any applicable state law.

11. Cookies and Tracking Technologies

Whenever you use our online services or apps, we use cookies and other online tracking technologies (which we will also refer to as "cookies" for the purpose of this Cookie Statement). Cookies can be used in various ways, including to make the DropIn website work, analyze traffic, or for advertising purposes.

What are cookies and online tracking technologies?

A web browser cookie is a small text file that websites place on your computer's or mobile device's web browser. These cookies store info about the content you view and interact with to remember your preferences and settings or analyze how you use online services. Cookies are divided into first party cookies (served by the owner of the domain — in our case, DropIn) and third-party cookies (placed on our domains by trusted partners that we have allowed to do so, such as social media partners, advertising partners, security providers, and more).

Cookies are also either session cookies (which only exist until you close your browser) or permanent cookies (which stay on your device after the browser is closed and have a range of lifespans). On the DropIn platform, we try to only serve permanent cookies that have a limited lifespan. However, for security reasons or in other exceptional circumstances, sometimes we may need to give a cookie a longer lifespan.

Along with cookies, we also use tracking technologies that are very similar. Our website, emails, and mobile apps may contain small transparent image files or lines of code that record how you interact with them. These include web beacons (also known as web bugs, tracking bugs, tags, web tags, page tags, tracking pixels, pixel tags, 1x1 GIFs, or clear GIFs), which are a tiny graphic image of just one pixel that can be delivered to your device as part of a web page request, in an app, an advertisement, or an HTML email message. They can be used to retrieve info from your device, such as your device type, operating system, IP address, and the time of your visit. They are also used to serve and read cookies in your browser or to trigger the placement of a cookie.

Scripts are small computer programs embedded within our web pages that give those pages a wide variety of extra functionality. Scripts make it possible for the website to function properly and can also be used for analytical or advertising purposes. Tracking URLs are links with a unique identifier in them, used to track which website brought you to the DropIn website or app. Software Development Kits (SDKs) are part of our apps' source code, used to analyze how the apps are being used or to send personalized push notifications.

How are cookies used?

Cookies are used to collect info including: IP address, Device ID, Viewed pages, Browser type, Browsing info, Operating system, Internet service provider, Timestamp, whether you have responded to an advertisement, a referral URL, and Features used or activities engaged in on the website/apps. They allow you to be recognized as the same user across the pages of a website, devices, between websites, or when you use our apps. Cookies are divided into three categories:

Functional cookies: These are cookies required for our websites and apps to function and must be enabled for you to use our services. Functional cookies are used to create technologically advanced, user-friendly websites and apps that adapt automatically to your needs and preferences, so you can browse and book easily. More specifically, these cookies enable our website and apps to work properly so you can create an account, sign in, and manage your bookings; remember your selected currency and language settings, past searches, and other preferences; and remember your registration info so you do not have to retype your log-in credentials each time you visit our website or app.

Analytical cookies: These cookies measure and track how our website and apps are used. We use this info to improve our website, apps, and services. More specifically, these cookies help us understand how visitors and customers like you use DropIn and our apps; help improve our website, apps, and communications; allow us to find out what does and does not work on our website and apps; help us understand the effectiveness of advertisements and communications; teach us how users interact with our website or apps after they are shown an online ad, including ads on third-party websites; and enable our business partners to learn whether or not their customers make use of any child care offers integrated into their websites.

Marketing cookies: These cookies are used by DropIn and our trusted partners to gather info about you over time, across multiple websites, applications, or other platforms. Marketing cookies help us to decide which products, services, and interest-based ads to show you, both on and off our website and apps. More specifically, these cookies categorize you into a certain interest profile based on the websites you visit and your click behavior, display personalized and interest-based ads both on the DropIn website and on other websites (known as retargeting), and integrate social media into our website and apps.

Non-cookie techniques — email pixels: We may also use techniques like pixels, which we do not mark as cookies because they do not store any info on your device. We sometimes place pixels in emails like newsletters. A "pixel" is an electronic file the size of a single pixel that is placed in the email and loaded when you open it. By using email pixels, we can see if the message was delivered, if and when you read it, and what you click. We also receive this info about the push notifications we send you. These statistics provide us with feedback about your reading behavior, which we use to optimize our messages and make our communications more relevant to you.

What are your choices?

To learn more about cookies and how to manage or delete them, visit allaboutcookies.org or the help section of your browser. Under the settings for browsers like Internet Explorer, Safari, Firefox, or Chrome, you can choose which cookies to accept and reject. If you choose to block certain functional cookies, you may not be able to use some features of our services.

In addition to specific settings that we may offer on the DropIn platform and apps, you can also opt out of certain cookies. To prevent Google Analytics from collecting analytical data on certain browser types, visit the Google Analytics Opt-out Browser Add-on (only available on desktop). We always aim to work with advertising and marketing companies that are members of the Network Advertising Initiative (NAI) and/or the Interactive Advertising Bureau (IAB). Members of the NAI and IAB adhere to industry standards and codes of conduct, and allow you to opt out of behavioral advertising. Visit www.networkadvertising.org to identify NAI members that may have placed advertising cookies on your computer. You may also want to visit www.youronlinechoices.com or www.youradchoices.com to learn how to opt out of customized ads.

Your mobile device may allow you to limit the sharing of info for retargeting purposes through its settings. If you choose to do so, remember that opting out of an online advertising network does not mean you will no longer see or be subject to online advertising or marketing analysis. It just means the network you opted out of will not deliver ads customized to your web preferences and browsing patterns anymore. Some websites have "Do Not Track" features that allow you to tell a website not to track you. We are currently unable to support "Do Not Track" browser settings.

For questions about our cookie practices, contact us at [email protected]. Our cookie statement may be updated from time to time. If these updates are substantial, particularly relevant to you, or impact your data protection rights, we will get in touch with you about them.

12. Who Is Responsible and How to Contact Us

DropIn AI Inc. controls the processing of personal data as described in this Privacy Policy, except where explicitly stated otherwise. DropIn AI Inc. is a private limited liability company incorporated under the laws of the State of Delaware, and having its registered address at 16192 Coastal Hwy, Lewes, DE 19958.

If you have any questions about this Privacy Policy or our processing of your personal data, contact our Data Protection Officer at [email protected] and we will get back to you as soon as possible. For questions about a reservation, contact our customer service team through the customer service contact page. Requests from law enforcement should be submitted using the Law Enforcement process.


DropIn AI Inc. · [email protected] · 16192 Coastal Hwy, Lewes, DE 19958 · © 2026 DropIn AI Inc. All rights reserved.