Privacy Policy

SlopBin is operated by Acacia Services LTD, a private company limited by shares registered in England and Wales under company number 13258630. Registered office: Acacia Services LTD, Bartle House, Oxford Court, Manchester, M2 3WQ. Acacia Services LTD is the controller for personal data processed through SlopBin when we decide why and how it is processed. Stripe, Deno, and Resend may also process some data under their own roles and policies for payment, hosting, and email services.

We have not appointed a data protection officer or UK representative because we do not currently understand SlopBin to be required to appoint one. Use the privacy contact below for data protection questions and rights requests.

• Privacy requests: privacy@slopbin.dev
• Abuse reports: abuse@slopbin.dev
• Copyright notices: dmca@slopbin.dev
• Billing and support: support@slopbin.dev

For each paste we store: paste content bytes, protection metadata, tier, language hint, creation time, expiry time, plaintext size, and an optional agent_id you supply. IP addresses are stored only as rate limit counters with a 24-hour TTL.

Password-protected paste passwords are processed transiently during hosted browser, REST, and MCP create/read requests. They are not written to paste storage.

For paid accounts we store: email address from Stripe, Stripe customer and subscription IDs, subscription status, API key hash, manage-token hash, encrypted credential-delivery payloads for recovery email retries, and account-managed paste metadata.

Abuse reports may include the reported paste slug, report category, reporter email if supplied, report text, client IP, delivery status, review status, and operator notes.

We collect most of this data directly from you when you create, read, report, manage, or delete a paste. We receive billing and subscription identifiers from Stripe after checkout and through Stripe webhooks. Hosting, email, security, and operational metadata may be generated by SlopBin or our service providers when the service is used.

• Raw paste passwords. Lost paste passwords cannot be recovered.
• Plaintext API keys or delete tokens in the primary database; only hashes are stored. Welcome-email retry payloads are encrypted at rest.
• Third-party advertising or analytics cookies.
• User agents beyond client type inference (browser / api / mcp).

Under UK GDPR, these are the main lawful bases we rely on:

• Contract: create, host, read, delete, and manage pastes; provide paid API keys; send transactional account email; and operate billing links.
• Legitimate interests: rate limiting, fraud prevention, security, debugging, service reliability, abuse review, and operator alerting.
• Legal obligation: respond to lawful requests, copyright notices, tax and accounting obligations, sanctions or fraud controls, and serious abuse reports where law requires action.
• Consent: only where you voluntarily send optional information, such as an abuse reporter email address. SlopBin does not currently use non-essential cookies, advertising pixels, or analytics tracking.

When you use the browser editor or account manage pages, we may set small HttpOnly session cookies so you do not have to keep secrets in the URL:

• sb_delete_token - sealed delete token for routes under the site origin; cleared when the paste expires or you sign out of that flow.
• sb_manage - sealed manage session for /manage; expires after 30 days and is invalidated when you rotate the manage link or delete your account.

These cookies use SameSite=Lax, Secure on HTTPS, and AES-GCM sealing when BROWSER_SESSION_KEY is set. They are used only to provide requested security and account management functions, not for cross-site tracking.

• Deno Land Inc. / Deno Deploy - hosts SlopBin's runtime in Amsterdam and provides Deno KV/storage and deployment infrastructure. Deno may process paste records/content, account metadata, request and operational logs, and runtime metadata for hosting, storage, security, reliability, and debugging. Deno's terms incorporate a Data Processing Addendum.
• Stripe - payment processing, subscriptions, invoices, customer billing details, tax handling, payment disputes, and customer portal sessions. Stripe handles payment data under its own privacy policy.
• Resend - transactional email, including paid credential delivery, resend flows, abuse notifications, and operator alerts.

Deno privacy · Deno terms and DPA · Stripe privacy · Resend privacy

SlopBin is operated from the UK, hosted on Deno Deploy in Amsterdam, and uses global infrastructure and service providers. Data may transit through, be accessed from, or be processed in the United States and other countries outside the UK or EEA by Deno, Stripe, Resend, or their subprocessors. Where required, we rely on the safeguards provided in their service terms, data processing terms, standard contractual clauses, the UK International Data Transfer Addendum, adequacy regulations, the UK Extension to the EU-U.S. Data Privacy Framework, or equivalent transfer mechanisms.

• Free tier pastes are deleted after 24 hours.
• Paid tier pastes are deleted when they expire, are manually deleted, are consumed by burn-after-read, or the account is deleted.
• Rate limit counters expire after 24 hours.
• Paid account records persist until you delete the account from manage, cancel and request deletion, or we process a valid deletion request.
• Credential delivery records are kept while needed for paid credential recovery and support, then deleted with the account.
• Abuse reports, DMCA notices, billing records, ops events, and security records are retained as long as needed for legal, security, dispute, and operational purposes.
• Stripe may retain invoices, payment records, tax records, and fraud-prevention data under Stripe's own retention rules.

If you have a paid account and can open /manage from your welcome email link, you can:

• Export your data - download a JSON file with account metadata, paste contents you own, and credential-delivery metadata we hold. Full invoices, payment methods, and billing history are available through Stripe tools.
• Delete your account - removes your account-managed pastes and our copy of account data, cancels subscription and deletes the Stripe customer where the API allows, and clears your manage session cookie. This cannot be undone.

For anything you cannot complete in-app, email privacy@slopbin.dev. We aim to respond without undue delay and within one month.

You can also ask us to access, correct, delete, restrict, object to, or port personal data where the law gives you those rights. We may need to verify your identity before acting on a request.

SlopBin does not use personal data for advertising profiles, automated decision-making, or automated decisions that produce legal or similarly significant effects.

If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

Abuse reports you file about someone else's paste are processed separately from your account export; contact us if you need access or erasure for data you submitted as a reporter.