Drift OS Privacy Policy

1. Scope

This Privacy Policy describes how Drift OS ("we," "us," "our") collects, uses, stores, and discloses personal data when you use our website, application, APIs, and related services.

Data controller: Integrofy LLC, 1522 Western Ave STE 24183, Seattle, WA 98101.

2. Data We Collect

We may collect the following categories of data:

• account data (name, email, auth identifiers);
• billing data needed to manage subscriptions and payments;
• user content and activity data (notes, events, decisions, prompts, outputs, project metadata);
• technical and usage data (IP, browser, device, logs, timestamps);
• support and communications data.

3. How We Use Data

We use personal data to:

• provide and operate the Services;
• authenticate users and secure accounts;
• process payments and manage subscriptions;
• deliver AI-powered features and responses;
• improve reliability, safety, and performance;
• comply with legal obligations and enforce our Terms.

4. AI Processing (OpenRouter and Nebius)

Our AI features may send relevant prompt/context data and model requests to third-party providers, including OpenRouter and Nebius, for inference. This transmission is necessary to provide summaries, insights, extraction, categorization, and other AI features.

We may store generated outputs and inference metadata in our systems, including cached AI responses and usage accounting records, to improve performance, control cost, and support product functionality.

Third-party providers process data under their own terms and privacy notices. Review:

• OpenRouter Privacy Policy
• OpenRouter Terms of Service
• Nebius Privacy Policy

We do not use your prompts or outputs to train our own foundation models. We only use your content to provide the Services, operate product features, and improve reliability and safety. Third-party AI providers may process data under their own policies; we configure integrations to minimize training use where such controls are available.

5. Legal Bases (Where Applicable)

For users in the EEA/UK/Switzerland, our legal bases include:

• account registration, login, and core product operation: performance of a contract;
• payment processing and subscription management via Polar.sh: performance of a contract;
• security monitoring, fraud prevention, and service reliability: legitimate interests;
• product analytics and error diagnostics via PostHog: legitimate interests, or consent where required by law;
• optional marketing communications (if enabled): consent (you may withdraw at any time);
• tax, accounting, and legal compliance: legal obligation.

6. Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, security, preferences, analytics, and performance monitoring.

• strictly necessary cookies: required for login sessions, security, and essential product functionality;
• analytics cookies: used by PostHog to measure usage, sessions, and product performance;
• third-party cookies: Google OAuth may set cookies needed to authenticate users through Google.

Where required by law (including in the EEA/UK), we request consent before placing non-essential cookies and provide a way to reject or withdraw consent.

7. Sharing and Disclosure

We may disclose personal data to:

• AI providers (OpenRouter and Nebius) for model inference and output generation;
• Polar.sh as our payment processor (payment card details are processed directly by Polar.sh; we do not store full card numbers);
• Google as an authentication provider for sign-in and account identity verification;
• PostHog for product analytics and error tracking (including event metadata, session diagnostics, crash/error data, and IP/device metadata);
• Netcup as our infrastructure hosting provider (including EU-hosted systems);
• professional advisors and auditors;
• authorities where required by law or to protect rights and safety;
• successors in connection with mergers or asset transfers.

Provider privacy notices: Polar.sh, PostHog, Google, Netcup.

8. Retention

We retain personal data according to category and legal need. Typical retention periods are:

• account profile data: for the life of the account and up to 15 days after deletion request;
• user content and workspace data: for the life of the account and up to 15 days after account closure, subject to backup cycles;
• billing and transaction records: up to 7 years to satisfy accounting and tax obligations;
• security logs and server logs: typically up to 90 days, unless needed longer for abuse prevention or investigations;
• AI inference metadata and usage logs: typically up to 30 days unless longer retention is required for fraud prevention, legal obligations, or dispute handling.

9. International Transfers

We and our service providers may process data in multiple countries. Where required, we apply appropriate safeguards for cross-border data transfers, including the European Commission's Standard Contractual Clauses (SCCs) or reliance on applicable adequacy decisions.

We use Netcup infrastructure in the EU where available. Some service providers may process data in the United States or other countries, and we apply transfer safeguards where legally required.

10. Security

We use reasonable technical and organizational safeguards to protect personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent where processing is based on consent.

We aim to respond to verified rights requests within 30 days. If a request is complex, we may extend by up to an additional 60 days where permitted by law and will notify you of the reason for delay.

To exercise rights, contact us at privacy@driftos.app.

12. Data Protection Contact

You may contact us about privacy matters at privacy@driftos.app. We will designate a data protection officer or EU/UK representative if and when required by applicable law.

13. Children

The Services are not intended for children under 13, and we do not knowingly collect personal data from children under 13.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a revised "Last Updated" date. Continued use of the Services after changes take effect means you accept the update.

15. Contact

Integrofy LLC, 1522 Western Ave STE 24183, Seattle, WA 98101.

Integrofy LLC is registered in Wyoming; legal venue provisions for contractual disputes are set out in our Terms of Service.

Privacy questions or complaints: privacy@driftos.app.

See also our Terms of Service.