Privacy Policy
This Privacy Policy explains how Driftgard (“Driftgard”, “we”, “us”) collects, uses, shares, and protects information when you visit our website or use our products and services (the “Services”).
Effective date: 4 March 2026 • Last updated: 4 March 2026
What we collect
Website and demo enquiries; account and organisation data; usage/telemetry (if enabled); and customer-provided evaluation content.
What we do with it
Operate and secure the Services, provide support, improve reliability, generate audit evidence, and comply with law.
Your control
Project-level retention and masking options; access controls; deletion requests; and contractual controls for enterprise deployments.
Driftgard is primarily an enterprise service. In many cases, the organisation that uses Driftgard is the “controller” of evaluation data, and Driftgard acts as a “processor” under contract.
1. Information we collect
1.1 Website and communications
- Contact details and business information you submit (e.g., name, work email, company, job title).
- Messages and attachments you send (e.g., demo requests, support tickets).
- Basic web logs (IP address, browser type, pages viewed, timestamps) for security and troubleshooting.
1.2 Account, organisation, and access
- User account identifiers (e.g., user ID, email) and authentication events.
- Organisation and project metadata (org/project IDs, membership, role assignments).
- Audit actions (who/what/when/why) for key configuration and policy changes.
1.3 Service usage (telemetry)
Telemetry is configurable by project/organisation. If enabled, we may collect product usage metrics (e.g., feature interactions, performance/latency metrics, error traces) to improve reliability and security.
- Usage events and aggregate statistics.
- Error and reliability signals.
- Security signals (rate limiting, anomalous access patterns).
1.4 Customer-provided evaluation content
Customers may upload or send content to evaluate, such as prompts, model responses, and related metadata (“Evaluation Content”). Evaluation Content may include personal data, depending on what you upload.
- Prompts and model outputs provided for evaluation.
- Associated metadata (timestamps, model IDs, project IDs, tags).
- Derived outputs (risk scores, violations, evidence strings, summaries).
If you can avoid uploading personal or sensitive data, please do. Where needed, enable masking controls and set appropriate retention.
2. How we use information
2.1 Provide and secure the Services
- Authenticate users and enforce org/project access controls.
- Run evaluations, generate results, and produce exports/evidence packs.
- Monitor for abuse, fraud, and security incidents.
- Maintain audit logs and change history for defensibility.
2.2 Improve reliability and product quality
- Diagnose crashes, performance issues, and errors.
- Understand feature adoption and UX pain points (aggregate/telemetry).
- Develop new features and improve the evaluation workflow.
2.3 Support and communications
- Respond to enquiries and provide customer support.
- Send service-related notices (security updates, maintenance).
- For marketing messages, we use opt-in/opt-out mechanisms where required by law.
2.4 Legal, compliance, and safety
- Comply with legal obligations and respond to lawful requests.
- Enforce our Terms and acceptable use policies.
- Protect the rights, safety, and security of our customers and the public.
3. Legal bases (where applicable)
Depending on your jurisdiction, our legal basis for processing may include: performance of a contract; legitimate interests (e.g., security, product improvement); compliance with legal obligations; and consent (e.g., for certain marketing messages). For enterprise Services, processing of Evaluation Content is typically performed under the customer’s instructions and contract.
4. Sharing and disclosure
4.1 Service providers
We may use vetted service providers to host and operate parts of the Services (e.g., infrastructure, analytics, email). They are authorised to process information only as needed to provide services to us.
4.2 Customer-controlled sharing
Your organisation may configure access controls and share exports/reports with internal teams, auditors, or regulators. These shares are controlled by your organisation.
4.3 Legal requirements
We may disclose information if required to do so by law, regulation, legal process, or enforceable governmental request.
4.4 Business transfers
If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, information may be transferred as part of that transaction (subject to appropriate safeguards).
5. Data retention
Retention is configurable per project/organisation. Customers can typically choose between stateless evaluation and stored evaluation history to support audits and drift monitoring. We retain information only as long as needed for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Evaluation Content and results: retained according to project settings and contractual terms.
- Audit logs: retained to provide defensible evidence of changes and access.
- Backups: may persist for limited periods under standard operational practices.
6. Security
6.1 Controls (high level)
- Org → Project isolation and role-based access controls.
- Audit logging for key actions and configuration changes.
- Encryption in transit (TLS) and, where applicable, encryption at rest.
- Least-privilege operational access.
6.2 Your responsibilities
- Only upload content you are authorised to process.
- Configure retention and masking to match your obligations.
- Limit access using RBAC and project membership.
- Secure your credentials and notify us of suspected compromise.
We maintain administrative, technical, and physical safeguards designed to protect information, but cannot guarantee absolute security.
7. International transfers
We may process and store information in the regions where we or our service providers operate. Where required by law, we implement appropriate safeguards for cross-border transfers. Customers with specific residency requirements should discuss deployment options during onboarding.
8. Your rights and choices
8.1 Access, correction, deletion
Depending on your jurisdiction, you may have rights to request access to, correction of, or deletion of personal information. For enterprise accounts, requests may need to be routed through your organisation (the data controller).
8.2 Marketing preferences
You can opt out of marketing emails at any time by using the unsubscribe link in the email (where provided) or by contacting us. Service-related notices are not marketing and may still be sent.
8.3 Cookies and analytics
We may use cookies or similar technologies for security, basic site functionality, and analytics. Where required, we provide choices and obtain consent for non-essential cookies.
9. Children’s privacy
Driftgard is not directed to children and we do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us so we can take appropriate steps.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. If changes are material, we will provide additional notice as required by law or contract.
11. Contact us
Privacy enquiries
For privacy questions or requests, contact us through the website contact form. If you are an enterprise customer, you may also use your support channel provided during onboarding.
Many privacy requests related to Evaluation Content should be handled by the organisation that uploaded the data (the controller). We assist customers in fulfilling requests as required by contract and law.