This Privacy Policy explains how DriftGuard (“we,” “us,” or “our”) collects, uses, and shares information when you use the hosted service at driftguard.org, including our web console, API, and MCP-hosted endpoints.
Our open-source software on GitHub that you run locally is outside the scope of this Policy unless it connects to our hosted Service.
1. Information we collect
Account and identity
- Social sign-in: If you authenticate with GitHub, Google, or another supported provider, we receive profile information they share (such as email address, display name, avatar URL, and provider user ID).
- Organizations and roles: Workspace name, membership role, seat usage, and invite email addresses you or admins provide.
- API keys: We store a one-way hash and a short public prefix of API keys you create; we do not store full keys after issuance.
Service data you provide
- Watches: URLs and MCP endpoints you ask us to monitor, optional request headers (which may include secrets if you configure them), alert policies, webhook/Slack destinations, and labels.
- Snapshots and drift history: Response bodies, parsed schemas, diff classifications, and timestamps produced by scheduled checks.
- Trial sessions: Anonymous trial identifiers stored in your browser until you link an account.
- Support and billing correspondence: Messages you send to hello@driftguard.org.
Payment information
Paid subscriptions are processed by Lemon Squeezy (merchant of record). We receive subscription status, plan tier, customer email, and transaction references—not full payment card numbers. Lemon Squeezy’s privacy policy governs payment data they collect: lemonsqueezy.com/privacy.
Technical and usage data
- Session cookies (e.g.
dg_session) for authenticated console access; - IP address, user agent, and request logs for security, abuse prevention, and debugging;
- Aggregated usage metrics (check counts, feature usage) to operate and improve the Service.
2. How we use information
We use information to:
- Provide monitoring, diffing, alerting, exports, and account features;
- Authenticate users, enforce plan limits, and prevent fraud or abuse;
- Process subscriptions and communicate about billing or service changes;
- Improve reliability, security, and product design;
- Comply with legal obligations.
We do not sell your personal information. We do not use watch content to train general-purpose AI models.
3. Legal bases (EEA/UK users)
Where GDPR or UK GDPR applies, we rely on: contract (providing the Service you requested); legitimate interests (security, analytics, product improvement); and consent where required (for example, non-essential cookies if we add them). You may withdraw consent without affecting the lawfulness of prior processing.
4. How we share information
We share information only as needed to operate the Service:
- Infrastructure provider: Hosting, database, queues, and edge delivery.
- Lemon Squeezy: Subscription billing and tax handling (merchant of record).
- Identity providers: When you choose social sign-in, authentication is handled by the provider under their policies.
- Integrations you configure: Alert payloads are sent to webhooks, Slack, PagerDuty, or other destinations you specify.
- Legal and safety: When required by law or to protect rights, safety, and integrity of the Service.
Team workspace admins may access organization watches and keys according to their role.
5. International transfers
We operate from Kenya and use global infrastructure providers. Data may be processed in countries other than yours. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms offered by our processors.
6. Retention
Retention depends on your plan and settings:
- Free tier: shorter snapshot retention (as described on our pricing page);
- Pro / Team: extended history per plan limits;
- Account data: kept while your account is active and for a reasonable period afterward for backups, disputes, and legal compliance;
- Logs: typically retained for a limited period unless needed for security investigations.
You may request deletion of your account by emailing hello@driftguard.org. Some data may persist in encrypted backups for a limited time.
7. Security
We use HTTPS, hashed API keys, encrypted sensitive headers at rest where configured, access controls, and rate limiting. No method of transmission or storage is 100% secure; you are responsible for protecting credentials and avoiding secrets in URLs or logs.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or port personal data, and to object to certain processing. To exercise these rights, contact hello@driftguard.org. We will respond within applicable deadlines.
EEA/UK residents may lodge a complaint with their local data protection authority. Kenya residents may contact the Office of the Data Protection Commissioner.
9. Cookies and analytics
We use essential cookies for authentication and session management (dg_session). Sign-in with Google may involve Google Identity Services cookies subject to Google’s privacy policy.
On marketing pages (/, /pricing, /resources, and /docs), we also run:
- First-party funnel analytics — always on. Sets
dg_aid(anonymous id) and sends events to our own API (/api/funnel/events). No third-party ad networks. - Optional PostHog analytics — loaded only after you click Yes, help improve on the consent banner, stored in
dg_analytics_consent. If you choose No thanks, PostHog is never loaded. We honorDo Not Trackwhen your browser sends it.
The authenticated console, admin surfaces, and API routes do not load PostHog or show the marketing consent banner.
You can change your choice by clearing site cookies for driftguard.org and revisiting a marketing page.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children. Contact us if you believe a child has provided data and we will delete it.
11. Changes
We may update this Policy by posting a new version on this page. Material changes will be communicated where appropriate. Continued use after the effective date constitutes acceptance.
12. Contact
Privacy questions and requests: hello@driftguard.org