
Privacy Policy

Effective date: · Last updated:

This Privacy Policy describes how UP2CLOUD Unipessoal Lda. (“UP2CLOUD”, “we”, “us”, or “our”), the operator of the DriftGuard platform (“DriftGuard”, “Service”), collects, uses, stores, and protects personal data when you visit our websites, create an account, connect GitHub or cloud integrations, or otherwise use DriftGuard. DriftGuard is a B2B DevSecOps and FinOps platform that analyzes infrastructure-as-code pull requests for cost, drift, security, and compliance signals. We process data primarily as a processor on behalf of your organization and as a controller for account, billing, and product-improvement data described below.

1. Scope and roles

This policy applies to driftguard.io, app.driftguard.io, and related subdomains, APIs, and support channels. If your organization subscribes to DriftGuard under a Data Processing Agreement (DPA), that agreement governs Customer Content (for example, repository metadata, plan output, and findings) and may supplement this policy.

Where we process personal data on your organization’s instructions, you are the data controller and UP2CLOUD acts as processor. For account registration, marketing, billing, and security logging, UP2CLOUD is an independent controller.

2. Information we collect

We collect the following categories of information:

  • Account and identity: name, work email, organization name, authentication identifiers from GitHub OAuth or SSO, and role assignments you configure.
  • Integration data: repository names, pull request identifiers, commit SHAs, OpenTofu/Terraform plan artifacts, cloud resource metadata required to compute cost, drift, and security findings, and webhook delivery logs.
  • Usage and diagnostics: feature usage events, API request metadata, performance metrics, error reports, and support correspondence.
  • Billing: subscription tier, invoice contacts, payment status (payment card data is handled by our payment processor, not stored by us).
  • Marketing: waitlist email addresses and campaign attribution when you opt in on our website.
  • Technical: IP address, browser type, device identifiers, and cookies described in Section 8.

3. How we use information

We use personal data to:

  • Provide, maintain, and improve the Service, including PR analysis, dashboards, notifications, and policy enforcement.
  • Authenticate users, prevent fraud and abuse, and enforce acceptable use.
  • Operate billing, account management, and customer support.
  • Send product, security, and legal notices; marketing communications only with consent or applicable B2B soft-opt-in rules.
  • Comply with law, respond to lawful requests, and protect rights, safety, and security.
  • Generate aggregated, de-identified analytics to improve detection quality and platform reliability.

4. Legal basis (EEA/UK)

Where GDPR applies, we rely on: (a) contract performance for providing the Service; (b) legitimate interests for security, product improvement, and B2B marketing to business contacts; (c) consent for non-essential cookies and optional communications; and (d) legal obligation where required. You may object to certain processing where applicable law provides that right.

5. Sharing and subprocessors

We do not sell personal data. We share data with infrastructure and subprocessors that help us operate the Service (for example, EU-region cloud hosting, observability, email delivery, and payment processing), bound by confidentiality and data protection terms. A current subprocessor list is available on request at privacy@driftguard.io.

We may disclose information if required by law, in connection with a merger or acquisition, or to protect DriftGuard, our customers, or the public from harm or illegal activity.

6. International transfers

DriftGuard is designed for EU hosting by default. If data is transferred outside the European Economic Area or UK, we implement appropriate safeguards such as Standard Contractual Clauses and transfer impact assessments where required.

7. Data retention

We retain Customer Content according to your organization’s plan settings and DPA, typically for the duration of the subscription plus a limited backup period. Account and billing records are retained as required for tax, accounting, and legal obligations. Security logs may be retained for up to twenty-four (24) months unless a longer period is required for incident investigation.

8. Security

We implement administrative, technical, and organizational measures appropriate to a B2B infrastructure security product, including encryption in transit, access controls, least-privilege engineering practices, vulnerability management, and audit logging. No method of transmission or storage is completely secure; you are responsible for securing credentials, GitHub tokens, and cloud roles you provision to DriftGuard.

9. Cookies and similar technologies

We use strictly necessary cookies for authentication and session management. With your consent where required, we may use analytics cookies to understand product usage. You can control non-essential cookies through your browser settings or in-product preferences when available.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent. EEA/UK residents may lodge a complaint with a supervisory authority. Requests should be sent to privacy@driftguard.io; we may need to verify your identity and coordinate with your organization’s administrator for processor-held data.

11. Children

DriftGuard is a business service not directed to individuals under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this Privacy Policy to reflect product, legal, or regulatory changes. Material changes will be notified via the Service or email where appropriate. Continued use after the effective date constitutes acceptance of the updated policy.

13. Contact

UP2CLOUD Unipessoal Lda., DriftGuard Privacy, privacy@driftguard.io. For data protection inquiries in the EU, include your organization name and the nature of your request.