Privacy Policy
Last updated: December 2024
DriftRail Inc. ("DriftRail," "Company," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information when you visit our website, use our AI observability platform, or interact with our services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree with our policies and practices, please do not use our Services.
1. Information We Collect
1.1 Information You Provide Directly
We collect information you voluntarily provide when you:
- Create an Account: Email address, name, organization name, job title, and password
- Subscribe to Paid Plans: Billing address, payment card information (processed and stored by our PCI-compliant payment processor, Stripe), and tax identification numbers where required
- Contact Us: Name, email address, and any information you include in your communications
- Participate in Surveys or Promotions: Contact information and survey responses
1.2 Service Data (Customer Data)
When you use DriftRail to monitor your AI systems, you transmit data to our platform for processing. This "Service Data" may include:
- LLM inference events including prompts, completions, and model outputs
- Metadata such as model names, providers, timestamps, latency measurements, and token counts
- Custom metadata and tags you attach to events
- RAG (Retrieval-Augmented Generation) source references
- User identifiers or session IDs you choose to include
Important: You are solely responsible for ensuring that any Service Data you transmit to DriftRail complies with applicable laws and that you have all necessary rights and consents to transmit such data. You should not transmit sensitive personal information, protected health information, or other regulated data unless you have appropriate agreements in place with DriftRail (such as a Business Associate Agreement for HIPAA-covered data).
1.3 Automatically Collected Information
When you access our Services, we automatically collect:
- Device Information: Hardware model, operating system and version, unique device identifiers, browser type and version, and mobile network information
- Log Data: IP address, access times, pages viewed, links clicked, and the page you visited before navigating to our Services
- Usage Data: Features used, actions taken, frequency and duration of activities, and error logs
- Location Data: General geographic location inferred from your IP address
1.4 Cookies and Similar Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to:
- Authenticate users and maintain session state
- Remember your preferences and settings
- Analyze usage patterns and improve our Services
- Measure the effectiveness of our marketing campaigns
You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our Services.
1.5 Information from Third Parties
We may receive information about you from:
- Authentication Providers: If you sign in using a third-party service (e.g., Google, GitHub), we receive your name, email, and profile information as permitted by your settings
- Business Partners: Information from partners who refer you to our Services
- Public Sources: Publicly available information such as company websites and professional networking sites
2. How We Use Your Information
2.1 Providing and Improving Services
- Process and classify inference events you submit
- Generate analytics, dashboards, and reports
- Detect behavioral drift and send alerts
- Provide customer support and respond to inquiries
- Develop new features and improve existing functionality
- Conduct research and analysis to enhance our AI classification models
2.2 Communications
- Send transactional emails (account verification, password resets, billing receipts)
- Provide service-related announcements (maintenance, security alerts, policy changes)
- Send marketing communications (with your consent where required)
2.3 Security and Compliance
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Enforce our Terms of Service and other agreements
- Comply with legal obligations and respond to lawful requests
- Protect the rights, property, and safety of DriftRail, our users, and the public
2.4 Aggregated and De-identified Data
We may create aggregated, anonymized, or de-identified data from information we collect. Such data does not identify you personally and may be used for any lawful purpose, including benchmarking, research, and improving our Services.
3. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our Services pursuant to our agreement with you
- Legitimate Interests: Processing for our legitimate business interests, such as improving our Services, marketing, and fraud prevention, where these interests are not overridden by your rights
- Consent: Where you have given explicit consent to processing for specific purposes
- Legal Obligation: Processing necessary to comply with applicable laws
4. Data Sharing and Disclosure
We do not sell your personal information. We may share information in the following circumstances:
4.1 Service Providers
We engage trusted third-party companies to perform services on our behalf, including:
- Cloud Infrastructure: Hosting and data storage providers
- Payment Processing: Stripe for payment card processing (we do not store full card numbers)
- Analytics: Services that help us understand usage patterns
- Communication: Email delivery and customer support platforms
- AI Processing: Third-party AI services (e.g., Google Gemini) for classification processing
These providers are contractually obligated to use your information only for the purposes of providing services to us and must maintain appropriate security measures.
4.2 Legal Requirements
We may disclose information if required to do so by law or in response to valid legal process, including:
- Court orders, subpoenas, or search warrants
- Requests from law enforcement or government agencies
- Legal proceedings to which we are a party
Where legally permitted, we will attempt to notify you before disclosing your information in response to legal process.
4.3 Protection of Rights
We may disclose information when we believe in good faith that disclosure is necessary to:
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service or other agreements
4.4 Business Transfers
If DriftRail is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of assets, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
4.5 With Your Consent
We may share information with third parties when you explicitly consent to or direct such sharing.
4.6 Affiliates
We may share information with our corporate affiliates and subsidiaries for purposes consistent with this Privacy Policy.
5. Data Security
We implement comprehensive technical and organizational measures to protect your information:
5.1 Technical Safeguards
- Encryption at Rest: All data is encrypted using AES-256 encryption
- Encryption in Transit: All data transmission uses TLS 1.3
- API Key Security: API keys are hashed using bcrypt and never stored in plaintext
- Tenant Isolation: Row-level security (RLS) policies ensure complete data isolation between customers
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel
- Audit Logging: Comprehensive logging of all data access and system activities
- Vulnerability Management: Regular security assessments and penetration testing
5.2 Organizational Safeguards
- Employee background checks and security training
- Confidentiality agreements for all personnel
- Principle of least privilege for system access
- Incident response procedures and breach notification protocols
- Regular security policy reviews and updates
5.3 Limitations
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you transmit information at your own risk.
6. Data Retention
6.1 Service Data Retention
Service Data (inference events and classifications) is retained according to your subscription plan:
- Starter: 7 days
- Growth: 30 days
- Pro: 90 days
- Enterprise: Custom retention up to 7 years
Data is automatically and permanently deleted after the retention period expires. Deleted data cannot be recovered.
6.2 Account Information Retention
We retain account information for as long as your account is active. Upon account termination:
- Service Data is deleted within 30 days
- Account information may be retained for up to 90 days for administrative purposes
- Billing records may be retained for up to 7 years as required by tax and accounting regulations
- Audit logs may be retained for compliance purposes
6.3 Legal Holds
We may retain information beyond normal retention periods when required by law, legal proceedings, or regulatory investigations.
7. International Data Transfers
DriftRail is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries.
7.1 Transfer Mechanisms
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent where appropriate
7.2 Data Residency
Enterprise customers may request specific data residency requirements. Contact us for more information about available options.
8. Your Rights and Choices
8.1 All Users
Regardless of your location, you may:
- Access Your Account: View and update your account information through the dashboard
- Export Your Data: Download your Service Data in JSON, CSV, or PDF format
- Delete Your Account: Request account deletion through the dashboard or by contacting us
- Opt-Out of Marketing: Unsubscribe from marketing emails using the link in each email
- Manage Cookies: Control cookies through your browser settings
8.2 EEA, UK, and Swiss Users
Under the GDPR and similar laws, you have additional rights:
- Right of Access: Request a copy of personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to Restriction: Request that we limit processing of your data in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
8.3 California Residents (CCPA/CPRA)
California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete: Request deletion of personal information we have collected
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: Request that we limit use of sensitive personal information to purposes necessary to provide the Services
To exercise these rights, contact us at support@driftrail.com. We will verify your identity before processing your request.
8.4 Other Jurisdictions
If you are located in a jurisdiction with specific privacy laws (such as Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act), you may have additional rights. Contact us to learn more about your specific rights.
9. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us immediately.
10. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.
11. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no common understanding of how to interpret DNT signals, our Services do not currently respond to DNT signals. You can control tracking through your browser settings and cookie preferences.
12. Data Processing Agreement
For customers who require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we offer a standard DPA. Enterprise customers may negotiate custom data processing terms. Contact us at support@driftrail.com to request a DPA.
13. AI and Automated Processing
Our Services use artificial intelligence and machine learning to classify inference events and detect risks. This automated processing:
- Analyzes the content of prompts and responses you submit
- Generates risk scores and classifications
- Detects patterns and anomalies in your data
You have the right to request human review of automated decisions that significantly affect you. The classifications generated by our AI are provided for informational purposes and should be reviewed by qualified personnel before taking action.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you by email (for account holders) or by posting a prominent notice on our website
- For material changes that affect how we process your data, we will provide at least 30 days' notice before the changes take effect
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@driftrail.com
Subject Line: Privacy Inquiry
We will respond to your inquiry within 30 days, or sooner as required by applicable law.
For EEA/UK users, you may also contact your local data protection authority if you have concerns about our data processing practices.