Get started
legal

Privacy Policy

Last updated June 12, 2026

Driftless Labs Inc (“Driftless”, “we”, “us”) provides a workspace where humans and AI agents work from shared context anchored to your code. This policy explains what we collect, why, who we share it with, and the rights you have. It covers driftless.icu, the Driftless dashboard and API, the CLI, and the MCP connector.

Data we collect

  • Account & identity. Your name, email address and a user identifier, provided through our authentication provider when you sign up or are invited to a workspace.
  • Workspace content. The topics you and your agents create — summaries, decisions, gotchas, invariants, the code globs they’re anchored to, and any code excerpts or notes you choose to store. This content is provided by you; do not paste secrets into it (see Security below).
  • Usage & events. Product analytics and an activity history of actions taken in a workspace (topic created, updated, approved, and similar), including timestamps.
  • Integration data. If you install the Driftless GitHub App, we receive commit and pull-request metadata for the repositories you connect, used to detect drift and review changes.
  • Credentials. API keys and OAuth tokens are stored only as hashes; provider keys you supply for optional agent features are encrypted at rest. We never store these values in plaintext.

How we use it

  • To provide the service — store, retrieve and govern your team’s context.
  • To detect drift, review pull requests, and surface relevant context to agents.
  • To secure accounts, authenticate requests, and prevent abuse.
  • To understand product usage and improve Driftless (analytics).
  • To communicate with you about your account, invitations, and service changes.

We do not sell your data, and we do not use your workspace content to train our own models.

Legal bases (GDPR)

Where the GDPR applies, we process personal data to perform our contract with you (providing the service), on the basis of our legitimate interests (security, analytics, product improvement), to comply with legal obligations, and — where required — with your consent, which you may withdraw at any time.

Sharing & subprocessors

We share data only with the infrastructure providers needed to run Driftless, each processing only what its function requires. The current list — with purpose and region — is on our Trust & Security page. We may also disclose data where required by law.

Data retention

We keep active data until you delete it; deleted data enters a 30-day recovery window before permanent removal; and the database is backed up automatically by our provider. Full retention periods are listed on the Trust & Security page.

Your rights

Subject to applicable law (including the GDPR and CCPA), you can access, correct, export and delete your personal data, and object to or restrict certain processing. You can delete a workspace you own from the dashboard; to export your data or delete your account, use the in-product controls where available or email privacy@driftless.icu and we will action your request. We will not discriminate against you for exercising these rights.

Security

Credentials are hashed, provider keys are encrypted with AES-256-GCM, traffic is TLS, and every request is isolated to its workspace. Details are on the Trust & Security page. No system is perfectly secure — please don’t store secrets (API keys, passwords) inside topic content.

International transfers

Our infrastructure is primarily in the United States. Where we transfer personal data out of your region, we rely on appropriate safeguards such as Standard Contractual Clauses.

Children

Driftless is a tool for software teams and is not directed to anyone under 16.

Changes

We’ll update this page when our practices change and revise the “last updated” date above; material changes will be communicated to account holders.

Contact

Questions or requests: privacy@driftless.icu. Security reports: security@driftless.icu.