Privacy Policy

How we handle your data, under the UK GDPR and the Data Protection Act 2018.

Data We Collect

  • Account — Email address, password (hashed), role. Optional: sign-in via Google or GitHub (identifier and email).
  • API keys (LLM providers) — Only if you add them in Settings. Stored encrypted at rest (AES-256-GCM); never written to logs in plain text and never returned by the API.
  • Cycle content — Framing, artifacts (problem statement, spec, summary, budget), run metadata. Required for the service (drift, evidence, export).

Data minimization — We collect only what is necessary to operate DriftLess (account, preferences, run content). API keys are never logged in plain text or exposed.

Your Rights (UK GDPR)

Under UK GDPR and the Data Protection Act 2018 you have the following rights:

  • Right of access — Obtain a copy of the data we hold about you.
  • Right to rectification — Have inaccurate data corrected (e.g. email, preferences).
  • Right to erasure (right to be forgotten) — Request deletion of your data and your account.
  • Right to data portability — Receive your data in a structured format, where technically feasible.
  • Right to object / restrict processing — Object to certain processing or request its restriction, within the limits provided by law.

To exercise these rights, contact us at the address given in the Legal Notice (or via the site's contact form or email). We will respond within one month as required by UK GDPR.

API Key Security

API keys you enter (Anthropic, OpenAI, DeepSeek, Google, Mistral) are encrypted at rest with a server-side key. They are never stored in plain text in logs, nor returned in API responses. We do not proxy your LLM calls: you pay your provider directly. You can remove your keys at any time from Settings.
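The encryption described above, as an added illustration rather than DriftLess's own code: an AES-256-GCM seal/open pair for a provider key, with the owner's user ID and the provider name bound as additional authenticated data so a ciphertext copied to another user or another provider fails to decrypt, plus the masked form that is the only representation fit for a log line or an API response. The function names, the storage layout (base64 of nonce, ciphertext and tag) and the in-memory server key are assumptions made for the example; in a real deployment the key would come from a secret store or KMS, never from the database holding the ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// serverKey stands in for the server-side key. Assumption for this example: it is
// generated at start-up so the file runs stand-alone, which also means ciphertexts
// do not survive a restart. A deployment loads it from a secret store or KMS.
var serverKey = mustRandom(32) // 32 bytes selects AES-256

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its owner and provider. A ciphertext moved into
// another user's row, or another provider's column, fails authentication.
func aad(userID, provider string) []byte {
	return []byte(userID + "\x00" + provider)
}

// SealAPIKey encrypts one provider key for one user with AES-256-GCM and returns
// the storage form: base64(nonce || ciphertext || tag).
func SealAPIKey(userID, provider, apiKey string) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	// Fresh random 96-bit nonce per encryption; reusing a nonce under the same
	// key breaks GCM's confidentiality and its authentication.
	nonce := mustRandom(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, []byte(apiKey), aad(userID, provider))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// OpenAPIKey decrypts a stored key. The plaintext goes only to the server-side
// code that makes the provider call; it must never reach a log line or an API
// response (use MaskAPIKey there).
func OpenAPIKey(userID, provider, stored string) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(userID, provider))
	if err != nil {
		// One generic error for wrong key, wrong owner/provider, or tampering.
		return "", errors.New("api key decryption failed")
	}
	return string(pt), nil
}

// MaskAPIKey is the only form of a key that should appear in logs or responses:
// a short prefix (enough to recognise the provider) and the last four characters.
func MaskAPIKey(apiKey string) string {
	if len(apiKey) <= 8 {
		return "****"
	}
	return apiKey[:3] + "..." + apiKey[len(apiKey)-4:]
}

func main() {
	// Constructed sample key; not a real credential.
	stored, err := SealAPIKey("user-42", "openai", "sk-example-not-a-real-key-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	key, err := OpenAPIKey("user-42", "openai", stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("in use:", MaskAPIKey(key))
	if _, err := OpenAPIKey("user-7", "openai", stored); err != nil {
		fmt.Println("other user:", err)
	}
}
```

The generic "decryption failed" error is deliberate: distinguishing a wrong owner from a corrupted record in the response would tell a caller more about the stored data than it should learn.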

Retention

Account and run data are kept while your account is active. If you request account deletion (right to erasure), we delete your account record, stored API keys, and GitHub connection data within a reasonable technical timeframe. Run and artifact data are project-scoped; we do not retain your personal data after deletion, except where we are legally required to retain it.

Cookies

We use essential cookies for session management and authentication only. We do not use third-party advertising or tracking cookies. You can block or clear cookies in your browser settings, but blocking the essential cookies will prevent you from signing in.

Complaints

If you are in the UK, you may lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk. If you are in another country, you may contact your local data protection supervisory authority.