Privacy Policy
Last updated: 2026-05-14 · Version: 1.0.0
This Privacy Policy explains how Drillr Inc. ("Drillr," "we") collects, uses, shares, and protects your personal information. It applies to the drillr.ai website, API, MCP server, CLI tools, and related services (collectively, the "Service").
1. Information We Collect
(a) Information you provide
- Account: email, password hash, name (if provided), organization (if provided)
- Commercial: billing address, tax info, payment method (processed by third-party processors)
- Support communications you send to support@drillr.ai or legal@drillr.ai
(b) Information collected automatically
- Usage data: queries you submit, API endpoints called, call frequency, summaries of returned outputs, error logs
- Technical: IP address, User-Agent, device type, browser, OS, timezone
- Cookies and similar technologies: for session persistence, authentication, and product analytics (see Section 7)
(c) Third-party sources
- SSO providers (e.g., Google) — basic profile when you sign in
- Payment processors — payment status
We do not actively collect special categories of personal data (health, religion, biometrics, etc.).
2. How We Use Information
- Provide and maintain the Service: account management, authentication, quota enforcement, billing, customer support
- Improve the Service: usage analytics, debugging, product research, model quality evaluation (see Section 3)
- Security: abuse monitoring, fraud prevention, account moderation, vendor compliance audits
- Compliance: legal obligations, response to valid government or judicial requests
- Communications: service notices, security alerts, important product updates (you may opt out of marketing emails at any time)
3. Do We Use Your Data to Train AI Models?
By default, no. Drillr does not use your queries, AI outputs, or personal data to train Drillr's proprietary AI models by default.
Exceptions:
- If you explicitly opt in to feedback mechanisms (e.g., thumbs up/down, error sample submission), such content may be used to improve model quality
- Third-party model providers (Anthropic, OpenAI, etc.) have their own data handling policies; Drillr's contracts with these providers require them not to train on Drillr traffic by default. Refer to the relevant provider's policy for specifics
4. How We Share Information
We do not sell your personal information (as "sale" or "share" is defined under CCPA).
We share only in the following cases:
- Service providers: hosting (AWS, Vercel, Cloudflare), payment processing (Stripe, etc.), email service, customer support tools, product analytics — all under data processing agreements
- AI model providers: third-party model providers (e.g., Anthropic, OpenAI) as necessary to process your queries
- Upstream data vendors: minimum necessary usage records when required by vendor agreements for audit
- Legal requirements: valid subpoenas, court orders, government requests; we will notify you where legally permitted
- Business transfers: in connection with merger, acquisition, or asset sale, subject to equivalent privacy commitments
- Your consent: any sharing beyond the above requires your explicit consent
5. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access and export: receive a copy of personal information we hold about you
- Correct: correct inaccurate information
- Delete: request deletion of your account and data, subject to legal obligations
- Restrict processing: in certain cases
- Object: object to processing based on legitimate interests
- Data portability: receive your data in a machine-readable format
- Withdraw consent: at any time (does not affect prior lawful processing)
California residents (CCPA / CPRA) additionally have:
- Right to know (specific categories collected)
- Right to non-discrimination
- Right to opt out of "sale/share" (Drillr does not sell/share — you are opted out by default)
- Right to limit use of sensitive personal information
To exercise these rights, contact privacy@drillr.ai. We will respond within 30 days (45 days under CCPA).
6. Data Storage and International Transfers
- Data is primarily stored in the United States (AWS / Vercel U.S. regions)
- If you are located in the European Economic Area, the U.K., or Switzerland, your data will be transferred to the U.S. in reliance on Standard Contractual Clauses (SCCs) and equivalent safeguards
- Third-party providers' storage locations are governed by their own compliance frameworks
7. Cookies and Similar Technologies
We use the following cookie categories:
- Essential cookies: session persistence, authentication, security (cannot be disabled without breaking the Service)
- Preference cookies: language, UI theme, timezone
- Analytics cookies: product usage analytics (e.g., PostHog, Mixpanel, or similar) — you may decline via the cookie banner
- Marketing cookies: currently not used
You may manage cookies through your browser settings or our cookie preference center.
8. Data Retention
- Account data: for the life of your account, plus a 30-day grace period after deletion
- Usage logs (for security and billing): 12 months (institutional customers may negotiate longer audit log retention via MSA)
- Billing and tax records: minimum period required by law (typically 7 years)
- Backups: rolling daily backups, up to 90 days
9. Children
The Service is not directed to children under 16. We do not knowingly collect data from children.
10. Security
We employ reasonable technical and organizational measures (in-transit encryption, at-rest encryption, least-privilege access, security audits) to protect data. However, no method is 100% secure — in the event of a data incident, we will notify you and relevant regulators as required by law.
11. Changes
This Policy may be updated. Material changes will be communicated via in-product notice or email; minor changes will be reflected by updating the "Last updated" date on this page.
12. Contact
- Privacy requests: privacy@drillr.ai
- Mailing address: Drillr Inc., 1111B S Governors Ave STE 40831, Dover, DE 19904, USA
EU / UK representative: Drillr does not actively offer goods or services to data subjects in the European Union or the United Kingdom and has therefore not appointed an EU or UK representative under GDPR Article 27 / UK GDPR Article 27. If Drillr begins offering services to such data subjects, Drillr will appoint a representative and update this Policy accordingly.