
Privacy Policy

Last updated: May 2026

Overview

Drel is an AI-native security assessment platform. We take privacy seriously — we collect only what we need to operate the service, we don't sell your data, and we give you control over what you share with us.

This policy explains what data we collect, why we collect it, how we use it, and your rights as a user. If you have questions, reach out at hello@drel.ai.

Data we collect

Account data. When you sign up, we collect your email address and, optionally, your name and company. This is used to authenticate you and communicate with you about your account.

Assessment inputs. When you generate an AI Security Assessment Pack, we process the system description and questionnaire answers you provide. This content is used solely to generate your assessment pack and improve our AI models (see AI training below).

Usage data. We collect standard analytics — pages visited, features used, session duration, and error logs. This helps us understand how the product is used and where to improve it.

Payment data. Billing is handled by Stripe. We store only a reference to your Stripe customer ID — we never see or store your full card number.

Support communications. If you contact us by email, we retain those messages to resolve your issue and improve our support.

AI training & your content

We may use anonymized assessment inputs to improve our AI models. Before any content is used for training, it is stripped of identifying information — company names, system names, and any other details that could identify you or your organization.

You can opt out of AI training at any time from your account settings. Opting out does not affect your ability to use the service.

We do not share your raw assessment content with third parties for any purpose.

How we use your data

We use the data we collect to:

• Provide and operate the Drel service
• Authenticate your account and protect against unauthorized access
• Generate AI Security Assessment Packs based on your inputs
• Send transactional emails (account confirmation, billing receipts, password reset)
• Send product updates and announcements (you can unsubscribe at any time)
• Improve the product through usage analytics
• Respond to support requests
• Comply with legal obligations

Data sharing

We do not sell your personal data. We share data only with the following categories of service providers, under strict data processing agreements:

Infrastructure. We use AWS and Vercel to host the application and store data. Data is stored in the EU (eu-west-1) by default.

Payments. Stripe processes all billing. Their privacy policy applies to payment data.

Analytics. We use privacy-focused analytics tools that do not track individuals across sites.

AI providers. Assessment generation uses large language model APIs. Inputs are sent to these providers under data processing agreements that prohibit training on your data.

We may disclose data if required by law, court order, or to protect the rights and safety of Drel and its users.

Data retention

We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (typically up to 7 years for billing records).

Assessment packs are retained for the duration of your subscription. On the free tier, assessment packs are retained for 90 days. You can export or delete your assessments at any time from the dashboard.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

• Access. Request a copy of the personal data we hold about you.
• Correction. Ask us to correct inaccurate or incomplete data.
• Deletion. Request deletion of your personal data ("right to be forgotten").
• Portability. Receive your data in a structured, machine-readable format.
• Objection. Object to processing based on legitimate interests.
• Restriction. Ask us to restrict processing in certain circumstances.

To exercise any of these rights, email hello@drel.ai. We will respond within 30 days.

Cookies

We use a minimal set of cookies:

Essential cookies are required for the service to function — session authentication and CSRF protection. These cannot be disabled.

Analytics cookies help us understand how the product is used. These are optional and can be declined via our cookie banner.

We do not use advertising or tracking cookies. We do not participate in cross-site tracking networks.

Security

We apply industry-standard security practices to protect your data:

• All data in transit is encrypted with TLS 1.2+
• Data at rest is encrypted using AES-256
• Access to production systems is restricted to authorized personnel with MFA
• We conduct regular security assessments of our own infrastructure (we use Drel for this)
• Vulnerability disclosures can be sent to security@drel.ai

No system is perfectly secure. If you believe you have found a security issue, please report it responsibly before public disclosure.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

Questions about this policy?

Reach out to our privacy team and we'll respond within 2 business days.

hello@drel.ai