1. Introduction
This Privacy Policy describes how Drillcade ("we," "us," or "our") collects, uses, and shares information when you use our service at drillcade.com, app.drillcade.com, and any related services (together, the "Service"). By using the Service you agree to the practices described here.
2. Information We Collect
Account information (via Clerk)
- Email address, display name, profile image (if you choose to set one)
- Authentication credentials and session tokens
- Sign-in method (email, password, social provider)
Payment information (via Stripe)
- We do not store your credit card number. Stripe processes all payments and maintains its own privacy policy.
- We retain a Stripe customer ID, your subscription status, billing period, and a record of purchases (for tax and account history).
Usage data
- Course generation history (timestamps, source URLs, generated course metadata).
- Study attempt history — which questions you answered, correctness, time spent. Used to power your progress dashboard and Weak Areas tracking.
- Account preferences (theme, sound settings, etc.).
Submitted content
- URLs, files, and text you submit for course generation are sent to Anthropic's API for processing. Submitted content may also be stored in our database to power the generated course you keep.
- Do not submit confidential, personal, or third-party-confidential material that you do not have the right to share.
Server logs
- HTTP request logs (IP address, request path, response status, timestamp). Retained for ~30 days for debugging and abuse prevention.
- Stripe webhook event IDs for idempotency tracking.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Process payments and manage subscriptions.
- Generate and deliver study content based on your inputs.
- Track your study progress and provide personalized feedback (Weak Areas, etc.).
- Communicate with you about your account, billing, and material service updates.
- Detect, investigate, and prevent abuse, fraud, or violations of our Terms.
- Comply with legal obligations (tax, accounting, lawful requests).
We do not sell your personal information.
4. Third-Party Services
We rely on the following third parties to provide the Service:
- Clerk (clerk.com) — authentication and user management. Their privacy policy applies to data they handle.
- Stripe (stripe.com) — payment processing. PCI-DSS compliant.
- Anthropic (anthropic.com) — AI processing of submitted content for course generation. Submitted source materials are sent to Anthropic in accordance with their data usage policies.
- Hetzner (hetzner.com) — server infrastructure (hosted in Germany).
- Cloudflare (cloudflare.com) — DNS resolution.
We disclose information to these providers only as necessary to operate the Service.
5. Cookies and Similar Technologies
- Authentication cookies set by Clerk to maintain your sign-in session. These are essential — the Service will not work without them.
- Stripe cookies may be set during the checkout flow.
- We do not use third-party advertising or behavioral tracking cookies.
6. Data Retention
- Account information is retained as long as your account is active.
- Study attempt history is retained as long as your account is active to power progress tracking.
- Generated course content is retained until you delete it or your account is closed.
- Payment records are retained as required by tax and accounting laws (typically 7 years).
- Server logs are retained for approximately 30 days.
- Webhook event idempotency records are retained indefinitely (audit trail) but contain no personal content.
Upon account deletion, we delete or anonymize your personal information within 30 days, except where retention is required by law.
7. Data Security
We use industry-standard security measures, including:
- Encrypted connections (HTTPS/TLS) for all data in transit.
- Authentication via short-lived JWT tokens (no long-term password caching client-side).
- Webhook signature verification for all third-party events (Stripe, Clerk).
- Rate limiting and abuse detection on public API endpoints.
- Limited operator access to user data on a need-to-know basis.
No system is 100% secure. While we use reasonable safeguards, we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal data.
- Export your data in a portable format.
- Opt out of non-essential communications (account-essential emails — billing, security, terms updates — cannot be opted out of).
- Object to or restrict certain processing.
To exercise these rights, contact us at hello@drillcade.com. We will respond within 30 days.
9. EU/EEA/UK Residents (GDPR)
Our legal bases for processing your information:
- Contractual necessity — to provide the Service you signed up for.
- Legitimate interests — preventing abuse, improving the Service, securing our infrastructure.
- Consent — for any optional features (currently none).
- Legal obligation — for tax, accounting, and compliance records.
You have additional rights including the right to lodge a complaint with your local data protection authority.
Our infrastructure is hosted in Germany (Hetzner). Some third-party services we rely on (Clerk, Stripe, Anthropic) are based in the United States; data may be transferred there subject to standard contractual clauses or equivalent safeguards adopted by those providers.
10. California Residents (CCPA/CPRA)
We do not sell or share personal information for cross-context behavioral advertising. California residents have specific rights under the California Consumer Privacy Act, including:
- Right to know what personal information we collect and how we use it.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share).
- Right to non-discrimination for exercising these rights.
To exercise these rights, email hello@drillcade.com.
11. Children's Privacy
Drillcade is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
Questions about your data or this Privacy Policy?
- Email: hello@drillcade.com