Effective Date: June 11, 2026

Privacy Policy

This Privacy Policy explains how Cognio AI Tech Pvt Ltd and Algohype Analytics LLP (together, the data controller for DruidX) collect, use, disclose, and protect your information when you use the DruidX website, applications, and services.

1. Information We Collect

  • Account and authentication data: name, email address, password hash, and — if you sign in with Google or GitHub — OAuth tokens and the basic profile information those providers share.
  • Conversations and uploaded documents: the prompts, messages, files, and images you submit to chats and agents.
  • Custom agent and GPT configurations: instructions, settings, and connected tools you define when building agents.
  • Knowledge-base documents and vector embeddings: documents you add to knowledge bases and the embedding vectors we derive from them to enable retrieval.
  • Voice agent data: voice agent configuration and the audio processed by our speech providers when you use voice features.
  • Payment and billing data: billing address, payment method details, and transaction history (processed by our payment provider; we never store full card numbers).
  • Support requests: messages, attachments, and contact details you send to our support channels.
  • Usage analytics: page views and product interaction data, collected only with your consent.
  • Security logs: IP address, browser and device information, and request metadata used to protect the platform.

2. Purposes and Lawful Bases

We process personal data only where a lawful basis under the GDPR applies:

PurposeLawful basis
Creating and operating your account, providing chat, agents, and platform features, and processing billingPerformance of a contract (Art. 6(1)(b) GDPR)
Securing the platform, preventing fraud and abuse, and applying rate limiting and bot protectionLegitimate interest (Art. 6(1)(f) GDPR)
Analytics cookies and product analytics, and marketing communicationsConsent (Art. 6(1)(a) GDPR)
Retaining invoices and tax recordsLegal obligation (Art. 6(1)(c) GDPR)

3. Subprocessors and Data Sharing

We do not sell your personal data. To operate DruidX we rely on the following categories of subprocessors, each bound by a data processing agreement:

  • AI model providers: OpenAI, OpenRouter, Google, Groq — process your prompts, conversations, and document content to generate responses. Under the providers' API terms, data submitted via their APIs is not used to train their models. (Primarily US-based processing.)
  • Web search providers: Tavily, Firecrawl, Exa — receive your search queries only when web search is enabled for a conversation or agent. (US-based.)
  • Infrastructure: Supabase — PostgreSQL database and file storage; Qdrant — vector database for knowledge-base embeddings; Cloudflare R2 — storage for generated artifacts; Vercel — website and application hosting. (US/EU data centers depending on service.)
  • Payments: Dodo Payments — merchant of record; processes billing details, payment methods, and invoices. (US-based.)
  • Email: Resend - delivery of transactional email such as verification and account notices. (US-based.)
  • Voice: LiveKit, Deepgram, Cartesia, ElevenLabs — process audio streams and speech only when you use voice agents. (US-based.)
  • Error monitoring: Sentry — application error reports with PII collection disabled, using EU data ingestion.
  • Analytics (with consent only): Microsoft Clarity, Datafast, PostHog (EU-hosted) — load only after you consent to analytics cookies.
  • Security: Arcjet — rate limiting and bot protection on requests to our services. (US-based.)

We may also disclose information to legal or regulatory authorities when required by law.

4. International Transfers

Some of the providers above process data outside the European Economic Area (EEA), primarily in the United States. Where data leaves the EEA, transfers rely on Standard Contractual Clauses or applicable adequacy decisions as set out in each processor's data processing agreement.

5. Data Retention

We retain personal data only as long as necessary for the purposes described above:

Data categoryRetention period
Authentication sessionsLifetime of the session
Backend processing sessions (e.g., sandboxed agent runs)Maximum 7 days
Transient chat document embeddings24 hours
Conversations and messagesUntil you delete them or delete your account
Knowledge-base documents and embeddingsUntil you delete them
Billing records and invoicesStatutory tax retention periods
Support tickets24 months
Security logs90 days
Analytics data (consent-based)13 months maximum

6. Your Rights (Articles 15–21 GDPR)

You have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Receive your data in a portable format and export it (Art. 20).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your data, including by deleting your account (Art. 17).
  • Restrict processing in certain situations (Art. 18).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time where processing is based on consent, without affecting prior processing.

You can exercise most rights yourself: export your data and delete your account from Settings → Privacy, or email us at [email protected]. We respond to requests within one month. You also have the right to lodge a complaint with your local supervisory authority.

7. Cookies

For details on the cookies we set, how analytics cookies load only after consent, and how to manage your preferences, see our Cookie Policy.

8. Children

DruidX is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

9. Security

We use industry-standard administrative, technical, and organizational safeguards to protect your data, including encryption in transit, access controls, and security logging.

Contact Information

DruidX Legal & Compliance

Email: [email protected]

Operated by: Cognio AI Tech Pvt Ltd

Payments processed by: Algohype Analytics LLP

These policies are provided for general informational purposes and should be reviewed by legal counsel before final publication.