Privacy Policy

Last updated: June 2026

Template — not legal advice. This is an engineering starter you must have reviewed by counsel and tailored to your entity, jurisdiction(s), and actual data practices before publishing.

1. Who we are

NullDrift ("we", "us") provides agentic-AI automation engineering for small businesses: a privacy-first audit agent that measures where repetitive work costs you hours, and custom automation systems built from that measurement. This policy explains what we collect when you visit our site, request an audit, or run the audit agent, and how we use it.

2. Information we collect

Information you give us — name, work email, business name, industry, and anything you include when you request an automation audit.
Usage data — basic, privacy-preserving analytics about how the site is used (pages viewed, referring source). We do not use intrusive cross-site tracking.
Client operational data — for customers, we process operational data through your existing tools' official APIs solely to deliver the service. We are a processor of that data on your behalf.
Audit-agent telemetry — see section 2a; activity metadata and (by default) the real window/tab names, kept on the device; never content or credentials.

2a. The audit agent's data posture

During an engagement, the NullDrift audit agent runs on consenting team members' machines to find automatable workflows. Its data posture is enforced in code by a single privacy gate every event must pass (see the audit-agent page for the full manifest):

Collects (default "detailed" mode — kept on the device): application name, the real window/tab title, and activity category; active duration and idle time; process name and start/stop (never command-line arguments); file action, name, type, size bucket, and location category (never the full path); and in-browser SaaS category with the real tab title. Real titles make the resulting report decision-grade.
Strict "metadata-only" mode (opt-out): a single configuration flag drops every title and filename, keeping only categories and buckets — for clients who prefer the stricter posture.
Never collects (either mode): keystrokes, screenshots, clipboard, file or message content, passwords/secrets/tokens, full URLs (query strings) or hostnames, full file paths, command-line arguments, or personal identity — individuals appear only as pseudonymous IDs.
Egress is gated: telemetry stays on the device and is aggregated locally; a report leaves the machine only after a human approves that step.
Local-first storage: raw event timelines never leave the device; the agent aggregates on-device and shares only the summary report through a single gated upload path. Cloud upload, where used, is per-client, encrypted in transit and at rest, TLS-only, auto-expiring (30-day default retention), and revocable per device.
Controls: opt-in with a visible manifest at install, configurable retention, deletion on request, one-command uninstall.
Purpose limitation: the agent exists to rank workflows for automation. It is not, and is never used as, an employee-monitoring, productivity-scoring, or insider-threat tool, and its output must not be used to evaluate individuals.

3. How we use it

To respond to your cost-audit request and communicate about the service you asked about.
To deliver, maintain, and improve the service for customers.
To meet legal and security obligations.

We do not sell your personal information. We email you only about what you requested, and every email includes a one-click unsubscribe that we honor promptly.

4. Legal bases & your rights

Depending on your jurisdiction (e.g. GDPR/UK GDPR, CCPA/CPRA, CASL), you may have rights to access, correct, delete, or port your data, and to object to or restrict processing. To exercise them, email admin@nulldrift.tech. For EU/UK and Canadian recipients we rely on consent or legitimate interest as applicable, documented per recipient.

5. Sharing & subprocessors

We share data only with subprocessors that help us run the service (e.g. hosting, email delivery, the official APIs of your own tools). We require appropriate safeguards and do not authorize them to use your data for their own purposes.

6. Retention & security

We keep personal data only as long as needed for the purposes above or as required by law, then delete or anonymize it. We use scoped, least-privilege credentials, encryption in transit, and access controls; secrets are never stored in client-side code.

7. Contact

Questions or requests: admin@nulldrift.tech. We will respond within the timeframe your jurisdiction requires.