Privacy Policy

Effective Date: January 1, 2026 | Last Updated: January 1, 2026

DrillsForge, Inc. ("DrillsForge," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the DrillsForge platform ("Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide

Category	Examples
Account Information	Name, corporate email address, password (hashed), job title, department
Organization Information	Company name, department name, workspace slug, admin email
Payment Information	Card last four digits, card brand, billing contact (full card numbers are never stored on our servers)
Exercise Content	Scenarios, inject responses, tasks, facilitator notes, After Action Reports
SSO Data	OAuth2 profile information from Azure AD or Google (name, email, provider ID)

1.2 Information Collected Automatically

Category	Examples
Usage Data	Pages visited, features used, session duration, actions performed within exercises
Device & Connection	IP address, browser type, operating system, user agent string
Audit Logs	Login/logout events, session lifecycle actions, administrative changes (recorded for security purposes)

1.3 Information We Do Not Collect

We do not store full credit card numbers, CVVs, or complete payment credentials
We do not use third-party tracking cookies or advertising pixels
We do not collect biometric data
We do not monitor or record screen content or keystrokes outside the Service

2. How We Use Your Information

We use the information we collect to:

Provide the Service — Operate your Workspace, run exercises, generate reports, and deliver AI-assisted features
Authenticate Users — Verify identity via local credentials or SSO, enforce role-based access control
Process Payments — Manage subscriptions and billing
Ensure Security — Detect unauthorized access, enforce rate limiting, log security events, prevent fraud
Send Transactional Communications — Email verification codes, welcome emails, subscription notices, and critical service updates
Improve the Service — Analyze aggregate usage patterns to enhance features, performance, and reliability
Comply with Legal Obligations — Respond to lawful requests and enforce our Terms of Service

3. AI Processing

DrillsForge uses a locally-hosted large language model (LLM) to power AI features including inject generation, reactive inject proposals, and After Action Report narratives.

On-premises processing: AI inference runs within the same infrastructure as the Service. Exercise content sent to the AI model does not leave the deployment environment.
No external AI services: We do not send your data to third-party AI providers (e.g., OpenAI, Google, Anthropic).
No model training: Your exercise data is not used to train or fine-tune AI models.
Content review: AI-generated content is provided for simulation purposes only and should be reviewed by qualified personnel.

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

Within Your Organization: Users within the same Workspace can see data appropriate to their role (e.g., facilitators see all session data; players see only their assigned injects and tasks).
Service Providers: We may use trusted third-party services for payment processing, email delivery, and infrastructure hosting. These providers are contractually bound to protect your data and use it only for the services they provide to us.
Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify affected Customers before any such transfer.

5. Data Isolation & Multi-Tenancy

DrillsForge is a multi-tenant platform. Each Customer Workspace is logically isolated:

All database queries are scoped by organization ID
Users in one Workspace cannot access data from another Workspace
SSO configurations, scenarios, sessions, and user accounts are Workspace-specific
Platform administrators can view Workspace metadata (name, slug, user count) for operational purposes but do not access exercise content

6. Data Retention

Data Type	Retention Period
Active Workspace data	Retained while subscription is active
Data after subscription cancellation	Retained for 90 days, then permanently deleted
Audit logs	Retained for 1 year
Login attempt records	Retained for 90 days
Email verification codes	Expire after 15 minutes; records purged after 30 days
Signup request records	Retained for 1 year

7. Data Security

We implement industry-standard security measures to protect your data:

Encryption: Passwords are hashed using bcrypt. Data in transit is protected via TLS/HTTPS.
Access Controls: Role-based access control (RBAC) with four permission levels. CSRF protection on all state-changing requests.
Authentication Security: Login rate limiting, session ID regeneration on login, secure/HttpOnly/SameSite cookie flags.
Audit Trail: Comprehensive logging of authentication events, session lifecycle actions, and administrative changes.
Infrastructure: Security headers (X-Content-Type-Options, X-Frame-Options, strict Referrer-Policy). Sensitive file types blocked at the web server level.

8. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate personal data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Export: Request an export of your exercise data in a machine-readable format.
Objection: Object to processing of your data for certain purposes.
Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@drillsforge.com. We will respond within 30 days.

8.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

8.2 European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is processed under lawful bases including contract performance, legitimate interest, and consent. You have the right to lodge a complaint with your local data protection authority.

9. Cookies & Session Management

DrillsForge uses session cookies to maintain your authenticated state. These cookies are:

Essential only: We do not use marketing, analytics, or tracking cookies.
HttpOnly: Not accessible via JavaScript, reducing XSS risk.
SameSite=Lax: Prevents cross-site request forgery while allowing SSO redirect flows.
Secure flag: Automatically enabled when served over HTTPS.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

11. International Data Transfers

If you access the Service from outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to such transfers. We take appropriate safeguards to ensure your data receives adequate protection in accordance with applicable data protection laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to Workspace administrators or through a notice within the Service at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Privacy inquiries: privacy@drillsforge.com
General support: support@drillsforge.com