Privacy Policy

Effective date: 11 March 2026

This Privacy Policy explains how Permission Email Ltd (Company No. 13560555), trading as DriftWatch ("we", "us", "our"), collects, uses, and protects your personal data when you use the DriftWatch platform ("Service").

Permission Email Ltd (trading as DriftWatch) is the data controller. We are registered at Unit 3, Millars Brook, Wokingham, RG41 2AD, United Kingdom.

1. Data we collect

Account data

When you register we collect your name, email address, and password (hashed). If you join or create a team we store your team membership and role.

Billing data

If you subscribe to a paid plan we collect payment information via Stripe. We do not store full card numbers on our servers. Stripe acts as a data processor and handles payment data in accordance with PCI DSS standards.

Domain and DNS data

When you add a domain we query public DNS records and store snapshots of those records. DNS data is publicly available information. We store record values, TTLs, and computed diffs to provide the monitoring service.

Alert configuration data

We store the alert channels you configure (email addresses, Slack webhook URLs, custom webhook endpoints, Pushover user keys). Webhook URLs and API keys are encrypted at rest.

Usage data

We collect basic usage data including login timestamps, pages visited, API requests made, and feature usage. This helps us improve the Service and enforce plan limits.

Technical data

We automatically collect IP addresses, browser type, operating system, and device information through server logs. We use cookies for session management and authentication.

2. How we use your data

We use your data to:

  • Provide and maintain the Service, including DNS monitoring, change detection, and alerting.
  • Process payments and manage your subscription.
  • Send transactional emails (alerts, account notifications, billing receipts).
  • Send product updates and feature announcements (you can opt out at any time).
  • Enforce plan limits and rate limits.
  • Detect and prevent abuse, fraud, and security incidents.
  • Improve the Service based on aggregate usage patterns.

3. Legal basis for processing (GDPR)

We process your data under the following legal bases:

  • Contract - processing necessary to provide the Service you signed up for (account data, domain data, alerts).
  • Legitimate interest - usage analytics, security monitoring, and service improvement.
  • Consent - marketing communications (you can withdraw consent at any time).
  • Legal obligation - financial records retention for tax and accounting purposes.

4. Data sharing

We do not sell your personal data. We share data only with:

  • Stripe - payment processing.
  • Email delivery providers - to send transactional and alert emails.
  • Infrastructure providers - cloud hosting and database services necessary to run the Service.

All third-party processors are bound by data processing agreements and process data only on our instructions.

When you configure webhook or Slack integrations, DNS change data is sent to the endpoints you specify. You are responsible for the privacy practices of those endpoints.

5. Data retention

  • Account data - retained while your account is active and for 30 days after deletion.
  • DNS snapshots - retained according to your plan (30 days on Free, 1 year on Pro, unlimited on Enterprise). After downgrade or cancellation, data exceeding your plan's retention is deleted within 30 days.
  • Alert logs - retained for 90 days.
  • Billing records - retained for 7 years as required by UK tax law.
  • Server logs - retained for 30 days.

6. Data security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Encrypted storage of sensitive configuration (webhook URLs, API keys).
  • Hashed passwords using bcrypt.
  • Role-based access control within teams.
  • Regular security reviews of our codebase.

7. Your rights (GDPR)

If you are in the UK or European Economic Area, you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - ask us to delete your data (subject to legal retention requirements).
  • Restriction - ask us to restrict processing in certain circumstances.
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interest.
  • Withdraw consent - withdraw consent for marketing communications at any time.

To exercise any of these rights, contact us at hello@driftwatch.app. We will respond within 30 days.

8. Cookies

We use the following cookies:

  • Session cookie - essential for authentication and maintaining your logged-in state. Expires when you close your browser or after the session timeout.
  • CSRF token - essential for security. Prevents cross-site request forgery attacks.
  • Remember me - optional, set when you choose "Remember me" at login. Expires after 30 days.

We do not use third-party tracking cookies or advertising cookies.

9. International transfers

Your data is processed and stored in the United Kingdom and/or European Economic Area. If we transfer data outside these regions, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses).

10. Children

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before the changes take effect.

12. Contact and complaints

If you have questions about this Privacy Policy or want to exercise your rights, contact us at:

Permission Email Ltd
Unit 3, Millars Brook, Wokingham, RG41 2AD, United Kingdom
Email: hello@driftwatch.app

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.