DriftcheckRun a free audit

Privacy

Last updated 2026-05-02.

What we collect

  • Your email. Required to deliver your audit PDF and authenticate you to the dashboard.
  • A Stripe restricted key (read-only). We probe its scopes on submit and reject anything with write access. The key is encrypted at rest with libsodium sealed_box and only the audit worker can decrypt it.
  • Your application-DB CSV (optional). Encrypted before it touches storage. Hard-deleted after 30 days.
  • Stripe metadata read during the audit — webhook endpoints, events, subscriptions, invoices, customers, prices — for the last 90 days. We never read or store card data.

What we don’t do

  • We don’t sell or share your data with third parties.
  • We don’t use your data to train models or build aggregate datasets.
  • We don’t store full card numbers, CVCs, or PINs.
  • We don’t make any write calls to Stripe with your key. Our key validation enforces this on submit.

Retention

  • Stripe restricted keys: until you delete the workspace.
  • CSV blobs: 30 days, then hard-deleted.
  • Audit findings: 90 days on the free tier, 365 days on the paid monitor tier.
  • PDFs: kept indefinitely so you can re-download them.
  • Deleted workspaces are soft-deleted and hard-purged within 7 days.

Revoking access

You can revoke our access at any time from the Stripe dashboard: roll the restricted key. Audits in flight will fail; future audits will require a fresh key. To delete your workspace and queue the 7-day hard purge, email privacy@driftcheck.io.

Contact

Questions about this policy or about how we handle your data: privacy@driftcheck.io.