Privacy Policy

Last Updated: October 2025

This Privacy Policy describes how EthosSignal, Inc. ("we," "us," or "our") collects, uses, and protects your information when you use the Drift Quotient service ("Service"). We are committed to protecting your privacy and handling your data in an open and transparent manner.

1. Information We Collect

1.1 Information You Provide

When you create an account and use our Service, we collect:

• Account Information: Email address and password (encrypted and securely stored)
• Organization Data: Company names, websites, and URLs you provide for analysis
• User-Suggested URLs: Additional website resources you provide to enhance analysis accuracy
• Analysis Reports: Generated reports and summaries created by our AI analysis system

1.2 Automatically Collected Information

When you use our Service, we automatically collect:

• Usage Data: User ID, session data, and interaction patterns within the application
• Session Recordings: Visual recordings of your interactions with our Service (with password fields automatically masked)
• Error Tracking: Technical data about errors and exceptions, including stack traces and user context
• AI Analysis Metadata: Model names, token usage, costs, latency, and full input/output of AI-generated analyses
• Device Information: Browser type, operating system, and device characteristics

2. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve the Drift Quotient analysis service
• Authentication: To verify your identity and secure your account
• AI Analysis: To generate organizational drift analysis reports using artificial intelligence
• Product Improvement: To understand how users interact with our Service and identify areas for enhancement
• Error Resolution: To diagnose technical issues and improve system reliability
• Customer Support: To respond to your inquiries and provide technical assistance
• Security: To detect, prevent, and address fraud, abuse, and security vulnerabilities

3. Third-Party Services

We use the following third-party service providers to operate our Service. Each provider may collect and process your data according to their own privacy policies:

3.1 Supabase

We use Supabase for authentication and database services. Supabase processes your email address, encrypted password, and all data stored in our database. Learn more at Supabase Privacy Policy.

3.2 OpenAI

We use OpenAI's language models to generate organizational drift analyses. OpenAI processes company names, websites, URLs, and web search results to produce analysis reports. Learn more at OpenAI Privacy Policy.

3.3 PostHog

We use PostHog for product analytics, session replay, error tracking, and AI observability. PostHog collects:

• User IDs (but not email addresses or other personally identifiable information)
• Session recordings with automatic password field masking
• Error events with stack traces and user context
• AI analysis metadata including full prompts and responses
• Custom event properties such as analysis type and company names

Learn more at PostHog Privacy Policy.

3.4 Vercel

We use Vercel for application hosting and deployment. Vercel may collect connection logs, IP addresses, and other technical data necessary for service operation. Learn more at Vercel Privacy Policy.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Authentication Cookies: Maintain your logged-in session securely
• Analytics Cookies: Track usage patterns and improve our Service through PostHog
• Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings, but disabling certain cookies may limit your ability to use some features of our Service.

5. Data Storage and Security

We implement appropriate technical and organizational measures to protect your data:

• Passwords are hashed using industry-standard encryption before storage
• All data transmission is encrypted using HTTPS/TLS
• Database access is restricted and authenticated
• Session recordings automatically mask password fields
• Regular security assessments and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide you services. You may request deletion of your account and associated data at any time by contacting us. Upon deletion request:

• Your account and personal information will be permanently deleted from our databases
• Analysis reports and organization data will be anonymized or deleted
• Some data may be retained in backup systems for up to 90 days
• Aggregated, anonymized analytics data may be retained indefinitely

7. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your account and associated data
• Portability: Request a copy of your data in a structured, machine-readable format
• Objection: Object to certain processing activities
• Withdraw Consent: Withdraw consent for data processing where consent was the legal basis

To exercise these rights, please contact us using the information provided below.

8. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

9. Data Storage and International Transfers

All data collected through our Service is hosted in the United States. Our third-party service providers—Supabase (authentication and database), OpenAI (AI analysis), PostHog (analytics), and Vercel (hosting)—all store and process data within the United States.

If you access our Service from outside the United States, your information will be transferred to and processed in the United States. By using our Service, you consent to the transfer of your information to the United States. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

10. Advertising

We do not currently serve third-party behavioral ads and do not share data with advertising networks. Your data is used solely for the purposes outlined in this Privacy Policy and is not sold or shared with advertisers.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

12. Contact Us

If you have questions or wish to exercise any rights under this policy, contact: