Privacy Policy

UTM Drift Guard is operated by Peakure LLC (“we,” “us,” or “our”). This Privacy Policy explains how we collect, use, and protect your information when you use our website and service at utmdriftguard.com.

1. Information We Collect

Account Information

When you create an account, we collect your email address and, optionally, your name. This is used to authenticate you and provide the Service.

CSV Uploads

When you upload CSV files for UTM auditing, we process the data contained in those files to generate your audit report, health score, and taxonomy suggestions. Uploaded data is stored for 90 days and then automatically deleted.

Payment Information

Payments are processed by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. Stripe handles all payment processing in compliance with PCI-DSS standards. We receive only a confirmation of payment status and a truncated card identifier.

Usage Analytics

We use PostHog to collect anonymized usage analytics, including pages visited, features used, and general interaction patterns. This helps us understand how the product is used and where to improve.

2. How We Use Your Information

• Provide the Service: Process your CSV uploads, generate audit reports, maintain your taxonomy, and power the link builder.
• Improve the product: Analyze aggregated, anonymized usage patterns to improve features, performance, and user experience.
• Transactional emails: Send account-related communications such as sign-in links, billing confirmations, and service updates via Resend.
• Security: Detect, prevent, and respond to fraud, abuse, or security incidents.

3. Third-Party Services

We use the following third-party services to operate UTM Drift Guard. Each processes data only as necessary to provide their respective function:

4. Data Retention

• Scan data and CSV uploads: Retained for 90 days after processing, then automatically deleted.
• Account data: Retained until you delete your account. Upon deletion, your data is removed within 30 days.
• Analytics data: Anonymized analytics are retained for up to 24 months.

5. Your Rights

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Deletion: Request deletion of your account and associated data.
• Export: Request an export of your data in a machine-readable format.
• Correction: Request correction of inaccurate personal data.
• Objection: Object to processing of your data for specific purposes.

To exercise any of these rights, contact us at support@utmdriftguard.com. We will respond within 30 days.

6. Cookies

We use minimal cookies:

• Authentication session: A secure, HTTP-only cookie to maintain your login session. Essential for the Service to function.
• PostHog analytics: A cookie used by PostHog to track anonymized usage patterns. You can opt out through your browser settings.

We do not use advertising cookies or tracking pixels from third-party ad networks.

7. GDPR Compliance (EEA Users)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing your data is contractual necessity (to provide the Service) and legitimate interest (to improve the product and prevent fraud).

8. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at support@utmdriftguard.com.

9. Account Deletion & Right to Erasure

In line with GDPR Article 17 and the CCPA right to delete, you may erase your account at any time from Settings → Account. On confirmation we (1) immediately cancel any active Stripe subscription, (2) anonymize your profile email and name, (3) write a compliance audit row that stores only a one-way SHA-256 hash of your email — never the plaintext — alongside the deletion timestamp, and (4) erase all uploaded scans, taxonomies, and related artifacts within 30 days. We retain the hashed audit log indefinitely to evidence compliance; it cannot be reversed to identify you.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.