Legal

Privacy Policy

Last updated: May 1, 2026

1. Who we are

Drill (“we”, “us”) is operated by Jordan Martinelli, a French sole proprietor (auto-entrepreneur).

  • SIREN: 849 052 915
  • Address: 17 Imp du 11 Novembre, 06400 Cannes, France
  • Contact: legal@getdrill.app

We are the data controller for personal data processed through getdrill.app and the Drill product.

We have not appointed a Data Protection Officer, as none of the conditions in GDPR Article 37(1) that make one mandatory (public authority, or core activities involving large-scale regular and systematic monitoring or large-scale processing of special categories of data) applies to our processing activities. For any data-related request, contact us at legal@getdrill.app.

2. Data we collect

  • Account data: email, name, authentication identifiers.
  • Content you create: decks, cards, notes, and any learning material you submit.
  • Usage data: session activity, feature usage, page views, product analytics events, study sessions, and review history.
  • Billing data (if you subscribe): handled by Stripe; we do not store card numbers.
  • Technical data: IP address, browser, device, logs needed to operate the service.

3. Why we process it

  • Provide, operate, and secure the service.
  • Authenticate you and keep your session active.
  • Power the learning features (spaced repetition, analytics of your own progress).
  • Process subscriptions and send transactional emails.
  • Debug issues and prevent abuse.
  • Understand aggregate product usage and improve Drill through product analytics.

4. Legal basis (GDPR)

  • Contract: to deliver the service you signed up for.
  • Legitimate interest: to secure the service, fight abuse, and improve the product.
  • Legal obligation: to keep accounting records when applicable.
  • Consent: where required (e.g. for non-essential cookies or browser storage, such as product analytics).

5. Who we share data with

We share personal data only with processors strictly needed to run the service:

  • Neon — managed PostgreSQL database hosting.
  • Better Auth — authentication infrastructure.
  • Stripe — payment and subscription processing.
  • Resend — transactional email delivery.
  • PostHog — product analytics, event tracking, and product improvement.
  • AI assistant providers you connect (such as OpenAI/ChatGPT) — when you authorize and use a Drill integration, they may receive the tool requests you make and the Drill data returned by those tools.

We do not sell personal data. We do not share data with advertisers.

6. AI integrations

If you connect Drill to a third-party AI assistant (for example, ChatGPT via our MCP server), Drill sends data to that assistant only when you authorize the connection and invoke Drill from that assistant. Depending on the tools used, this may include your deck names, card notes, statements, tags, mastery statistics, internal item identifiers needed for follow-up actions, and new card content you ask the assistant to create or edit.

We use this data only to perform the action you requested, such as listing decks, creating cards, updating cards, moving cards, or returning mastery statistics. Third-party AI assistants process that data under their own terms and privacy policies. You can disconnect an integration from the assistant or revoke access where supported. Drill does not use your content to train AI models.

7. Data retention

We keep your data as long as your account is active. When you delete your account, we erase your personal data within 30 days, except records we must retain for legal obligations (e.g. invoices kept up to 10 years).

8. Your rights

Under GDPR, you can:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request erasure (“right to be forgotten”).
  • Export your data (portability).
  • Object to or restrict certain processing.
  • Lodge a complaint with the CNIL, the French data protection authority.

To exercise any right, email legal@getdrill.app.

9. Cookies

We use strictly necessary cookies for authentication and session management. We also use PostHog for product analytics, which may use browser storage to understand page views, feature usage, and product performance. We do not use advertising cookies or sell analytics data. Where consent is required, we will request it.

10. International transfers

Some processors may store or process data outside the EU. When they do, we rely on Standard Contractual Clauses or another transfer mechanism recognized under GDPR Chapter V, such as an adequacy decision.

11. Security

We use industry-standard practices: encrypted connections (HTTPS), encrypted databases at rest, scoped access, and short-lived authentication tokens. No system is perfectly secure; if a personal data breach occurs, we will notify the CNIL as required by GDPR Article 33 (without undue delay and, where feasible, within 72 hours of becoming aware of it) and notify affected users where required by GDPR Article 34.

12. Children

Drill is not intended for children under 13. If you are under 16, you need a parent's or guardian's consent to use the service, in line with GDPR Article 8 on children's consent.

13. Changes

We may update this policy. Material changes will be notified by email or an in-product notice. The “Last updated” date at the top always reflects the current version.

14. Contact

Questions, requests, or concerns: legal@getdrill.app.