Adroyt
Sign inStart free trial

Privacy Policy

Last updated: May 2, 2026

Introduction

Adroyt ("we," "our," or "us") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered project management platform.

Data We Collect

Account & Profile

When you register, we collect your name, email address, organization name, role, language and timezone preferences, and (optionally) a profile photo. If you sign in through a single sign-on provider, we receive your name, email, and a stable identifier from that provider.

Billing

For paid subscriptions, our payment processor collects and stores your card or bank details directly. We never see or store full payment-card numbers; we receive only a tokenized reference, the billing email, the last four digits, the country, and invoice metadata.

Project Content

Data you and your team input into the platform — projects, tasks, milestones, resources, files, comments, custom fields, time entries, and reports — together with anything you upload (documents, images, schedule imports). You retain ownership of this content; we process it only to provide the service.

AI Conversations

The prompts you send to the in-app AI assistant, the project context attached to those prompts, and the assistant's responses. These are stored against your account so chat history persists across sessions.

Telemetry & Diagnostics

Pages visited, features used, performance metrics, error reports, and coarse device information (browser, operating system, approximate location derived from IP). We use this to operate and improve the platform.

Identity & Security Tokens

When you connect a third-party account (single sign-on, calendar, storage, integrations), we store the access tokens needed to maintain that connection, encrypted at rest. We never store the password to your third-party account.

Support & Communications

The content of support tickets, in-app feedback, and email correspondence with our team.

How We Use Your Data

We use the information we collect to:

  • Provide, operate, and maintain the platform
  • Generate AI-driven insights, summaries, and recommendations on your project content
  • Send transactional communications, security alerts, and service updates
  • Improve and personalise your experience
  • Detect, prevent, and respond to fraud, abuse, and security incidents
  • Bill you accurately and resolve billing disputes
  • Comply with legal obligations and enforce our Terms of Service

We do notuse your project content, AI conversations, or uploaded documents to train any machine-learning models — neither our own nor any third party's.

AI Processing

Our AI features are powered by third-party large language model providers operating under enterprise agreements. When you use an AI feature:

  • Your prompt and the project context required to answer it are sent to the provider over an encrypted connection.
  • The provider processes the request and returns a response. Under our enterprise terms, the provider does not retain your prompts or responses beyond the time needed to serve the request, and does not use your data to train its models.
  • We log the request, the response, and metadata (timestamps, duration, token counts, cost) for billing, abuse prevention, and quality monitoring. These logs are scoped to your tenant and accessible to your tenant administrators.
  • AI-generated content can contain errors. You are responsible for reviewing AI output before relying on it for decisions, and for ensuring the prompts you submit do not violate the rights of others.

You can disable AI features for your tenant from your workspace settings.

Subprocessors and Data Sharing

We do not sell your personal information. We share limited data with twelve carefully vetted subprocessors who help us deliver the service, each bound by a written data processing agreement and confidentiality obligations. The named list below mirrors our internal vendor management policy and is updated whenever a subprocessor is added, removed, or replaced.

SubprocessorServiceData sharedRegion
SupabaseDatabase, authentication, object storage, realtimeAccount, project, and session data; uploaded documents and images; authentication identifiersEuropean Union (Frankfurt)
DigitalOceanApplication hosting and managed cacheApplication logs, build artifacts, ephemeral cache and background-job state, session refresh tokensEuropean Union (Frankfurt)
ResendTransactional email deliveryRecipient email, subject, rendered message body, delivery statusUnited States (with EU delivery option)
AnthropicPrimary AI inference providerAI prompts and the project context attached to themUnited States
OpenAIAI inference fallback (only when primary provider is unavailable)AI prompts and the project context attached to themUnited States
StripePayments and subscription billingBilling email, tokenized payment method, subscription state, invoice metadata (no raw card data)United States / European Union
SentryError tracking and session replayError stack traces, request metadata, masked DOM replays, tenant and user identifiersEuropean Union (Frankfurt)
PostHogProduct analytics and feature flagsPseudonymised usage events (only with consent), coarse geolocationEuropean Union
GitHubSource control and continuous integrationSource code, CI logs, encrypted build secretsUnited States (with global edge)
Fly.ioAntivirus scanning host (uploaded files)File bytes streamed through the scanner (not retained); scan logs containing filename, tenant identifier, and any virus signature detectedEuropean Union (Frankfurt)
Dmarcian-EUDMARC aggregate-report processingDMARC aggregate reports (sender IPs, message counts, alignment status); no message bodiesEuropean Union

We may also disclose data when required by valid legal process, to enforce our Terms, to protect the safety of users or the public, or in connection with a merger, acquisition, or sale of assets (with notice to you).

Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

  • Access and export your personal data
  • Correct inaccurate information
  • Request deletion of your data
  • Restrict or object to certain processing
  • Data portability
  • Withdraw consent at any time

To exercise these rights, contact us at [email protected].

Data Security

We implement industry-standard security measures including AES-256 encryption at rest and TLS 1.3 in transit, role-based access controls, regular security reviews, hash-chained audit logs, and multi-tenant data isolation. Our security program is built around the SOC 2 Trust Services Criteria; formal third-party certification is on our roadmap.

Data Residency

Your account, project content, files, and operational data are stored in our primary region in the European Union (Frankfurt, Germany). Backups are stored in the same region.

The exception is AI inference: when you use an AI feature, the prompt and the project context required to answer it are routed to our AI provider, which processes the request on infrastructure in the United States, then returns the response. The provider does not retain or train on your data. If you do not want any data to leave the EU, disable AI features in your workspace settings.

Some operational subprocessors (transactional email, payment processing, source control) may process limited metadata in the United States. See the Subprocessors table above for the data categories involved.

For international transfers, we rely on the Standard Contractual Clauses adopted by the European Commission, supplemented by technical and organisational measures (encryption in transit and at rest, access controls, audit logging).

Cookies and Tracking

We use a small number of cookies and similar technologies. On your first visit, our cookie banner asks for your consent before any non-essential cookie is set. You can change your choice at any time from the footer of any page.

Categories

  • Essential — required for the platform to function (session, authentication, security, load balancing). Set without consent because the service cannot operate without them.
  • Preferences — remember your theme, language, collapsed panels, and similar UI choices.
  • Analytics — help us understand which features are used, in aggregate. Set only after you accept analytics cookies.

We do not use advertising or cross-site tracking cookies.

Data Retention

We keep different categories of data for different periods, balancing your right to have data deleted with our legal, security, and operational obligations.

Data categoryRetention period
Account profileFor the life of the account; deleted within 30 days of account closure
Project content (projects, tasks, files, comments)For the life of the tenant; deleted within 30 days of tenant deletion
AI conversation historyUntil you or your tenant administrator deletes the conversation; in any case removed within 30 days of account closure
Audit logs (security & compliance)365 days, then archived; longer where law requires
Billing records and invoicesUp to 10 years, as required by tax and accounting law
Operational telemetry & error logs90 days
BackupsUp to 35 days on a rolling basis, then overwritten
Marketing email subscription preferencesUntil you unsubscribe; suppression list kept indefinitely so we do not contact you again

You can request earlier deletion at any time. We may retain the minimum data required to comply with a legal obligation, defend a legal claim, or prevent abuse — these residual records are isolated and not used for any other purpose.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform. Continued use after changes constitutes acceptance.

Contact Us

If you have questions about this Privacy Policy, contact our Data Protection Officer at [email protected].

Contact our Data Protection Officer

For questions or concerns about this policy:

[email protected]