Drydock Privacy Policy
This Privacy Policy describes how Drydock Labs, Inc. (“Drydock”, “we”, “us”) collects, uses, and shares information when you use drydock.build and the Drydock cloud virtual machine service (the “Service”). This policy covers the Drydock control plane — our website, dashboard, billing, and support. It does not cover what you store, run, or transmit inside the virtual machines you provision; you are the data controller for that data.
By using the Service you agree to this Privacy Policy.
1. Information we collect
1.1 Information you give us
- Account information. Name, email address, password (stored hashed), and any organization name you provide at signup.
- Billing information. Billing address, tax identifier where applicable, and payment instrument details. Payment card numbers are collected and stored by our payment processor (Stripe), not by Drydock.
- Communications. Anything you send to legal@drydock.build, support channels, or our dashboard chat, including the contents of those messages.
- Identity verification. If we ask you to verify your identity for fraud-prevention or sanctions-screening purposes, the documents and answers you provide.
1.2 Information we collect automatically
- Service telemetry. The actions you take in the dashboard, the API calls you make, the VMs you create, suspend, or destroy, the regions you choose, and the resources those VMs consume (CPU, memory, network, disk) — for billing, capacity planning, and abuse detection.
- Network metadata. Source IP, user-agent, timestamps, and request paths for requests to the dashboard and API.
- Cookies and similar. A session cookie used to keep you signed in. We do not use third-party advertising cookies.
1.3 Information about your VMs
We collect operational metadata about the VMs you provision (their IDs, hostnames, IP addresses, region, image, status, network throughput counters, and similar). We do not routinely inspect the contents of your VMs' disks, memory, or network traffic. We may inspect them where necessary to investigate a credible AUP violation, respond to legal process, or protect the security or availability of the Service.
2. How we use information
We use the information we collect to:
- provide, operate, and improve the Service;
- authenticate you and protect your account;
- bill you and process payments;
- detect, investigate, and prevent fraud, abuse, and AUP violations;
- communicate with you about your account, the Service, security incidents, and important changes;
- comply with legal obligations, including sanctions-screening and tax reporting;
- enforce the Terms of Service and AUP.
3. How we share information
We share information only as described below.
- Service providers. Vendors that help us run the Service — our payment processor (Stripe), our infrastructure provider (NetActuate), our email delivery provider, and our error-tracking and analytics providers — under contracts that limit their use of the information to providing services to us.
- Legal process. We disclose information when required by valid subpoena, court order, or other lawful process, and where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Drydock, our customers, or the public.
- Abuse reporting. When we receive a credible abuse complaint about traffic from one of your VMs, we may share enough information with the complainant to allow the complaint to be resolved. We may also report apparent CSAM to NCMEC and law enforcement as required by law.
- Corporate transactions. If Drydock is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
- With your direction. When you ask us to share information (for example, with a teammate you invite to your account).
We do not sell your personal information.
4. Data retention
- Account and billing records: retained for the life of the account and for at least 7 years after closure for tax and audit purposes.
- Service telemetry and logs: retained for up to 12 months.
- VM operational metadata: retained for the life of the VM and up to 90 days after deletion.
- Abuse-investigation records: retained as long as needed to investigate and respond, and as required by law.
5. Security
We use commercially reasonable technical and organizational measures to protect the information we collect, including encryption of data in transit, encrypted storage of secrets, access controls on production systems, and audit logging. No system is perfectly secure; we do not guarantee that information will not be accessed by unauthorized parties.
6. Your choices and rights
- Access and correction. You can view and update most account information in the dashboard. For anything you can't change yourself, email legal@drydock.build.
- Deletion. You can close your account at any time. We will delete or anonymize personal information after the retention periods above.
- California, EU/UK, and other jurisdictions. If applicable law gives you additional rights — for example, the right to access, correct, port, or delete personal data, or to object to or restrict certain processing — you can exercise those rights by emailing legal@drydock.build. We will respond within the time required by law.
- Do Not Track. We do not respond to Do Not Track signals.
7. International transfers
Drydock is based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. By using the Service you consent to that transfer.
8. Children
The Service is not directed to anyone under 18 and we do not knowingly collect information from anyone under 18. If you believe we have, email legal@drydock.build and we will delete it.
9. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the dashboard or by email at least 14 days before they take effect.
10. Contact
Drydock Labs, Inc.
2261 Market Street STE 30427
San Francisco, CA 94114
legal@drydock.build