Privacy Policy
Last updated: April 5, 2026
The short version: Drengr now offers user accounts and paid subscriptions. To provide those services, we collect your email address, a one-way hash of your machine's identity for license enforcement, and metadata about your API key usage. The Software itself still runs entirely on your machine and does not send your screen content, device data, or commands to us. We use privacy-friendly, cookieless analytics (Vercel Analytics) on the Site. The Software sends anonymous product telemetry (no personal data); see Section 2.9 for details and opt-out instructions. We do not sell your personal data.
1. Who We Are (Data Controller)
For the purposes of the General Data Protection Regulation (GDPR) and equivalent laws, the data controller for personal data processed in connection with Drengr is:
Sharmin Sirajudeen
Trading as Drengr
Email: [email protected]
We do not have a formal Data Protection Officer. You may contact us directly at the email above for any privacy-related matter. We will respond within thirty (30) days.
2. What We Collect and Why
We collect personal data only where it is necessary to provide the Service. The table below summarises each category, its purpose, and the legal basis under GDPR Article 6.
2.1 Account Data (Google OAuth)
When you create a Drengr account using Google Sign-In, we receive from Google the following data points that your Google account makes available under the email and profile OAuth scopes:
- Email address
- Display name
- Google account identifier (used as a stable user ID)
- Profile picture URL (optional; not stored persistently)
Purpose: To create and maintain your account, send you transactional emails (e.g., license key delivery, billing receipts), and authenticate subsequent sessions.
Legal basis (GDPR Article 6(1)(b)): Processing is necessary for the performance of the contract between you and us (the Terms of Use). Without a verified email address, we cannot deliver license keys or manage your subscription.
2.2 API Keys
When you generate an API key, we store a SHA-256 hash of that key in our database. The plaintext key is shown to you once at creation and is never retained by us.
Purpose: To authenticate API requests from the Drengr binary and enforce usage entitlements.
Legal basis (GDPR Article 6(1)(b)): Necessary for the performance of the contract; key authentication is the mechanism by which the licensed service is delivered.
2.3 Machine Fingerprint
The Drengr binary computes a machine fingerprint — a one-way SHA-256 hash derived from a combination of your operating system's machine ID, hostname, and a locally-stored UUID. The raw components (your actual hostname or machine ID) never leave your device. Only the resulting hash is transmitted to api.drengr.dev.
We store the following data points for each activated machine:
- Machine fingerprint hash (a pseudonymous identifier)
- Operating system type (e.g., "macOS", "Linux")
- Drengr binary version
- Timestamp of first activation
- Timestamp of last heartbeat (updated every 5 minutes while the binary is running)
- IP address of the activating request (processed transiently by our infrastructure; see Section 2.5)
Purpose: To enforce per-license machine seat limits (e.g., a Pro license permits a defined number of concurrent machines), detect unauthorised sharing of license keys, and provide you with a view of active machines in your dashboard.
Legal basis (GDPR Article 6(1)(b)): Machine activation tracking is a necessary component of delivering the licensed service under the terms you agreed to. The number of permitted seats is a material term of the contract. Where we also rely on protection against license abuse, the additional basis is our legitimate interest (Article 6(1)(f)) in preventing unauthorised use of our software, which is proportionate given that the fingerprint is irreversibly hashed and cannot be used to reconstruct your hostname or machine ID.
Is the fingerprint hash "personal data" under GDPR? Yes, we treat it as personal data. Although the hash is pseudonymous — it cannot be reversed to identify your hostname — it can be linked to your account, which is directly identified. Under GDPR Recital 26 and ICO guidance on pseudonymisation (updated March 2025), pseudonymised data remains personal data when the controller holds both the pseudonym and the identifying information. We therefore apply full GDPR obligations to the fingerprint record.
2.4 Heartbeat Data
While the Drengr binary is running, it sends a heartbeat request to api.drengr.dev approximately every five minutes. Each heartbeat carries:
- Your API key (verified against the stored SHA-256 hash)
- Your machine fingerprint hash
- Binary version
The heartbeat updates the last_seen_at timestamp on your machine activation record. No additional data is logged or retained beyond what is described in Section 2.3.
Legal basis (GDPR Article 6(1)(b)): Necessary for contract performance; heartbeat confirms that the activated machine remains within the licensed seat count and keeps entitlements current.
2.5 IP Addresses
Every HTTP request to api.drengr.dev — including license validation, activation, and heartbeat requests — carries your IP address as a natural property of the TCP/IP connection. Our infrastructure (Cloudflare Worker proxying to Supabase Edge Functions) processes this address transiently to route the request. We do not log or persistently store raw IP addresses in our application database. Cloudflare and Supabase may retain server access logs containing IP addresses at the platform level for security and operational purposes, subject to their own privacy policies and our Data Processing Agreements with them.
Legal basis (GDPR Article 6(1)(f)): Legitimate interest in maintaining the security and operation of the Service.
2.6 Usage Metadata (Runs, Steps, API Calls, Daily Action Counts)
We store metadata about your use of the Service including:
- Number of OODA runs initiated
- Number of steps per run
- Number of API calls made against your key
- Daily drengr_do action count per machine fingerprint (used to enforce the Free Plan daily action limit; resets at midnight UTC)
- Timestamps of activity
We do not store the content of your runs — no screenshots, UI trees, prompts, or device data from your OODA sessions are transmitted to or stored by us. Metadata is aggregated usage counts only.
Purpose: To enforce rate limits, provide you with usage dashboards, generate insights for billing tiers, and detect abuse.
Legal basis (GDPR Article 6(1)(b)): Necessary for contract performance (quota enforcement, billing, and service delivery).
2.7 Billing Data
Subscription payments are processed by Polar Software, Inc. ("Polar"), which acts as the merchant of record for all paid transactions. Polar collects and processes your payment card details, billing address, and transaction history directly. We receive from Polar a subscription status signal (active, cancelled, expired) and a customer identifier, but we do not receive or store your payment card numbers, bank account details, or billing address.
Polar's handling of your payment data is governed by Polar's Privacy Policy.
2.8 Site Analytics (Vercel Analytics)
The Site (drengr.dev) uses Vercel Analytics, a cookieless, privacy-friendly analytics service that measures aggregate page views and custom conversion events (such as "clicked Download" or "reached sign-up page"). Vercel Analytics does not use cookies, device fingerprints, or cross-site tracking, and does not collect IP addresses or any personally identifiable information.
Legal basis (GDPR Article 6(1)(f)): Legitimate interest in understanding aggregate site usage to improve the product. Because no personal data is collected and no cross-site tracking occurs, this interest is not overridden by your interests or fundamental rights.
2.9 Anonymous Product Telemetry
The Software (the Drengr binary) sends anonymous telemetry events to help us understand how the product is used. Each event contains:
- A random install identifier (UUID v4, generated locally and stored at ~/.drengr/telemetry_id)
- Event type (e.g., "session_start", "tool_call")
- Tool name invoked (e.g., "drengr_do")
- Platform category (android, ios, or cloud)
- MCP client name (e.g., "cursor", "claude_code")
- Drengr binary version and operating system
Telemetry is limited to tool usage counts. The install identifier is a random UUID with no link to your identity or Account. Every event is also written to a local log file at ~/.drengr/telemetry.log so you can inspect exactly what was sent.
Opt-out: set the environment variable DRENGR_TELEMETRY=off to disable all telemetry. The log file is the complete record of what we collect — nothing more is sent.
Legal basis (GDPR Article 6(1)(f)): Legitimate interest in understanding aggregate product usage patterns to prioritise development. Because no personal data is collected and opt-out is available, this interest is not overridden by your interests or fundamental rights.
3. Cookie Policy
The Site sets strictly necessary session cookies via Supabase Auth when you are logged in to your Drengr account. These cookies maintain your authenticated session and are required for the Service to function. They are not used for advertising, tracking, or analytics.
Specifically:
- Supabase session cookies — Set when you sign in via Google OAuth. Contain an encrypted session token. Expire when you sign out or after the session inactivity period (typically 7 days). These are HttpOnly, Secure, and SameSite=Lax cookies.
No advertising cookies, analytics cookies, tracking pixels, or third-party cookies are set. No consent banner is required for strictly necessary cookies under GDPR Recital 30 and ePrivacy Directive Article 5(3), but we disclose them here as a matter of transparency.
The Vercel Analytics script used on the Site does not set any cookies or use local storage.
4. Data Flows You Control (Not Our Processing)
The Software enables data flows to third parties that you initiate and control. We are not a party to those flows and do not see, receive, or store that data.
4.1 AI Providers (OODA Mode)
When you use OODA Mode (drengr run), the Software transmits screenshots, UI element trees, and your prompts directly from your machine to the AI Provider you have configured (e.g., OpenAI, Anthropic, Google Gemini). This transmission uses API credentials you supply. We do not see, intercept, or store this data.
If screen content contains personal data about third parties, you are responsible for ensuring that transmission is lawful. Each AI Provider's handling is governed by their own privacy policy:
- OpenAI: openai.com/policies/privacy-policy
- Anthropic: anthropic.com/legal/privacy
- Google: policies.google.com/privacy
- Groq: groq.com/privacy-policy
4.2 Cloud Device Providers
When you connect the Software to a cloud device provider (such as BrowserStack or Sauce Labs), commands and screen data flow to those providers under your account and their terms. We are not a party to that data flow.
4.3 MCP Clients
When you use the Software as an MCP server, MCP clients (such as Claude Desktop or Cursor) send commands through the Software to your local device. All data passes through the Software on your local machine. We do not see or store any of this data.
4.4 Install Script and npm Registry
If you install via npm, the npm registry (operated by GitHub, Inc.) may collect installation metadata including your IP address, in accordance with npm's privacy policy. If you install via the curl install script from drengr.dev, your IP address is visible to our infrastructure as part of the HTTP request; we do not log or retain these addresses beyond transient routing.
5. Legal Basis Summary (GDPR Article 6)
The following table summarises the legal basis for each processing activity:
- Account creation and management — Article 6(1)(b): contract performance
- API key generation and validation — Article 6(1)(b): contract performance
- Machine fingerprint and activation tracking — Article 6(1)(b): contract performance; additionally Article 6(1)(f): legitimate interest in preventing license abuse
- Heartbeat processing — Article 6(1)(b): contract performance
- Usage metadata (run/step/call counts) — Article 6(1)(b): contract performance (quota enforcement)
- IP address transient processing — Article 6(1)(f): legitimate interest in service security and operation
- Site analytics (Vercel Analytics) — Article 6(1)(f): legitimate interest in aggregate product improvement; no personal data collected
- Anonymous product telemetry — Article 6(1)(f): legitimate interest in aggregate usage patterns; no personal data collected; opt-out available
- Transactional email communications — Article 6(1)(b): contract performance
6. Data Retention
We retain personal data for as long as your account is active plus a reasonable period thereafter for legal, operational, and dispute resolution purposes. Specific retention periods are:
- Account data (email, name, Google ID): Retained for the life of your account. Upon account deletion, purged within 30 days from our primary database, and from backups within 90 days.
- API key hashes: Retained while the key exists. Deleted when you revoke the key or close your account.
- Machine activation records (fingerprint hash, OS, version, timestamps): Retained for 12 months following the last heartbeat. You may delete individual machine records from your dashboard at any time.
- Usage metadata (run/step/call counts): Retained for 24 months from the date of the activity, then aggregated or deleted.
- Subscription and billing status records: Retained for 7 years from the date of the last transaction to satisfy applicable accounting and tax obligations, even if your account is otherwise deleted. This is a legal obligation under Article 6(1)(c).
- Email correspondence: Retained as part of normal email archiving for up to 3 years.
7. International Data Transfers
Our sub-processors operate infrastructure in the United States, Singapore, and globally distributed edge networks. Transfers of personal data of EEA, UK, or Swiss residents to these jurisdictions are covered by appropriate safeguards:
- Supabase: Covered by Supabase's DPA incorporating EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the UK ICO addendum thereto. Supabase is incorporated in Delaware and operates infrastructure including in Singapore.
- Vercel: Covered by Vercel's DPA incorporating EU Standard Contractual Clauses. Vercel processes data on US and global edge infrastructure.
- Cloudflare: Covered by Cloudflare's DPA incorporating EU Standard Contractual Clauses. Cloudflare operates a global edge network.
- Google (OAuth): Google LLC participates in the EU-US Data Privacy Framework. OAuth authentication data is processed under Google's Cloud Data Processing Addendum.
- Polar.sh: As merchant of record, Polar processes billing data subject to their own DPA and Privacy Policy. Polar is incorporated in the United States.
8. Sub-Processors
We use the following sub-processors to provide the Service. Each sub-processor is bound by a Data Processing Agreement (DPA) with us requiring them to protect personal data to GDPR standards:
- Supabase, Inc. — Database, authentication, and edge functions. Stores account data, API key hashes, machine activation records, and usage metadata. Region: US (primary) and Singapore. Supabase DPA
- Vercel, Inc. — Hosting for the Site (drengr.dev) and Vercel Analytics. Region: US and global edge. Vercel DPA
- Cloudflare, Inc. — DNS, CDN, and Worker proxy for api.drengr.dev. Processes IP addresses and API request metadata transiently. Region: Global edge. Cloudflare DPA
- Google LLC — OAuth identity provider. Provides email, name, and Google account identifier at sign-in. Google Cloud DPA
- Polar Software, Inc. — Merchant of record for paid subscriptions. Processes payment card data and billing addresses. Polar Privacy Policy
We will give you at least 30 days' notice (by updating this page and its "Last updated" date) before adding a new sub-processor that will process personal data material to your account.
9. Your Rights Under GDPR (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Right of access (Article 15) — Request a copy of the personal data we hold about you, including account data, machine activation records, and usage metadata.
- Right to rectification (Article 16) — Request correction of inaccurate personal data (e.g., display name).
- Right to erasure (Article 17) — Request deletion of your personal data. You may delete your account via your dashboard, which will trigger deletion of account data, API key hashes, and machine activation records within 30 days. Usage metadata will be anonymised or deleted within 30 days. Subscription billing records are retained for 7 years as a legal obligation (Article 6(1)(c)) and cannot be erased before that period expires.
- Right to restriction of processing (Article 18) — Request that we restrict processing in certain circumstances (e.g., while accuracy is contested).
- Right to data portability (Article 20) — Request your personal data in a structured, machine-readable format (JSON export of account data and usage metadata).
- Right to object (Article 21) — Object to processing based on legitimate interests (e.g., machine fingerprinting for anti-abuse purposes). We will cease that processing unless we demonstrate compelling legitimate grounds.
To exercise any right, email [email protected] with the subject line "GDPR Request" and your account email address. We will respond within 30 days. We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with your supervisory authority. In the EEA: edpb.europa.eu. In the UK: the Information Commissioner's Office.
10. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights. The categories of personal information we collect are:
- Identifiers — Email address, Google account ID, machine fingerprint hash (a pseudonymous device identifier under Cal. Civ. Code § 1798.140(v)(1)(A))
- Commercial information — Subscription plan, payment status (subscription status signal from Polar; not payment card data)
- Internet or other electronic network activity — API key usage counts, run/step/call metadata, timestamps of activity
- Inferences — Aggregate usage level (e.g., "heavy user") derived from usage metadata, used only for service tier recommendations
Your CCPA rights:
- Right to Know — Request disclosure of categories and specific pieces of personal information collected about you.
- Right to Delete — Request deletion of your personal information. See erasure process above.
- Right to Correct — Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — We do not sell or share personal information with third parties for advertising or cross-context behavioural advertising purposes. No "Do Not Sell or Share" opt-out is therefore necessary, but you may contact us to confirm.
- Right to Limit Use of Sensitive Personal Information — We do not process sensitive personal information as defined by the CPRA.
- Non-Discrimination — We will not discriminate against you for exercising any of these rights.
Note: The CCPA applies to for-profit businesses meeting specific thresholds (annual gross revenue exceeding $25 million; buying, selling, or receiving personal information of 100,000+ California residents per year; or deriving 50%+ of annual revenue from selling personal information). We may not currently meet these thresholds, but we provide these disclosures as a matter of transparency and best practice.
11. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us at [email protected] and we will delete it promptly.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- API keys are stored as SHA-256 hashes; plaintext is never persisted
- Machine fingerprints are one-way hashes; raw machine IDs never leave your device
- Database access is restricted by row-level security policies
- All API communication is over TLS
- Session cookies are HttpOnly, Secure, and SameSite=Lax
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes — such as adding new categories of personal data, new sub-processors, or new legal bases — we will update the "Last updated" date at the top of this page and notify you by email at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you disagree, you may cancel your account before the change takes effect.
14. Contact
For all privacy-related inquiries, rights requests, or concerns:
Sharmin Sirajudeen (Drengr)
Email: [email protected]
Subject line: "Privacy Request"
We will acknowledge your request within 5 business days and provide a substantive response within 30 days.