Privacy Policy

Last updated: June 12, 2026

1. Who We Are

Derail Logic (“we,” “us,” or “our”) operates the MartechAI platform (available at app.derail-logic.com) and the marketing website at derail-logic.com (collectively, the “Services”). We are committed to protecting your privacy and being transparent about how we handle your information.

2. Information We Collect

2.1 Information You Provide to Us

When you create a MartechAI account or use our Services, you may provide:

  • Account information: name, email address, and password (hashed with bcrypt; we never store plain-text passwords).
  • Workspace data: contacts, companies, deals, campaign briefs, email templates, landing page content, form configurations, brand voice settings, product intelligence profiles, and analytics configurations you create within the platform.
  • Integration data: when you connect third-party services (Google Analytics, Google Search Console, Google Ads, Google Business Profile, Gmail, YouTube, Facebook, Instagram, LinkedIn, X/Twitter, WordPress, HubSpot, Stripe), we access data through those services using OAuth or API keys you authorize. We only access the scopes you approve, and you can disconnect any integration at any time. Our handling of data from Google services is described in detail in Section 8 (Google User Data).
  • Payment information: billing details and payment method information are processed directly by Stripe. We do not store full credit card numbers on our servers. We retain subscription metadata (plan tier, status, billing interval, invoice history).
  • Form submissions: when visitors submit forms you create through MartechAI (including forms embedded on external websites), we store the submitted data on your behalf.
  • File uploads: images, documents, logos, and other files you upload to the platform are stored in our object storage (MinIO).
  • RAG knowledge base: documents and URLs you ingest for AI context (PDF, TXT, Markdown, JSON files and web page content) are processed into vector embeddings and stored in Qdrant.

2.2 Information Collected Automatically

When you visit our marketing website or use the MartechAI platform:

  • Usage analytics: we use Google Analytics 4 (GA4) on derail-logic.com to understand how visitors interact with our marketing site. GA4 collects pages visited, time on site, referring URLs, browser type, operating system, device type, and approximate geographic location (country/city level). GA4 does not collect personally identifiable information by default. IP addresses are anonymized.
  • Platform analytics: within the MartechAI application, we track feature usage, page views, and session data to improve the product. This data is associated with your workspace and account.
  • Form tracking: MartechAI forms (including those embedded on external sites via our form-embed.js script) capture UTM parameters, referrer URLs, and submission timestamps for marketing attribution purposes.
  • Cookies and similar technologies: see Section 7 below for details.
  • Server logs: our infrastructure automatically logs technical information including IP addresses, request timestamps, and user agents for security, debugging, and abuse prevention. PII in URLs is redacted from logs.
  • Email tracking: marketing emails sent through MartechAI may include tracking pixels and click-tracking links to measure opens and clicks. We filter out known bot/scanner user agents to maintain accurate metrics.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the MartechAI platform.
  • Process your account registration, authentication (JWT), and workspace management.
  • Power AI features (content generation, autopilot recommendations, RAG queries) using your workspace context and brand voice.
  • Send transactional emails (account invitations, password resets, report sharing, dashboard sharing) via AWS SES.
  • Send marketing emails you configure and authorize through the platform.
  • Process payments and manage subscriptions via Stripe.
  • Sync data with third-party integrations you connect (Google services, social platforms, WordPress, HubSpot).
  • Generate analytics, reports, and dashboards from your connected data sources.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms of Use.

4. How We Share Your Information

We do not sell your personal information or your customers' data. We share information only in the following circumstances:

  • Service providers: we use third-party infrastructure and API providers to operate the Services, including:
    • Hostinger (VPS hosting — application servers, database, file storage, queue system)
    • Cloudflare (DNS, CDN, DDoS protection)
    • Stripe (payment processing — we do not store full payment card details)
    • AWS SES (transactional and marketing email delivery)
    • Google (GA4 analytics, Gemini AI API for content generation failover, OAuth-integrated services you connect)
    • DataForSEO (SEO audit and keyword tracking data you request)
    • Form.io CDN (form rendering library loaded by embedded MartechAI forms)
  • Third-party integrations you enable: when you connect services like Google Analytics, Search Console, Facebook, LinkedIn, WordPress, or HubSpot, data flows between those services and MartechAI as you configure it. You control which integrations are active and what data is shared.
  • Legal requirements: we may disclose information if required by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: if Derail Logic is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy. Data obtained from Google APIs will only be transferred in a manner consistent with the Google API Services User Data Policy.

5. Data Retention

We retain your account information and workspace data for as long as your account is active. If you delete your account or specific data within the platform, we remove it from our active systems. Server logs and backups may retain data for up to 90 days for operational purposes. Email generation status caches are automatically cleared after 30 minutes.

If you cancel your subscription, your workspace data remains accessible in a read-only state for 30 days, after which it is permanently deleted. You may request earlier deletion by contacting us.

When you disconnect a third-party integration, we stop accessing the connected service immediately and delete the associated OAuth tokens. Previously synced data stored in your workspace (for example, analytics history used in your dashboards) remains until you delete it or your workspace is deleted. See Section 8 for additional commitments specific to Google user data.

6. AI Data Processing

MartechAI includes AI-powered features (content generation, autopilot recommendations, marketing copilot, image generation, RAG queries). When you use these features:

  • Content generation: prompts and workspace context (brand voice, ICPs, product intelligence, RAG knowledge) are sent to AI models. Primary inference runs on our local infrastructure (Arc GPU). Google Gemini API serves as failover when local resources are unavailable. Prompts and generated outputs are not used to train third-party models.
  • RAG (Retrieval-Augmented Generation): documents you upload are chunked, embedded, and stored in a Qdrant vector database. Embeddings are generated via our local AI infrastructure or Gemini API as failover. Queries are matched against your workspace's vector store only.
  • Image generation: image prompts are sent to AI image models. Generated images are stored in your workspace.
  • AI Prospecting: contact and segment data you select for AI prospecting campaigns is used to generate personalized email drafts through LangGraph workflows.
  • Google user data and AI: we do not use any data obtained through Google APIs (including Gmail message content, Analytics data, Search Console data, Ads data, or Business Profile data) to develop, improve, or train generalized artificial intelligence or machine learning models. Where Google user data is used as context for AI features (for example, generating marketing recommendations from your own analytics), it is used solely to provide those user-facing features within your workspace, and outputs are visible only to you and your workspace members.

7. Cookies and Tracking Technologies

7.1 Marketing Website (derail-logic.com)

Our marketing website uses the following cookie categories:

  • Necessary cookies: required for the site to function (session management, CSRF protection). These cannot be disabled.
  • Analytics cookies: Google Analytics 4 (G-Y5V64FV3T7) for understanding site traffic and usage patterns. GA4 uses first-party cookies (_ga, _ga_*) with anonymized IPs. By default, analytics storage is denied until you accept via our cookie consent banner.
  • Marketing cookies: reserved for future advertising and remarketing features. Currently not in active use.

You can manage your cookie preferences at any time through the cookie consent banner loaded via Google Tag Manager. Your preferences are stored by the consent tool and honored on subsequent visits.

7.2 MartechAI Platform (app.derail-logic.com)

The platform uses necessary cookies for authentication (JWT access and refresh tokens stored in localStorage) and session management. We do not use third-party tracking cookies within the authenticated application.

7.3 Embedded MartechAI Forms

When you embed a MartechAI form on your own website, the form-embed.js script loads the Form.io rendering library from cdn.form.io. Form.io may set its own cookies. The form embed script also captures UTM parameters and referrer information for marketing attribution. This data is stored in your MartechAI workspace and subject to your own privacy practices.

8. Google User Data

This section describes how MartechAI accesses, uses, stores, and shares data obtained from Google APIs when you choose to connect Google services to your workspace. It applies in addition to the rest of this policy.

MartechAI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8.1 What We Access and Why

We request only the minimum scopes needed for each feature, and only when you explicitly connect that service:

  • Google Analytics (read-only): we read your GA4 account and property list (so you can choose which property to connect) and run read-only reports (sessions, page views, conversions, traffic sources, top pages) to display dashboards and reports and to generate marketing recommendations for your workspace. We never modify your Analytics configuration.
  • Google Search Console (read-only): we read search performance data (queries, clicks, impressions, CTR, positions) for your verified sites to power SEO dashboards, audits, and content recommendations. We never modify your Search Console configuration.
  • Google Ads: we read campaign performance data (impressions, clicks, CTR, cost, conversions) for accounts you connect, to display advertising performance alongside your other marketing channels. We do not create, edit, or delete campaigns, ads, budgets, or accounts.
  • Google Business Profile: we read your business locations, performance metrics (calls, website clicks, impressions), and customer reviews to power local-business dashboards. With your direction, we also publish replies to customer reviews that you compose or approve in the platform. We do not otherwise edit or delete your business listings.
  • Gmail (optional email connection): if you connect your Gmail address, we use it to (a) send one-to-one sales emails that you compose and explicitly send or schedule in the CRM, from your own address; and (b) if you enable inbox sync, read messages between you and your CRM contacts so that correspondence appears on the contact's activity timeline. We access only what is needed for these features.
  • YouTube (read-only): if you connect YouTube, we read channel and video analytics to display performance reporting.

8.2 Limited Use Commitments

For all data obtained through Google APIs, and in particular Gmail data:

  • We only use Google user data to provide and improve the user-facing features described above, which are visible and apparent to you in the platform.
  • We do not transfer Google user data to third parties except as necessary to provide these features (e.g., storage on our own infrastructure), to comply with applicable law, or as part of a merger or acquisition with notice to you as described in Section 4.
  • We do not use Google user data for advertising purposes, including retargeting, personalized, or interest-based advertising.
  • We do not sell Google user data.
  • We do not allow humans to read Gmail message content, except (a) with your explicit consent for a specific message, (b) as necessary for security purposes such as abuse investigation, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
  • We do not use Google user data — including Gmail content — to develop, improve, or train generalized AI or machine learning models.

8.3 Storage and Security of Google Data

OAuth access and refresh tokens are stored encrypted in our database and used only server-side to call Google APIs on your behalf. Synced data (e.g., analytics rows, review records, email correspondence linked to CRM contacts) is stored scoped to your tenant and workspace, isolated from other customers, and transmitted only over TLS-encrypted connections.

8.4 Retention, Revocation, and Deletion of Google Data

  • You can disconnect any Google integration at any time from the Integrations or Account settings pages in MartechAI. Disconnecting immediately stops all API access and deletes the stored OAuth tokens for that connection.
  • You can also revoke MartechAI's access directly from your Google Account at myaccount.google.com/permissions.
  • Synced Google data stored in your workspace can be deleted by you within the platform, and is permanently deleted when your workspace or account is deleted (see Section 5).
  • You may request deletion of all Google user data we hold for you at any time by contacting [email protected]; we will complete such requests within 30 days.

9. Email Communications

We use AWS SES to deliver emails from the platform. This includes:

  • Transactional emails: account invitations, password resets, dashboard/report sharing notifications, and system alerts.
  • Marketing emails: campaigns, sequences, and AI-generated prospecting emails you create and send through the platform. These are sent from your configured sender identity.

If you connect a Gmail or Microsoft mailbox as a sending identity, one-to-one sales emails are sent from your own mailbox via the respective provider's API rather than AWS SES (see Section 8 for Gmail specifics).

Marketing emails include open and click tracking by default. We filter out known bot and scanner user agents (GoogleImageProxy, Microsoft Safe Links, Proofpoint, Barracuda, etc.) to maintain accurate engagement metrics.

10. Data Security

We implement reasonable technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt and never stored in plain text.
  • OAuth tokens for connected integrations are stored encrypted at rest.
  • Authentication uses short-lived JWT access tokens with refresh token rotation.
  • API communications are encrypted in transit via HTTPS (TLS).
  • Multi-tenant data isolation: every database query is scoped to your tenant and workspace.
  • Role-based access control (viewer, editor, admin, tenantAdmin) limits what users can see and do within a workspace.
  • Server logs redact PII from URLs.
  • The platform has passed an OWASP security audit.
  • Stripe handles payment processing and is PCI DSS Level 1 compliant.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

11. International Data Transfers

Our infrastructure is hosted in the United States (Hostinger VPS, with local GPU infrastructure for AI processing). If you access the Services from outside the United States, your data will be transferred to and processed in the United States. By using the Services, you consent to this transfer.

Certain third-party services we use (Google, Stripe, Cloudflare, DataForSEO) may process data in additional jurisdictions. We rely on their respective compliance certifications and data processing agreements.

12. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict certain processing activities.
  • Withdraw consent where processing is based on consent — including disconnecting any third-party integration (and revoking Google access via myaccount.google.com/permissions) at any time.

You can exercise many of these rights directly through your MartechAI account settings. For requests that cannot be fulfilled through the platform, contact us at the email below.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the platform or via email. The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of the Services after changes become effective constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: [email protected]

Mail: Derail Logic, 831 Auburn Rd
Ste 210 #3173
Dacula, GA 30019, United States

Also see our Terms of Use and Cookie Policy.
