Legal

Privacy Policy

Last updated: May 18, 2026

1. Who we are

DrewOS ("DrewOS," "we," "us," or "our") is operated by Outpost Preparedness LLC, a California limited liability company. DrewOS is a customer relationship management (CRM) and workflow automation platform that helps small businesses run their sales, marketing, and customer operations using AI agents.

You can reach our privacy team at drew@drewos.ai.

2. The short version

  • We collect only what we need to operate DrewOS for you: account info, your business contacts, content you create, and tokens for platforms you choose to connect.
  • We never sell your data. We don't use your content or connected-platform data to train third-party AI models.
  • You can delete your data at any time. See Data Deletion.
  • If you connect a Meta, Google, LinkedIn, or X account, that platform's own terms govern your relationship with them; our use of their data is limited to what you authorize.

3. Information we collect

3.1 Account information

Name, email address, business name, phone number (optional), and authentication identifiers from our identity provider (Clerk).

3.2 Business data you create or import

Contacts, organizations, deals, pipeline stages, notes, tasks, calendar events, email drafts, and any files you upload to your workspace.

3.3 Connected-platform data

When you authorize DrewOS to connect to a third-party platform (Meta/Facebook, Instagram, Google Workspace, Google Business Profile, LinkedIn, X, YouTube, TikTok, Twilio, Square, etc.), we receive:

  • An OAuth access token (and refresh token, where applicable) scoped to the permissions you grant.
  • Read-only metadata required to operate the integration (e.g., your Facebook Page ID, Instagram Business Account ID, Google Calendar IDs).
  • Content you direct DrewOS to read or write on that platform on your behalf — for example, posts you schedule, comments you reply to, emails you send, or analytics you ask us to display.

We do not access connected-platform data for any purpose other than the workflows you configure in DrewOS.

3.4 Website analytics

DrewOS operates a first-party analytics tracker for tenants whose marketing site we host. The tracker stores a randomly generated session identifier in a first-party cookie (no personally identifiable cross-site tracking), captures page views, button clicks, form submissions, and UTM parameters, and stores a salted SHA-256 hash of the visitor's IP address (the raw IP is never persisted). Tracker data is used only to attribute traffic to the tenant whose site is being visited.

3.5 Logs and operational data

We collect server logs, error reports, and rate-limit counters to keep the service running and secure. Logs are retained for up to 30 days.

4. How we use information

  • To operate, maintain, and improve the DrewOS service.
  • To execute workflows you configure (sending emails, posting to social platforms, scheduling meetings, generating reports).
  • To authenticate you and prevent unauthorized access.
  • To respond to support requests and communicate service notices.
  • To comply with legal obligations and enforce our Terms.

We do not use your business data, connected-platform content, or contact lists to train any general-purpose AI model, and we do not share your data with third parties for their own marketing.

5. AI processing

DrewOS uses Anthropic's Claude API to power agent workflows (drafting emails, classifying replies, summarizing activity, etc.). When an agent processes your data, the relevant content is sent to Anthropic's API under their Commercial Terms. Anthropic does not use Commercial API inputs or outputs to train their models.

6. How we share information

We share information only with:

  • Subprocessors we use to run the service: Railway (hosting), Vercel (frontend hosting), Clerk (authentication), Anthropic (AI model API), Resend / Google (email delivery), and Square (payments, when enabled). Each subprocessor is bound by a data-processing agreement and access is limited to what they need to provide their service.
  • Connected platforms you authorize — at your direction, we send content (posts, emails, calendar events) to the platform on your behalf.
  • Law enforcement, when required by valid legal process. We will notify you unless prohibited.
  • An acquirer, in the event of a merger, acquisition, or sale of assets — under continuity of this Policy.

7. Data retention

  • Account and workspace data: retained for the life of your account.
  • Backups: retained for up to 30 days after deletion.
  • Server logs: up to 30 days.
  • Analytics events: 24 months, then aggregated and anonymized.

When you close your account or request deletion, we remove your data within 30 days from production systems and within an additional 30 days from backups.

8. Your rights

You can:

  • Access and export your data from inside the DrewOS app.
  • Correct or update inaccurate information.
  • Delete your account and associated data — see Data Deletion.
  • Revoke any connected-platform integration from inside DrewOS or directly on the platform (Facebook, Google, LinkedIn, etc.).
  • Object to or restrict certain processing, and request portability of your data.

California residents have additional rights under the CCPA / CPRA, including the right to know what we collect, the right to delete, the right to opt out of "sale" or "sharing" (we do not sell or share personal information as those terms are defined under California law), and the right to non-discrimination. EEA and UK residents have rights under the GDPR / UK GDPR.

To exercise any right, email drew@drewos.ai.

9. Security

DrewOS uses TLS in transit, encryption at rest for stored secrets (OAuth tokens are encrypted with a per-installation key), and scoped access controls. No system is perfectly secure; we will notify affected users of any material breach as required by law.

10. International transfers

DrewOS is operated from the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S.

11. Children

DrewOS is a business tool. It is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will delete it.

12. Cookies

We use first-party cookies for authentication (Clerk session cookies) and for the analytics tracker described in §3.4. We do not use third-party advertising cookies on the DrewOS application.

13. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we will notify you by email or in-app notice. The date at the top of this page reflects the most recent revision.

14. Contact

DrewOS / Outpost Preparedness LLC
San Diego, California, USA
drew@drewos.ai