Privacy Policy
Last updated: January 23, 2026
1. Introduction
The Devious LLC ("we," "our," or "us") operates Ferry, an AI-powered data migration service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
We take data privacy seriously—especially because our service handles data migration. We're committed to transparency about our data practices and giving you control over your information.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Password (hashed, never stored in plaintext)
- Company name (optional)
- Billing information (processed by Stripe, not stored by us)
2.2 Files You Upload
When you use Ferry to migrate data, you upload files containing:
- Customer records from your source system
- Business data you wish to import
Important: We process these files solely to provide the migration service. Files are automatically deleted within 24 hours of successful import, or immediately upon your request. We do not use your data to train AI models, sell it to third parties, or use it for any purpose other than completing your migration.
2.3 Usage Data
We automatically collect:
- API call logs (endpoint, timestamp, response code)
- Feature usage analytics
- Error reports and performance metrics
- IP address and browser information
2.4 Cookies and Tracking
We use:
- Essential cookies: Required for authentication and security
- Analytics cookies: To understand how you use our service (via PostHog)
You can disable non-essential cookies in your browser settings.
3. How We Use Your Information
We use your information to:
- Provide the data migration service
- Process payments and manage subscriptions
- Send service-related communications
- Improve our service and develop new features
- Detect and prevent fraud or abuse
- Comply with legal obligations
What We Never Do
- Sell your personal information to third parties
- Use your uploaded data to train AI models
- Share your data with advertisers
- Access your files except to provide the service
4. Data Sharing and Disclosure
We share information only in these circumstances:
4.1 Service Providers
- Supabase: Database and file storage (US-based, SOC 2 certified)
- Anthropic: AI processing (data not used for training)
- Stripe: Payment processing (PCI DSS compliant)
- Cloudflare: CDN and DDoS protection
- PostHog: Privacy-focused analytics
4.2 Legal Requirements
We may disclose information if required by law, such as in response to a valid subpoena or court order. We will notify you unless legally prohibited.
4.3 Business Transfers
If we're acquired or merge with another company, your information may be transferred. We'll notify you before your data becomes subject to a different privacy policy.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Uploaded files | 24 hours after import (or immediate on request) |
| Account data | Until account deletion + 30 days |
| API logs | 90 days |
| Billing records | 7 years (legal requirement) |
| Analytics data | 12 months |
6. Your Rights
6.1 All Users
- Access: Request a copy of your personal data
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and data
- Export: Download your data in a portable format
6.2 European Users (GDPR)
If you're in the European Economic Area, you also have the right to:
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Data portability
- Lodge a complaint with your local supervisory authority
Legal Basis: We process your data based on: (a) contract performance, (b) legitimate interests (service improvement, security), and (c) your consent where required.
6.3 California Users (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know if personal information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of personal information
- Equal service and price (non-discrimination)
We do not sell personal information. We have not sold personal information in the preceding 12 months.
To exercise any of these rights, email privacy@ferry.dev.
7. Data Security
We implement industry-standard security measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- SHA-256 hashing for API keys and passwords
- Row Level Security (RLS) for database isolation
- Regular security audits and penetration testing
- SOC 2 Type II compliance (in progress)
Despite our efforts, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we promptly address any incidents.
8. International Transfers
Your data may be transferred to and processed in the United States. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) with EU/UK partners
- Data Processing Agreements (DPAs) with all subprocessors
- EU data residency option for Enterprise customers
9. Children's Privacy
Ferry is not intended for children under 16. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We'll notify you of material changes via email or prominent notice on our website. Your continued use after changes constitutes acceptance.
11. Contact Us
For privacy-related questions or requests:
- Email: privacy@ferry.dev
- Address: The Devious LLC, United States
We aim to respond to all privacy requests within 30 days.
12. Data Processing Agreement
For customers who require a Data Processing Agreement (DPA) for GDPR compliance, we offer a pre-signed DPA. Contact us at privacy@ferry.dev or download our standard DPA.