Draftly (“Draftly,” “we,” “us,” or “our”) is an AI-powered collaborative writing platform that helps users improve and get feedback on drafts from AI editors and human collaborators. This Privacy Policy explains how we collect, use, disclose, and protect information relating to identified or identifiable individuals (“Personal Data”) when you visit our websites, sign up for or use our services, or otherwise interact with us (collectively, the “Services”).
If you do not agree with this policy, please do not use the Services. Where required by law, we will seek your consent.
1) Who we are & how to contact us
Data Controller: Draftly
Address: Schluchseestr. 26, 13469 Berlin, Germany
Email: [email protected]
If you are in the EEA/UK/Switzerland, you may also contact your local data protection authority. If we appoint an EU/UK representative or Data Protection Officer, we will update this section.
2) Scope
This policy applies to Personal Data we process as a controller through our consumer and business Services. It does not apply to websites, services, or applications that we do not own or control, nor to third-party sites linked from our Services.
3) Information we collect
A. Data you provide directly
- Account & Profile Data: name, email address, authentication credentials managed by Supabase Auth (e.g., hashed password, session tokens, magic-link tokens), avatar, locale, and preferences.
- Billing & Payments: purchase history, subscription tier, invoices, and tax details. Payment card data is processed by our payment provider (Stripe); we do not store full card numbers.
- User Content: drafts, text you type or paste, uploaded files and images, editor settings, comments, and feedback you send to us.
- Support & Surveys: information you include in requests, bug reports, or survey responses.
B. Data we receive automatically
- Usage & Device Data: IP address (with truncation/anonymization where configured), approximate location derived from IP, browser type and version, OS, device identifiers, pages viewed, referring/exit pages, timestamps, time on page, and interactions with UI elements.
- Event Data (analytics): page views and product events (see §7).
- Log Data & Diagnostics: error logs, performance metrics, and service telemetry.
C. Data from third parties
- Identity Providers: if you sign in with a third party, we receive your name, email address, a stable user identifier, and identity tokens from that provider. We currently support Google, Microsoft (Azure), and Notion as sign-in providers.
- Payment Provider (Stripe): payment status, last 4 digits/brand, and subscription status necessary to provide Services.
- Service Providers: limited data necessary for hosting, email delivery, security, and support.
We do not intentionally collect sensitive Personal Data (e.g., health data). Please do not include sensitive data in drafts unless strictly necessary.
4) Legal bases for processing (EEA/UK/CH)
- Contract (Art. 6(1)(b) GDPR): to provide, maintain, and support the Services you requested, including account creation, AI features, billing, and customer support.
- Legitimate Interests (Art. 6(1)(f) GDPR): to secure and improve the Services; to measure engagement; to prevent fraud and abuse; to defend legal claims; and to send transactional communications.
- Consent (Art. 6(1)(a) GDPR; § 25 TDDDG): where required, for example for non-essential cookies/storage and for promotional newsletters (in combination with § 7(2) UWG). You may withdraw consent at any time without affecting prior processing.
- Legal Obligations (Art. 6(1)(c) GDPR): to comply with tax, accounting, and regulatory requirements (e.g., retention of invoices under § 147 AO and § 257 HGB).
5) How we use information
- Provide and operate the Services, including account creation, authentication, drafts, feedback, and collaboration features.
- Process purchases, subscriptions, refunds, credits, and invoices.
- Enable AI features (e.g., insertions, selections, feedback) by securely sending relevant content to AI model providers for inference.
- Maintain safety, security, and integrity; detect, prevent, and respond to fraud or abuse.
- Fix bugs, perform analytics, conduct research, and improve performance and user experience.
- Communicate with you about service updates, changes, and support. When you create an account, we automatically add you to our welcome sequence and to a product-updates list managed in our self-hosted Mautic instance. You can opt out of either list at any time from your Account page, and every email contains an unsubscribe link.
- Comply with legal requirements and enforce our Terms.
We may aggregate or de-identify data so it can no longer reasonably identify you. We may use and share such information for analytics, research, and improving the Services.
6) Sharing your information
We share Personal Data only as described below, applying appropriate contractual and security safeguards:
A. Service providers (processors acting on our instructions)
Each provider is bound by a data processing agreement (Art. 28 GDPR) or comparable contractual safeguards.
- DigitalOcean (Frankfurt, EU): hosts our Next.js application, our self-hosted Mautic instance, and our self-hosted Umami analytics instance. Processes IP addresses, server logs, account data, user content, and event data.
- Supabase (EU region): database, authentication, and file storage. Processes account data, authentication credentials, user content, and metadata.
- Stripe (Ireland / United States): payment processing and subscription management. Processes name, email, billing address, transaction details, and card metadata (we do not store full card numbers).
- Resend (United States): transactional email delivery (e.g., account, billing, feedback-ready notifications). Processes email address and message content.
- Cloudflare (United States): Turnstile bot-mitigation challenge on signup and login. Processes IP address, user-agent, and browser challenge signals.
- Bunny.net (Slovenia, EU): delivery of self-hosted web fonts (Bunny Fonts). Processes IP address and HTTP request metadata at the time fonts are loaded.
B. AI and OCR model providers
To deliver AI features (e.g., generating suggestions, feedback, or OCR results), we transmit the necessary portions of your Input to the following providers for inference. We do not sell your content to AI providers. We rely on each provider’s default API policy that customer API content is not used to train their foundation models.
- OpenAI (United States): text generation and feedback.
- Anthropic (United States): text generation and feedback.
- Google (Gemini API) (United States / EU): text generation and feedback.
- Mistral AI (France, EU): text generation and document OCR.
C. Identity providers (only when you choose to sign in)
- Google, Microsoft (Azure), Notion: when you sign in with one of these providers, we receive your name, email, a stable identifier, and the identity tokens required to establish your session.
D. User-initiated integrations
You may connect optional integrations to send drafts or files out of Draftly. When you do, you direct us to transmit the relevant content to that provider, and the provider becomes an independent controller for the data it receives. We currently support exports to Notion, Dropbox, Google Drive, Microsoft OneDrive, and reMarkable.
E. Other recipients
- Business Transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, under safeguards and with notice where required.
- Legal & Safety: to comply with law, enforce our agreements, protect rights, property, and safety, and address fraud, abuse, or security issues.
- With Your Direction: when you integrate a third-party app, share content externally, or ask us to disclose information.
We do not sell Personal Data or share it for cross-context behavioral advertising.
7) Analytics
We use Umami, self-hosted on our DigitalOcean infrastructure in Frankfurt, to understand product usage and improve Draftly. As configured by us, the Umami tracking script does not set tracking cookies and does not store raw IP addresses; visitor sessions are derived from a daily, salted hash so that individuals cannot be re-identified across days.
We track privacy-respecting product events such as login_start, login_success, draft creation/edit, AI insertion/selection, feedback creation, comment resolution, and purchase events. We rely on our legitimate interest under Art. 6(1)(f) GDPR for this measurement; where local law requires consent for analytics storage, we will request it via our consent banner before any non-essential storage is used.
8) Children
Our Services are not directed to children. In Germany, the digital consent age under Art. 8 GDPR is 16; we do not knowingly collect Personal Data from anyone under 16. For other jurisdictions, we do not knowingly collect Personal Data from children below the applicable digital consent age (13 in the United States; varying between 13 and 16 elsewhere in the EEA). If you believe a child provided Personal Data to us, contact us and we will take appropriate steps to delete it.
9) Data retention
- Account data: kept for the lifetime of your account. After account deletion, we aim to delete or irreversibly anonymize within 90 days, subject to legal holds and backup rotation.
- User content (drafts, comments, uploads): kept while your account is active; deleted drafts are removed from active systems immediately and from encrypted backups within 30 days.
- Invoices and transaction records: retained for 10 years to comply with § 147 AO and § 257 HGB.
- Authentication logs: retained for up to 90 days to support fraud detection and incident response.
- Application and security logs: retained for up to 90 days.
- Analytics events (Umami): retained for up to 12 months in identifiable form, then aggregated.
- Newsletter / marketing engagement (Mautic): retained while you are subscribed. After unsubscribe we remove your profile within 30 days, except for a minimal suppression record needed to honor your opt-out.
10) Security
We implement technical and organizational measures designed to protect Personal Data, including encryption in transit, restricted access, and monitoring. No system is perfectly secure; we cannot guarantee absolute security. If we learn of a breach affecting your Personal Data, we will notify you and regulators as required by law.
11) International data transfers
Most processing happens in the European Union: our hosting (DigitalOcean, Frankfurt), database and authentication (Supabase, EU region), fonts (Bunny.net, Slovenia), and OCR (Mistral AI, France) all run in the EU.
Some processors are based in the United States, namely OpenAI, Anthropic, Google (Gemini API), Stripe, Resend, and Cloudflare. For these transfers we rely on appropriate safeguards under Art. 46 GDPR, in particular the EU Standard Contractual Clauses, and, where the provider is certified, the EU-U.S. Data Privacy Framework. Where additional supplementary measures are appropriate, we apply them.
12) Your rights & choices
Depending on your location, you may have the right to:
- Access the Personal Data we hold about you.
- Correct inaccurate or incomplete Personal Data.
- Delete your Personal Data.
- Restrict or object to certain processing.
- Port your Personal Data to another service.
- Withdraw consent where processing is based on consent.
- Complain to a supervisory authority.
You can exercise many rights via in-product settings (e.g., account deletion, profile updates). Otherwise, email [email protected]. We may need to verify your identity and may decline requests as permitted by law (e.g., where disclosure would harm others’ rights or violate legal requirements).
US State Privacy (e.g., CA/CO/CT/VA/UT): You may have similar rights, including the rights to know, delete, and correct, and the right to be free from discrimination for exercising your rights. We do not sell Personal Data or share it for cross-context behavioral advertising. Authorized agents may submit requests on your behalf with proper authorization. You may appeal a decision by writing to [email protected].
13) AI features & automated decision-making
Draftly’s AI features generate text suggestions and feedback based on your inputs. We do not use automated decision-making that produces legal or similarly significant effects about you. We may use limited automated processing for abuse prevention and security.
Training & improvement: We do not train AI models on your private drafts, and we do not give third-party AI providers permission to train their models on your content. We use OpenAI, Anthropic, Google (Gemini API), and Mistral AI on their standard API tiers, where the provider’s default policy is that API content is not used to train their foundation models. We may use aggregated, de-identified usage patterns to improve product functionality and safety systems.
14) Cookies & similar technologies
We use cookies and similar browser storage only for the purposes described below. We do not use third-party advertising cookies and do not engage in cross-site tracking.
- Strictly necessary. Supabase Auth sets a session cookie to keep you logged in. Stripe sets cookies (e.g., __stripe_mid, __stripe_sid) on checkout pages to process payments and detect fraud. Cloudflare Turnstile may set short-lived cookies (e.g., cf_clearance) when challenging suspicious sign-in or signup attempts. These are required for core functionality and do not require consent under § 25(2) TDDDG.
- Preferences. We store your locale, theme, and consent choice in your browser so the product behaves consistently across visits.
- Analytics. Our Umami tracking script does not set cookies. Where local law requires consent for analytics storage, our consent banner asks for it before any non-essential storage is used.
- Marketing. Emails sent through our self-hosted Mautic instance may contain open- and click-tracking pixels. You can opt out of marketing emails at any time on your Account page or via the unsubscribe link in each email.
15) Third-party links
Our Services may link to third-party websites and services. Their privacy practices govern any information you provide to them. We are not responsible for their content or policies.
16) Data from organizations
If you use Draftly under an organization (e.g., a team or enterprise account), your organization may administer your account and access certain information subject to its policies. Your use may be subject to your organization’s agreements with us.
Data Processing Agreement. For business customers who process personal data on behalf of others using Draftly, a data processing agreement (DPA) under Art. 28 GDPR is available on request. Please contact [email protected].
17) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version and adjust the “Last Updated” date above. If changes materially affect your rights, we will provide additional notice (e.g., in-app or by email) where required by law.
18) Contact
Questions or requests about privacy: [email protected]. We will respond as required by applicable law.
Draftly does not sell Personal Data or share it for cross-context behavioral advertising.