Privacy Policy

Last updated: April 5, 2026

1. Introduction

Draftly (“we,” “us,” or “our”) operates the website and services available at https://draftly.space (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, create an account, purchase a subscription, or otherwise interact with us.

We act as a data controller for personal data for which we determine the purposes and means of processing. Where we process data strictly on behalf of a customer (for example, as a processor under a written agreement), that relationship is governed by our terms and any data processing addendum.

By using the Service, you acknowledge that you have read this policy. If you do not agree, please do not use the Service.

2. Scope & children

The Service is not directed to children under 16 (or the age required by your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will delete it promptly.

3. Data we collect

Depending on how you use the Service, we may collect:

  • Account & identity: name, email address, authentication identifiers (for example, Google sign-in subject ID), profile image URL if provided by your identity provider, and account preferences.
  • Billing & transactions: subscription status, plan, payment-related records, and transaction references. Payment card data is typically handled by our payment processor; we do not store full card numbers on our servers.
  • Usage & technical data: IP address, device/browser type, approximate location derived from IP, pages viewed, referring URLs, timestamps, and diagnostic logs needed to operate and secure the Service.
  • Content you provide: prompts, uploads, generated outputs, project metadata, and support messages you send us.
  • Communications: email correspondence and metadata (for example, delivery status) when you contact us.

4. How we use data (purposes & legal bases)

We use personal data for the following purposes, as permitted by applicable law:

  • Provide and improve the Service — account creation, authentication, generation features, hosting of your content as described in our Terms, troubleshooting, and product analytics. Legal bases (where GDPR applies): performance of a contract; legitimate interests in operating and improving a secure SaaS product.
  • Billing and fraud prevention — processing payments, detecting abuse, and enforcing our Terms. Legal bases: performance of a contract; legitimate interests; legal obligations where applicable.
  • Security & compliance — monitoring for attacks, fraud, and violations; audit logs; responding to lawful requests. Legal bases: legitimate interests; legal obligation.
  • Communications — service-related notices, security alerts, and (where permitted) product updates. Marketing emails, if any, are sent in line with your preferences and applicable law. Legal bases: legitimate interests; consent where required.
  • Analytics & measurement — understanding how the Service is used to improve UX and performance. Where required, we rely on consent or legitimate interests as described in our Cookie Policy.

5. Cookies & similar technologies

We use cookies, local storage, and similar technologies for authentication, preferences, security, and analytics. Details, including third-party tools such as analytics or advertising pixels, are described in our Cookie Policy.

6. Sharing & subprocessors

We may share personal data with:

  • Service providers who assist with hosting, databases, email, analytics, payments, customer support, security, and AI/model infrastructure — only as needed to perform their functions and subject to appropriate contractual safeguards.
  • Professional advisors (lawyers, accountants) where required.
  • Authorities when we believe disclosure is required by law, regulation, legal process, or to protect rights, safety, and security.
  • Business transfers in connection with a merger, acquisition, or sale of assets, with notice as required by law.

A current list of categories of recipients may be provided on request. We do not sell personal data for money in the traditional sense; where US state laws define “sale” or “sharing” broadly (for example, certain advertising cookies), we describe choices in our Cookie Policy and honor applicable opt-out signals where required.

7. International transfers

We may process and store data in the United States, India, the European Economic Area, the United Kingdom, and other countries where we or our providers operate. When we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms, plus supplementary measures where appropriate.

8. Retention

We retain personal data only as long as necessary for the purposes above, including legal, accounting, and reporting requirements. Retention periods vary: for example, account data is kept while your account is active and for a reasonable period afterward; security logs may be kept for a shorter or longer period depending on operational need. Aggregated or de-identified information may be retained without limitation where permitted.

9. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and vendor review. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Your rights (EEA, UK, Switzerland)

If the GDPR or UK GDPR applies, you may have the right to:

  • Access, rectify, or erase your personal data;
  • Restrict or object to certain processing;
  • Data portability;
  • Withdraw consent where processing is consent-based;
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at support@draftly.business. We may need to verify your identity before fulfilling requests.

11. Your rights (United States)

Depending on your state of residence (for example California, Colorado, Virginia, and others with comprehensive privacy laws), you may have rights to know, access, correct, delete, or obtain a copy of personal information, and to opt out of certain processing such as “sale,” “sharing,” or targeted advertising, as those terms are defined locally. You may also have the right to appeal our decisions. We do not discriminate for exercising privacy rights.

Submit requests by emailing support@draftly.business with “Privacy Request” in the subject line. Authorized agents may submit requests where permitted by law; we may require proof of authorization.

12. Automated decision-making

The Service uses automated systems (including AI) to generate content from your inputs. We do not use those systems to make solely automated decisions with legal or similarly significant effects about you without human oversight where such a prohibition applies.

13. Third-party links & integrations

The Service may link to third-party sites or allow you to connect integrations (for example payment, analytics, or deployment providers). Those services have their own policies; we are not responsible for their practices.

14. Changes

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. For material changes, we may provide additional notice (for example, by email or in-product notice) where required.

15. Contact

Questions about this policy or our data practices: support@draftly.business

Data controller: Draftly. Primary contact for privacy inquiries: support@draftly.business.