Privacy Policy

Last updated: January 14, 2026

1. Introduction

Draft Software ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Draft.software ("the Service").

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, and company information when you register
  • Lead Data: Contact information and data you upload about your prospects
  • Email Content: Email templates and messages you create through the Service
  • Payment Information: Billing details processed by our payment provider (Paddle)
  • Communications: Information you provide when contacting support

2.2 Information Collected Automatically

  • Usage Data: How you interact with the Service, features used, and actions taken
  • Device Information: Browser type, IP address, device type, and operating system
  • Email Analytics: Open rates, click rates, and delivery status for emails sent through the Service
  • Cookies: Session cookies and analytics cookies (see Section 7)

2.3 Data Categories & Lawful Bases (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following lawful bases:

  • Contract Performance: Account information, lead data, email content, and usage data necessary to provide the Service you requested
  • Legitimate Interests: Analytics and security monitoring to improve service quality and prevent fraud
  • Consent: Analytics cookies and non-essential tracking (you may withdraw consent at any time via Cookie Preferences)
  • Legal Obligation: Payment/billing records required for tax and accounting compliance

3. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve the Service
  • Process your transactions and send related information
  • Send administrative notifications and service updates
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues and fraud
  • Comply with legal obligations

4. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third-party vendors who assist in operating the Service (hosting, analytics, payment processing)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal information to third parties.

4.1 Subprocessors & Third-Party Services

We rely on the following categories of third-party service providers (subprocessors) to deliver the Service:

  • Cloud Hosting: Microsoft Azure (infrastructure & compute), Appwrite (database & authentication)
  • Payment Processing: Paddle (subscription billing, tax calculation, payment gateway)
  • Email Delivery: User-provided SMTP servers (Gmail, Outlook, etc.)
  • Analytics & Monitoring: Sentry (error tracking), internal analytics (hosted on our infrastructure)
  • CDN & Edge Compute: Cloudflare (email routing worker), Vercel (frontend hosting)

Each subprocessor is contractually bound to data protection obligations consistent with GDPR and applicable privacy laws. For a current list of subprocessors and their locations, please contact us at privacy@draft.software.

5. Data Security

We implement appropriate technical and organizational security measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Regular security assessments and monitoring
  • Access controls and authentication requirements
  • Secure cloud infrastructure with industry-standard certifications

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. You may request deletion of your data at any time via your account settings.

6.1 Retention Periods by Data Type

  • Account & Profile Data: Retained while account is active; deleted upon account deletion request
  • Campaign & Lead Data: Retained while account is active; deleted upon account deletion request
  • Lead Reply Content: Configurable retention window (default: 90 days); automatically purged after expiration
  • Billing Records: Retained for 7 years per tax and accounting regulations (cannot be deleted on request)
  • Security Logs: Retained for 1-2 years for incident investigation (cannot be deleted on request)
  • Cookie Consent Logs: Retained for 3 years to demonstrate compliance with consent regulations

After account deletion, we permanently erase most personal data within 30 days, except where retention is required by law or legitimate business interests (e.g., billing records, security investigations).

7. Cookies and Tracking

We use cookies and similar technologies to:

  • Keep you signed in to your account
  • Remember your preferences
  • Analyze how the Service is used
  • Improve performance and user experience

You can control cookies through your browser settings. Note that disabling cookies may affect certain features of the Service.

8. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data (export available in Settings)
  • Correction: Request correction of inaccurate data (update directly in your account or contact support)
  • Deletion: Request deletion of your personal data (available in Settings under "Privacy & Data")
  • Portability: Request transfer of your data to another service (export as JSON)
  • Objection: Object to certain processing of your data
  • Withdrawal: Withdraw consent where processing is based on consent (via Cookie Preferences)
  • Lodge a Complaint: File a complaint with your local data protection authority (EEA/UK users)

To exercise these rights, visit your account settings, use the self-service export/delete tools, or contact us at privacy@draft.software. We will respond to verified requests within 30 days.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States and European Union member states where our cloud infrastructure and subprocessors are located.

For users in the EEA, UK, and Switzerland, we ensure appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where the destination country has been deemed to provide adequate protection
  • Data Processing Agreements (DPAs) with all subprocessors handling EEA/UK/Swiss data

For a copy of the safeguards in place, please contact us at privacy@draft.software.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@draft.software
  • Support: Contact page
  • Data Protection Officer (DPO): dpo@draft.software
  • Address: [Your Company Legal Name and Postal Address - must be updated before production]

Note to developer: Update the company legal name, registered address, and DPO contact before deploying to production. Consult with legal counsel to ensure all sections comply with applicable laws in your jurisdiction (GDPR, CCPA, etc.).