Privacy Policy
Last updated: February 2026
1. Introduction
Draftic AI ("we", "us", "our") operates the PRD Generator service at draftic.app. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service, in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Data We Collect
Account Data
- Name and email address (provided during registration)
- Authentication credentials (managed by Supabase Auth)
- Subscription and billing information (managed by Stripe)
Content Data
- PRD documents you create or generate
- Custom templates you build
- Knowledge base documents you upload (for RAG context)
- Feedback and ratings you provide on generated content
Usage Data (with consent)
- Anonymous feature usage events (no PII)
- Error reports for service improvement
- Performance metrics
3. How We Use Your Data
- To provide and improve the PRD generation service
- To authenticate your account and manage subscriptions
- To send transactional emails (PRD ready, generation failed, account changes)
- To provide AI-powered features via LLM providers
- To improve the service via anonymous analytics (only with your consent)
4. Third-Party Data Processors
We use the following third-party services to operate Draftic AI. Each has been evaluated for GDPR compliance:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, auth, file storage | Account data, content, files |
| Anthropic (Claude) | AI text generation | Prompts and context (zero data retention) |
| OpenAI | AI text generation | Prompts and context (API: zero data retention) |
| DeepSeek | AI text generation | Prompts and context |
| Stripe | Payment processing | Email, subscription data |
| Resend | Transactional emails | Email address, name |
| PostHog | Anonymous analytics (opt-in only) | Anonymous usage events |
| Sentry | Error monitoring | Error traces (PII stripped) |
5. AI & LLM Data Processing
- Your prompts and context are sent to AI providers solely for generating PRD content. We do not use your data to train AI models.
- Anthropic and OpenAI API usage provides zero data retention by default — your data is not stored by these providers after processing.
- We do not log full prompts or AI responses in production. Only token counts and cost metrics are recorded.
- PII is stripped from error logs to prevent accidental data exposure.
6. Data Retention
- Active account: Data is stored as long as your account is active.
- Subscription cancelled: Data retained for 30 days, then access reverts to the Free plan.
- Account deleted: Soft-deleted immediately. Permanently removed after 30 days. A 7-day warning email is sent before permanent deletion.
- Read notifications: Automatically cleaned up after 30 days.
- Unread notifications: Automatically cleaned up after 90 days.
7. Your Rights (GDPR & CCPA)
You have the following rights regarding your personal data:
- Right to Access: Export all your data at any time from Settings > Privacy.
- Right to Rectification: Update your account information in Settings > Account.
- Right to Erasure ("Right to be Forgotten"): Delete your account and all associated data from Settings > Privacy.
- Right to Data Portability: Export your PRDs, templates, and documents in standard formats (Markdown, JSON, original files).
- Right to Opt Out (CCPA): Opt out of analytics tracking in Settings > Privacy.
- Right to Non-Discrimination: Exercising your privacy rights will not affect the service you receive.
8. Cookies & Local Storage
Essential (always active)
- Authentication session cookies (Supabase Auth)
- Cookie consent preference (localStorage)
Analytics (opt-in only)
- PostHog analytics cookies — only activated after explicit consent via the cookie banner or Settings > Privacy.
You can withdraw analytics consent at any time in Settings > Privacy.
9. Data Security
- All data is transmitted over HTTPS (TLS 1.2+).
- Database access is protected by Row Level Security (RLS) — users can only access their own data.
- File uploads are validated server-side (MIME type, size, content).
- All inputs are sanitized to prevent XSS and injection attacks.
- Security headers (CSP, HSTS, X-Frame-Options) are enforced on all responses.
10. Children's Privacy
Draftic AI is not intended for use by children under the age of 16. We do not knowingly collect personal data from children.
11. Data Processing Agreement
When DrafticAI processes personal data on your behalf, we act as a data processor under GDPR Article 28. Our data processing practices include:
- Processing data only on your documented instructions
- Ensuring all personnel with access to personal data are bound by confidentiality obligations
- Implementing appropriate technical and organizational security measures
- Assisting you in responding to data subject access requests
- Deleting or returning all personal data upon termination of services, at your choice
- Notifying you without undue delay of any personal data breach
Our sub-processors are listed in the “Third-Party Data Processors” section above. We will notify you of any intended changes to sub-processors, giving you the opportunity to object.
To request a signed Data Processing Agreement, contact us at privacy@draftic.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification.
13. Contact Us
For privacy inquiries, data access requests, or to exercise your rights, contact us at: privacy@draftic.app