Privacy Policy
Your privacy matters
Effective date: June 12, 2026
1. Who We Are
Draftlytic is operated by Robert Boylan, trading as Draftlytic, based in Ireland. Robert Boylan is the data controller responsible for your personal data under this policy.
If you have any questions about this privacy policy or how we handle your data, including requests to exercise your data protection rights, please contact us at draftlytic@gmail.com. This is also our designated data protection contact.
2. Information We Collect
We collect different categories of personal data depending on how you interact with the Service:
Identity Data — your email address, and if you sign in with Google or GitHub, your display name, profile picture URL, and the account identifier from that provider. GitHub sign-in additionally provides your GitHub username and the email address GitHub shares with us; at sign-in we request only basic profile and email scopes (read:user and user:email) and never repository access. Authentication credentials are managed by Supabase Auth; we do not store passwords directly.
Project Data — project names, overviews, features, and other content you create in the Service.
GitHub Integration Data — if you connect the optional Draftlytic GitHub App (a paid-plan feature), we store the GitHub installation identifier, your GitHub account login and account type, and — per project — the repository owner and name you last pushed to, the time of the last push, and the commit identifier. We do not store GitHub access tokens; short-lived tokens are generated only at the moment of a push and are never written to our database. When you push a PRD, the Markdown content of that PRD is sent to the repository you select and written as a PRD.md file, and the commit includes a Co-authored-by trailer containing your GitHub username and the email address associated with your Draftlytic account (or a GitHub no-reply address if no email is on file). If the repository you push to is public, that file and the commit metadata (including that email address) become publicly visible on GitHub. You choose which repositories the GitHub App can access, and you can disconnect it at any time from Settings > Integrations.
Financial Data — subscription and billing information processed through Polar.sh. We never see or store your full card number. We store internally: your subscription tier and billing interval, the payment provider used (currently Polar.sh, recorded as payment_provider), and a subscription identifier provided by the payment processor (polar_subscription_id) that links your Draftlytic account to your Polar.sh subscription record.
Usage Data — credit usage, transaction history, and AI generation metadata (token counts, estimated costs) for billing reconciliation.
Network Data — IP address and request metadata processed by our infrastructure providers (Vercel and Supabase/AWS) for traffic routing, DDoS protection, and security monitoring. Cross-reference Section 4 for the third-party processors involved.
Uploaded Images — if you upload screenshots or images to the sketchpad canvas during project creation, those images are stored persistently in Supabase storage and associated with your project. They are sent to the AI provider for processing when you request AI generation. Uploaded images are deleted when you delete the project or your account. Avoid uploading images that contain personal data such as real names, addresses, phone numbers, financial information, or other sensitive information — such content will be transmitted to our AI provider and processed in accordance with their terms.
Support & Bug Report Data — if you submit a bug report through the in-app form, we collect the report description you provide, your email address, and optionally the project associated with the report. We also automatically collect technical diagnostics including: page URL, browser/device information, screen size, locale, timezone, recent console errors, recent navigation history, connection type, active theme, subscription tier, and credits remaining. If you attach screenshots to a bug report, those image files are stored separately in Supabase storage and are deleted when the bug report is purged — up to 3 months after submission, or up to 3 months after account deletion if the report is still on file. Deleting your account anonymises the report but does not immediately remove attached screenshots; they are erased when the report itself is purged. Bug reports are retained for 3 months after triage so we can investigate and resolve issues. If you delete your account before that, your user identifier is removed from the report (anonymised); the report description and technical diagnostics stay on file until the 3-month retention window expires, then they are automatically deleted.
Churn Feedback Data — if you downgrade to a lower tier or delete your account, you may be shown a brief optional survey. We collect your response: a predefined reason category (e.g., "too expensive", "missing feature"), an optional free-text comment (up to 1,000 characters), the event type (downgrade or account deletion), and your subscription tier at the time. Declining the survey does not affect your account action. On account deletion, your user ID is removed from the record (anonymized) and the cohort signal is retained for service improvement.
Attribution Survey Data — shortly after you create your first project, we may show you a brief optional survey asking how you heard about Draftlytic. We collect your response: a predefined source category (e.g., "twitter", "reddit", "google_search") and, if you select "Other", a free-text description of up to 200 characters. Dismissing the survey without answering records only that the survey was shown, with no source value. Attribution data is retained while your account is active and deleted with your account.
Referral Program Data — each Draftlytic account is assigned a unique 8-character referral code. We store: your referral code, the number of successful referrals you have made, the total referral credits you have earned, and the date referral credits were last granted. If you were referred by another user, we also store that user's internal account identifier (a pseudonymous UUID) in the referred_by column of your account record — this links your account to theirs for credit-grant purposes, but does not expose their name or email to you. If the user who referred you deletes their account, their identity is removed from your referral record (set to null); your referral credits and grant history remain. Referral data is retained while your account is active and deleted with your account.
Marketing Email Preferences — your account includes two notification preferences: product updates and tips & guides. Both default to opted out at account creation; you can opt in to either (or both) at signup, or later in Profile > Notifications. Every marketing email we send also includes an unsubscribe link. We record only your boolean preference flag; we do not store email-open or click-tracking data.
Product updates list (no account needed)
You can also join our product-updates list directly from the landing page, without creating a Draftlytic account. When you submit your email through that form, we store: your email address; the consent statement you accepted and its version; a hashed IP address (not the raw address) used only to detect and prevent abuse of the signup form; and the page you signed up from. We use this data solely to send you occasional product update emails.
Legal basis: your consent (GDPR Art. 6(1)(a)). Retention: we keep your entry until you unsubscribe or ask us to delete it. Withdrawing consent: once we begin sending these emails, every one will include an unsubscribe link; you can also withdraw at any time — before or after sending starts — by emailing us at draftlytic@gmail.com. Processor: once sending begins, these emails will be delivered through Brevo, our EU-based transactional email provider (see Section 4).
AI Audit Logs — each AI call made on your behalf is recorded in our internal ai_call_logs table. For failed calls, prompt content and response details are retained for debugging; successful calls record only token counts, latency, model identifier, and estimated cost. These logs are retained for 7 days and are used for billing reconciliation, abuse detection, and service reliability. This includes prompts from all AI features — project generation, AI edits, the PRD Workshop, and the AI scan. The PRD content you paste into the Workshop and the project content scanned for fixes are stored alongside the prompts that generated them. See our AI Policy for more detail on how AI-related data is handled.
URL Metadata — when you provide URLs (for example, when using the PRD Workshop scan feature), Draftlytic's servers fetch metadata from those URLs server-side to extract title, description, and image information. URLs may contain query-string data; this fetch occurs from Draftlytic's infrastructure, not your browser.
Email Blacklist Data — where we terminate an account for a serious or repeated breach of our Terms of Service (for example, abuse, fraud, or activity that harms other users or the Service), an administrator may add the email address associated with that account to an internal email blacklist. The record contains: the email address, the date it was blacklisted, an optional internal reason note written by the administrator, and the internal user identifier of the administrator who applied it. Once an email is on this list, attempts to sign up again with that address are refused. We retain blacklist records indefinitely for as long as is necessary to protect the Service from continued abuse. See §8 for retention details and §10 for how to request review or removal.
Data sharing between users
If you share a project with another Draftlytic user, the recipient will be able to view (and, if granted edit access, modify) the project data you have shared. Only the specific project data is shared — your account details, billing information, and other projects remain private. When you share a project, the recipient's email address is stored in connection with the shared project to manage access permissions. Both parties can revoke sharing at any time.
How we collect your data
- Directly from you — when you create an account, sign in with Google or GitHub OAuth, create projects, or purchase a subscription
- Automatically — when you use the Service, we record usage data such as credit transactions and AI token counts
- From third parties — Polar.sh provides us with payment confirmation and subscription status; Google OAuth provides identity data when you choose to sign in with Google; GitHub provides identity data when you choose to sign in with GitHub, and repository metadata (the list of repositories you grant access to) when you connect the GitHub App
Local device storage
We also store certain preferences and session data locally on your device using localStorage (not cookies). This includes your theme preference, session activity timestamps, in-progress project creation state, and UI dismissal preferences. This data never leaves your device and is not transmitted to our servers. You can clear it at any time via your browser settings.
Aggregated and anonymized data
We may derive aggregated, anonymized data from your personal data (e.g., calculating the percentage of users on each subscription tier). Anonymized data is not personal data under GDPR. However, if we combine anonymized data with your personal data in a way that could identify you, we treat the combined data as personal data.
Special categories of data
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data).
3. How We Use Your Information
Under GDPR, we must have a lawful basis for each way we process your personal data. The table below sets out our purposes and the legal basis we rely on for each.
| Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Draftlytic service (account creation, project storage, authentication) | Performance of our contract with you (Terms of Service) |
| Processing subscription and credit purchases via Polar.sh | Performance of contract |
| Sending prompts to Google Gemini to generate project plans, edit projects, and create logos on your behalf | Performance of contract (necessary to deliver the AI features you request) |
| Authenticating you when you choose to sign in with Google or GitHub | Performance of our contract with you (providing account access) |
| Pushing your PRD to a GitHub repository you have connected and selected, when you request it | Performance of contract (delivering the GitHub push feature you request) |
| Communicating with you about your account, billing, or service changes | Performance of contract; Legitimate interests (keeping you informed about the service you use) |
| Improving the service based on aggregated, anonymized usage patterns | Legitimate interests (improving our service for all users) |
| Recording credit transactions and token usage for billing reconciliation | Performance of contract; Legal obligation (financial record-keeping) |
| Receiving and investigating bug reports you submit | Legitimate interests (maintaining service quality and resolving issues) |
| Collecting optional churn feedback when you downgrade or delete your account | Legitimate interests (understanding why users leave to improve the service) |
| Collecting optional attribution survey response ("How did you hear about us?") | Legitimate interests (understanding which acquisition channels are effective) |
| Operating the referral program (assigning referral codes, tracking referrals, granting referral credits) | Performance of contract (delivering the credit reward you and the referred user are entitled to) |
| Sending product update announcements and optional tips/guides emails (Product updates & Tips, guides preferences) | Consent (Art. 6(1)(a) GDPR) — you opt in at signup or later in Profile > Notifications; you may withdraw at any time by toggling those preferences or using the unsubscribe link in each email |
| Sending occasional product update emails to people who join the public "product updates" list from the landing page (no account required) | Consent (Art. 6(1)(a) GDPR) — you opt in by submitting the signup form; you may withdraw at any time by using the unsubscribe link in each email once sending begins, or by contacting us |
| Maintaining an internal email blacklist for accounts terminated for serious or repeated breach of the Terms of Service, and refusing new sign-ups from blacklisted addresses | Legitimate interests (protecting the Service and our users from abuse, fraud, and repeated breaches by previously-terminated accounts). We only apply a block where it is a proportionate response to the conduct in question. You may request review or removal — see §10. |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests — see the "Your Rights" section below.
4. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — Authentication and database hosting
- Polar.sh — Payment processing for paid subscriptions and credit top-ups (see Polar.sh privacy policy). Polar receives your email address, billing country, and payment method details directly — we never see or store your full card number. Polar is US-based; transfers rely on Standard Contractual Clauses (and the EU-US Data Privacy Framework where the provider is certified).
- Sentry — Error monitoring and performance tracing. We use Sentry to capture both client-side and server-side (edge function) error events and a sample of performance traces so we can fix bugs and regressions. Broad personally identifiable information is intentionally suppressed (
sendDefaultPii: false); the collected data is limited to error stack traces, page URLs, user-agent strings, Web Vitals timings, and a pseudonymous internal user identifier attached to error events so we can triage issues affecting your account. Sentry is US-based; transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. - Google Gemini — Primary AI provider for project generation, editing, and all image generation. Google may temporarily retain prompts and responses for abuse monitoring in accordance with their Gemini API Terms of Service. We do not send your name, email, or payment information to Google — only the project-related text you provide. Google AI processing may be served via either Gemini AI Studio or Google Cloud Vertex AI; both are operated by Google LLC and covered by the Google Cloud Data Processing Addendum.
- OpenAI — AI generation fallback ( gpt-5.4-mini). When Gemini is temporarily unavailable, text generation requests may be served by OpenAI instead. The same data that would go to Gemini (your project prompts and content) may go to OpenAI in those cases. Image generation is never sent to OpenAI. OpenAI processes data under their Data Processing Addendum. OpenAI does not use API data for training by default.
- Bunny Fonts (bunny.net) — Font delivery. We use Bunny Fonts, a GDPR-compliant, privacy-first drop-in replacement for Google Fonts operated by BunnyWay d.o.o. (Slovenia, EU). When you load Draftlytic, your browser requests fonts from Bunny's CDN. Bunny Fonts does not log IP addresses, does not set cookies, and does not track users. See Bunny's Privacy Policy for more information.
- Vercel — Hosting, content delivery, and analytics. Vercel processes your IP address and request metadata for traffic routing and DDoS protection. We also use Vercel Web Analytics (cookieless page view tracking) and Vercel Speed Insights (performance metrics) to monitor and improve the service. These tools collect page URLs, referrer URLs, browser/device metadata, and Web Vitals performance data — no cookies are used. We rely on legitimate interest (Art. 6(1)(f) GDPR) for this analytics processing. Our legitimate interest is monitoring and improving Service performance. We have assessed that this interest is not overridden by your fundamental rights because: (a) Vercel Analytics collects no personally identifiable data (no cookies, no cross-site tracking); (b) data is aggregated; (c) you can object by contacting us via the address listed in Section 1. You have the right to object to this processing — contact us at draftlytic@gmail.com to opt out. See Vercel's Privacy Policy.
- Brevo (Sendinblue) — Transactional email delivery. We share your email address with Brevo solely to deliver transactional emails (authentication, account notifications, billing receipts). Brevo processes data under a Data Processing Agreement. DPA. As Brevo is headquartered in France (EU), no transfer outside the EEA occurs; standard GDPR obligations apply.
- PostHog — Product analytics. We use PostHog to capture behavioural events (e.g. signup, project generation, subscription upgrade, churn) so we can measure and improve the service. PostHog is configured in cookieless, in-memory mode — no persistent identifier is written to your device and no autocapture is performed. While you are signed in we associate your Supabase user ID with these events so we can analyse cohort behaviour. Data is sent to PostHog's EU cloud (eu.i.posthog.com), so it remains in the EEA. Legal basis: legitimate interests (Art. 6(1)(f) GDPR — improving the service). You can object to analytics processing by emailing draftlytic@gmail.com. PostHog DPA.
- GitHub — Optional sign-in and PRD push. If you choose "Continue with GitHub", GitHub provides basic profile and email data to authenticate you (we request only
read:useranduser:emailscopes — never repository access at sign-in). Separately, if you install the Draftlytic GitHub App (paid plans), we send the PRD Markdown you choose to push to the repositories you authorize, written as aPRD.mdfile, along with commit metadata that includes your GitHub username and your account email. GitHub is operated by GitHub, Inc. (a Microsoft company) and is US-based; transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. See GitHub's Privacy Statement.
Data Processing Agreements
We rely on the Data Processing Agreements published and maintained by our sub-processors as required by GDPR:
- Polar.sh — Polar Data Processing Agreement
- Sentry — Sentry Data Processing Agreement
- Google (Gemini) — Google Cloud Data Processing Addendum
- OpenAI — OpenAI Data Processing Addendum
- Supabase — Supabase Data Processing Agreement
- Vercel — Vercel Data Processing Addendum
- Brevo (Sendinblue) — Brevo Data Processing Agreement
- PostHog — PostHog Data Processing Agreement
- GitHub — GitHub Data Protection Agreement
Each of these services has its own privacy policy and data retention practices. We encourage you to review them. When you delete your Draftlytic account, we remove all your data from our systems. However, third-party services (Polar.sh and Google) may retain certain data independently under their own policies — for example, Polar retains transaction records for legal and regulatory compliance, and Google may retain API logs for abuse prevention. If you connected the GitHub App, deleting your account removes our record of the installation, but the Draftlytic GitHub App may remain installed on your GitHub account until you uninstall it there (or disconnect it from Settings > Integrations before deleting your account).
5. Automated Decision-Making
We use AI (Google Gemini) to generate project plans, features, logos, and other content based on the text you provide. This processing is initiated only when you explicitly request it (e.g., by clicking "Generate" or "Edit with AI"). All AI-generated output can be reviewed, edited, and deleted by you.
This does not constitute solely automated decision-making with legal or similarly significant effects under GDPR Art. 22 — the AI assists with content creation, and you retain full control over the output.
6. Data Storage and Security
Your data is stored in Supabase-hosted PostgreSQL databases with row-level security (RLS) policies that ensure each user can only access their own data. We use HTTPS for all data in transit and rely on Supabase's encryption for data at rest.
Additional security measures include:
- Access to production databases is restricted to the service role, not exposed to client-side code
- Payment data is processed entirely by Polar.sh — we never handle or store card details
- AI-generated content is sanitized to prevent cross-site scripting (XSS) attacks. Logos are generated and stored as PNG images
- Rate limiting is enforced on all AI endpoints to prevent abuse
While we take reasonable measures to protect your information, no method of electronic storage is 100% secure.
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We use the following third-party services that process data in the US:
- Supabase (database and authentication) — hosted on AWS. Supabase maintains Standard Contractual Clauses (SCCs) for international transfers. See their Privacy Policy and Data Processing Agreement.
- Polar.sh (payment processing) — US-headquartered. Polar relies on Standard Contractual Clauses and the EU-US Data Privacy Framework for transfers from the EEA. See their Privacy Policy.
- Sentry (client-side error monitoring) — US-based. Sentry relies on Standard Contractual Clauses and the EU-US Data Privacy Framework. PII is suppressed via
sendDefaultPii: false. See Sentry's Privacy Policy. - Google Gemini (AI generation) — US-based processing. Google relies on SCCs and its certification under the EU-US Data Privacy Framework for transfers from the EEA. See the Gemini API Terms of Service.
- OpenAI (AI generation fallback) — US-based. OpenAI relies on Standard Contractual Clauses for EEA-to-US transfers. See OpenAI's Privacy Policy.
- Vercel (hosting, edge compute, and analytics) — relies on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. See Vercel's Privacy Policy.
- GitHub (optional sign-in and PRD push) — US-based, operated by GitHub, Inc. (a Microsoft company). Relies on Standard Contractual Clauses and the EU-US Data Privacy Framework. See GitHub's Privacy Statement.
- Brevo (Sendinblue) (transactional email) — headquartered in France (EU). No EEA transfer occurs; data remains within the EU.
There is currently no general adequacy decision in place for the United States under GDPR, though the EU-US Data Privacy Framework provides a mechanism for certified organisations. Where our providers are not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal safeguard for these transfers.
8. Data Retention
We retain your data for as long as your account is active, with the following category-specific retention periods:
- Identity Data (email, name, profile) — retained while your account is active; deleted within 30 days of account deletion
- Project Data (projects, features, logos, shared projects) — retained while your account is active; deleted within 30 days of account deletion
- Financial Data (subscription records, credit transactions) — retained for 7 years after the transaction date for legal and tax compliance obligations. Upon account deletion, financial records are anonymized (your user identity is removed) and retained in de-identified form for the statutory retention period; anonymized records older than 7 years are automatically purged on a monthly basis
- AI Call Logs (prompt messages, token counts, model used) — retained for 7 days for debugging and abuse prevention; automatically purged daily thereafter
- Credit Transaction Metadata (credit amounts, transaction type, timestamps) — retained for 7 years after the transaction date alongside Financial Data for legal and tax compliance. Metadata may include a session identifier used for idempotent deduction — retained alongside the transaction record for the same statutory period as the financial data. Upon account deletion, records are anonymized and retained in de-identified form for the statutory period; anonymized records older than 7 years are automatically purged on a monthly basis
- Uploaded Images — stored in Supabase storage and associated with your project; deleted when the project or account is deleted. Individual AI-generated logo images can be deleted on-demand at any time from the project's logo panel. Logos that fail or get stuck during generation are automatically removed by the service within approximately 7 minutes to release resources and refund any credits charged
- Bug Report Data — retained for 3 months to investigate and resolve reported issues, then automatically deleted. On account deletion, your user identifier is removed from the report (anonymised); the report content and diagnostics remain until the 3-month window expires
- Payment History (transaction amounts, currency, status, provider reference) — retained for 7 years after the transaction date for legal and tax compliance. On account deletion, records are anonymized (your user ID is removed) and retained in de-identified form for the statutory period
- Churn Feedback Data — anonymized on account deletion (your user ID and free-text comment are removed); the anonymized record (tier, reason, and event type only) is retained for up to 5 years as an aggregate cohort signal, then purged. No personal data is retained after anonymization
- Attribution Survey Data — retained while your account is active; deleted when your account is deleted
- Referral Program Data (referral code, referred-by code, referral counts and credits) — retained while your account is active; deleted when your account is deleted
- GitHub Integration Data (installation identifier, GitHub account login, and per-project repository links) — retained while your account is active and the integration is connected; deleted when you disconnect the integration or delete your account. Disconnecting from Settings > Integrations uninstalls the Draftlytic GitHub App (removing its access to your repositories); it does not revoke the separate GitHub sign-in authorization, which you can remove yourself from "Authorized GitHub Apps" in your GitHub settings. Deleting your Draftlytic account removes our stored record but does not automatically uninstall the App on GitHub's side — remove it from your GitHub settings if it is still listed
- Email Blacklist Data (email address, date blacklisted, optional internal reason note, identifier of the administrator who applied it) — retained indefinitely for as long as the block continues to serve its protective purpose. If the administrator who applied the block later deletes their own account, their identifier is removed from the record (set to null); the email address and date remain. You may request review or removal by contacting us at the address in §1.
If you delete your account, we will delete your personal data from our systems within the timeframes above, except where we are required to retain it for legal or compliance purposes. Please note that third-party service providers (such as Polar.sh and Google) may independently retain data processed through their platforms in accordance with their own retention policies and legal obligations.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33 (EU/EEA) and the UK GDPR. For users in the EU/EEA, this is the Irish Data Protection Commission (DPC); for users in the United Kingdom, this is the Information Commissioner's Office (ICO). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
Notification will include the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
10. Your Rights
Under GDPR and the Irish Data Protection Act 2018, you have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your data where there is no compelling reason for continued processing
- Restriction — request that we restrict processing of your data in certain circumstances
- Objection — object to processing based on legitimate interests (see section 3)
- Data portability — receive your data in a structured, commonly used, machine-readable format. You can export all of your personal data at any time from your Account Settings page using the "Export My Data" button, which provides an instant JSON download containing your profile, projects, your generated logo library, credit transaction history, subscription details, project shares, AI call logs, bug reports you have submitted, payment history, any churn feedback you provided, your sign-up attribution survey response, and your GitHub integration details (if connected). Exports are rate-limited to once per 24 hours.
- Withdraw consent — where we rely on consent as the legal basis for processing, you may withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at draftlytic@gmail.com. We will respond within one month. For complex or numerous requests, we may extend this by up to two additional months, in which case we will notify you within the first month.
You also have the right to lodge a complaint with a data protection supervisory authority. The lead supervisory authority for Draftlytic is the Irish Data Protection Commission (DPC), which can be contacted at info@dataprotection.ie or via www.dataprotection.ie. If you are located in the United Kingdom, you may instead lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the chance to address your concerns before you approach the DPC or ICO, so please contact us first.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know — you may request details about the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and categories of third parties with whom we share it
- Right to Delete — you may request deletion of your personal information, subject to certain legal exceptions
- Right to Correct — you may request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at draftlytic@gmail.com. We will verify your identity before processing your request and respond within 45 days.
In the preceding 12 months, we have collected the categories of personal information described in Section 2 above. We disclose personal information to the service providers listed in Section 4 for business purposes only. We do not sell personal information.
12. Cookies and Local Storage
We do not use cookies for authentication or tracking. We do not use advertising or third-party tracking cookies.
We use your browser's localStorage for the following purposes:
- Authentication session tokens (strictly necessary) — managed by Supabase Auth to keep you signed in. Without these, the Service cannot function.
- Theme preference — your light/dark mode choice
- In-progress project creation state (including your project description and questionnaire answers) — so you can resume if you navigate away
- UI dismissal preferences — remembering which notices you have dismissed
- Terms consent flag — a temporary flag used during Google or GitHub OAuth signup to record consent on redirect-back
- PRD Workshop session (
draftlytic:prd-workshop:v1:{userId}) — your current PRD Workshop session including PRD text, revisions, and AI conversation history. Stored locally only; cleared when you reset the session. - AI scan results (
draftlytic:project-scan:v1:{userId}:{projectId}) — pending AI scan fix suggestions for a project, including the fix descriptions and affected sections. Stored locally so you can review and apply fixes across page visits; cleared when you dismiss or apply all fixes. - Pending AI action payload (
draftlytic:pending-intent:{userId}) — a temporary store for an in-progress AI action (such as a prompt or PRD content) that was initiated before authentication completed. May include prompt text or PRD content. Cleared once the action is submitted or abandoned. - Landing page pending prompt (
draftlytic_pending_prompt) — the project idea you entered on the landing page before signing up, so it can be pre-filled after account creation. Cleared once used. - Pending referral code (
draftlytic-referral-code-pending) — a referral code captured from a?ref=URL parameter when you visit via a referral link. Stored temporarily so the code survives an OAuth sign-in round-trip. Cleared once the code is applied to your account or confirmed invalid. - Implementation plan generation state (
impl_plan_pending_{projectId}) — tracks whether an implementation plan export is in progress for a project, so the UI can restore state across page reloads. Cleared when the export completes or is cancelled. - Session activity (
draftlytic_last_activity) — a timestamp of your last interaction, used to detect inactivity for security. Cleared on sign-out. - UI preference flags — additional small flags that remember interface preferences, including whether to skip the post-export success modal (
draftlytic:export-success-skip) and the open/closed state of the sidebar (sidebar:state). These contain no personal data.
All localStorage data is local to your device and is not transmitted to our servers (except authentication tokens, which are sent as authorization headers with API requests). You can clear localStorage at any time via your browser settings, though doing so will sign you out.
13. Children's Privacy
Draftlytic is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are in the EU/EEA, you must be at least 16 years old to use this service.
14. Changes to This Policy
We may update this privacy policy from time to time. We will provide at least 30 days' notice before material changes take effect by posting the new policy on this page and updating the effective date — matching the change-notice period for the Terms of Service. Continued use of the Service after the notice period constitutes acceptance of the updated policy. Non-material changes (typo fixes, clarifying language, broken-link repair) may be made without prior notice; the effective date will still be updated so you can see when the document last changed.
Where we rely on your consent as the legal basis for processing (for example, marketing emails), a policy update will not alter the scope of that consent: any material change to consent-based processing requires you to affirmatively opt in again (GDPR Art. 7(3)).
15. Contact Us
If you have questions about this privacy policy, contact us at draftlytic@gmail.com.
16. Version History
- June 12, 2026 — Added OpenAI as a named sub-processor (AI generation fallback when Gemini is unavailable): listed in third-party services, DPA, and international data transfers sections
- May 27, 2026 — Added GitHub sign-in and the optional GitHub repository push integration: GitHub identity data, the GitHub Integration Data category, GitHub as a third-party service and sub-processor, and international-transfer and retention disclosures
- May 20, 2026 — Initial version