Privacy Policy
Last Updated: February 21, 2026
Draftly (“Draftly,” “we,” “us,” or “our”) is an AI-powered collaborative writing platform that helps users improve and get feedback on drafts from AI editors and human collaborators. This Privacy Policy explains how we collect, use, disclose, and protect information relating to identified or identifiable individuals (“Personal Data”) when you visit our websites, sign up for or use our services, or otherwise interact with us (collectively, the “Services”).
If you do not agree with this policy, please do not use the Services. Where required by law, we will seek your consent.
1) Who we are & how to contact us
Data Controller: Ferhat Beyaz (Draftly)
Address: Schluchseestr. 26, 13469 Berlin, Germany
Email: [email protected]
If you are in the EEA/UK/Switzerland, you may also contact your local data protection authority. If we appoint an EU/UK representative or Data Protection Officer, we will update this section.
2) Scope
This policy applies to Personal Data we process as a controller through our consumer and business Services. It does not apply to websites, services, or applications that we do not own or control, nor to third-party sites linked from our Services.
3) Information we collect
A. Data you provide directly
- Account & Profile Data: name, email address, password or auth tokens, avatar, locale, and preferences.
- Billing & Payments: purchase history, subscription tier, invoices, and tax details. Payment card data is processed by our payment provider (Stripe); we do not store full card numbers.
- User Content: drafts, text you type or paste, uploaded files and images, editor settings, comments, and feedback you send to us.
- Support & Surveys: information you include in requests, bug reports, or survey responses.
B. Data we receive automatically
- Usage & Device Data: IP address (with truncation/anonymization where configured), approximate location derived from IP, browser type and version, OS, device identifiers, pages viewed, referring/exit pages, timestamps, time on page, and interactions with UI elements.
- Event Data (analytics): page views and product events (see §7).
- Log Data & Diagnostics: error logs, performance metrics, and service telemetry.
C. Data from third parties
- Identity Providers (e.g., Google OAuth): name, email, and identity tokens if you choose to sign in with a third party.
- Payment Provider (Stripe): payment status, last 4 digits/brand, and subscription status necessary to provide Services.
- Service Providers: limited data necessary for hosting, email delivery, security, and support.
We do not intentionally collect sensitive Personal Data (e.g., health data). Please do not include sensitive data in drafts unless strictly necessary.
4) Legal bases for processing (EEA/UK/CH)
- Contract: to provide, maintain, and support the Services you requested.
- Legitimate Interests: to secure and improve the Services; to measure engagement; to prevent fraud and abuse; to personalize non-intrusive product experiences; and to defend legal claims.
- Consent: where required for specific activities (you may withdraw at any time).
- Legal Obligations: to comply with tax, accounting, and regulatory requirements.
5) How we use information
- Provide and operate the Services, including account creation, authentication, drafts, feedback, and collaboration features.
- Process purchases, subscriptions, refunds, credits, and invoices.
- Enable AI features (e.g., insertions, selections, feedback) by securely sending relevant content to AI model providers for inference.
- Maintain safety, security, and integrity; detect, prevent, and respond to fraud or abuse.
- Fix bugs, perform analytics, conduct research, and improve performance and user experience.
- Communicate with you about service updates, changes, and support; send marketing with your consent or where permitted by law.
- Comply with legal requirements and enforce our Terms.
We may aggregate or de-identify data so it can no longer reasonably identify you. We may use and share such information for analytics, research, and improving the Services.
6) Sharing your information
We share Personal Data only as described below, applying appropriate contractual and security safeguards:
- Service Providers (Processors): infrastructure/hosting (DigitalOcean); AI providers (ChatGPT by OpenAI, Gemini by Google, Claude by Anthropic); payments (Stripe); email delivery (Resend); see §7. These providers may only process data under our instructions and are bound by confidentiality and data protection terms.
- AI Model Providers: to deliver AI functionality (e.g., generating suggestions or feedback), we transmit necessary portions of your content to ChatGPT (OpenAI), Gemini (Google), and Claude (Anthropic) for inference. Where feasible, we configure providers to not use your data to train their models and to retain it only as needed for safety or legal compliance. We do not sell your content to AI providers.
- Business Transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, under safeguards and with notice where required.
- Legal & Safety: to comply with law, enforce our agreements, protect rights, property, and safety, and address fraud, abuse, or security issues.
- With Your Direction: when you integrate a third-party app or share content externally.
We do not sell Personal Data or share it for cross-context behavioral advertising.
7) Analytics
We use self-hosted Umami analytics to understand product usage and improve Draftly. As configured by us, Umami does not use cookies in the tracking code. Data is anonymized and aggregated; we do not identify individual users from analytics.
We track privacy-respecting events such as login_start and login_success. You can use browser controls to limit analytics (e.g., private browsing). Because our analytics implementation does not rely on third-party advertising cookies, typical cookie-based opt-outs may not apply.
8) Children
Our Services are not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect Personal Data from children in these age groups. If you believe a child provided Personal Data to us, contact us and we will take appropriate steps to delete it.
9) Data retention
- Account data: kept for your account’s lifetime.
- User content (drafts, comments): kept while your account is active; if you delete a draft, it is removed from active systems; residual copies may persist in backups for a limited time.
- Transaction records: retained as required by tax, accounting, and legal obligations.
- Logs & diagnostics: retained for a limited period to ensure security and reliability.
Upon account deletion, we aim to delete or irreversibly anonymize Personal Data within 90 days, subject to legal holds or backup constraints.
10) Security
We implement technical and organizational measures designed to protect Personal Data, including encryption in transit, restricted access, and monitoring. No system is perfectly secure; we cannot guarantee absolute security. If we learn of a breach affecting your Personal Data, we will notify you and regulators as required by law.
11) International data transfers
We may process and store Personal Data in countries other than your own. Where we transfer Personal Data from the EEA/UK/Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and UK/Swiss equivalents) and supplementary measures where appropriate.
12) Your rights & choices
Depending on your location, you may have the right to:
- Access the Personal Data we hold about you.
- Correct inaccurate or incomplete Personal Data.
- Delete your Personal Data.
- Restrict or object to certain processing.
- Port your Personal Data to another service.
- Withdraw consent where processing is based on consent.
- Complain to a supervisory authority.
You can exercise many rights via in-product settings (e.g., account deletion, profile updates). Otherwise, email [email protected]. We may need to verify your identity and may decline requests as permitted by law (e.g., where disclosure would harm others’ rights or violate legal requirements).
US State Privacy (e.g., CA/CO/CT/VA/UT): You may have similar rights, including the right to know, delete, correct, and to be free from discrimination for exercising your rights. We do not sell Personal Data or share it for cross-context behavioral advertising. Authorized agents may submit requests on your behalf with proper authorization. You may appeal a decision by writing to [email protected].
13) AI features & automated decision-making
Draftly’s AI features generate text suggestions and feedback based on your inputs. We do not use automated decision-making that produces legal or similarly significant effects about you. We may use limited automated processing for abuse prevention and security.
Training & improvement: We do not use your private drafts to train third-party foundation models without your permission. We may use aggregated, de-identified usage patterns to improve product functionality and safety systems.
14) Cookies & similar technologies
Our analytics implementation does not rely on cookies in its tracking code. Other parts of the Service or providers (e.g., Stripe) may set necessary cookies to provide core functionality like payments or session continuity. We do not use third-party advertising cookies.
15) Third-party links
Our Services may link to third-party websites and services. Their privacy practices govern any information you provide to them. We are not responsible for their content or policies.
16) Data from organizations
If you use Draftly under an organization (e.g., a team or enterprise account), your organization may administer your account and access certain information subject to its policies. Your use may be subject to your organization’s agreements with us.
17) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version and adjust the “Last Updated” date above. If changes materially affect your rights, we will provide additional notice (e.g., in-app or by email) where required by law.
18) Contact
Questions or requests about privacy: [email protected]. We will respond as required by applicable law.
Draftly does not sell Personal Data or share it for cross-context behavioral advertising.