1. Introduction

DraftFill is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy describes what information we collect, how we use it, and your rights regarding your data.

By using DraftFill, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Data Controller

DraftFill
Email: [email protected]
For GDPR-related inquiries, please contact our Data Protection Officer at the email above.

3. Information We Collect

3.1 Information You Provide

• Account Information: Email address (used for authentication)
• Profile Data: Name (optional), preferences, and settings
• Content Data: Documents, blocks, code templates, and custom fields you create
• Payment Information: Processed securely by Stripe (we do not store full card details)
• Communication Data: Messages you send to our support team

3.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on the platform
• Technical Data: IP address, browser type, device information, operating system
• Cookie Data: Authentication tokens, preferences, session management (see Cookie Policy section)
• Security Logs: Login attempts, authentication events, security incidents

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide our services (Article 6(1)(b) GDPR)
• Consent: Cookie preferences, marketing communications (Article 6(1)(a) GDPR)
• Legitimate Interests: Security, fraud prevention, service improvement (Article 6(1)(f) GDPR)
• Legal Obligation: Compliance with tax and financial regulations (Article 6(1)(c) GDPR)

5. How We Use Your Information

• Provide, maintain, and improve our services
• Process payments and subscriptions
• Send service-related notifications (account updates, security alerts)
• Send marketing communications (only with your consent, you can opt-out anytime)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our terms
• Analyze usage patterns to improve user experience
• Provide customer support and respond to inquiries

6. Data Sharing and Disclosure

6.1 Service Providers

We share data with trusted third-party service providers:

• Stripe: Payment processing (PCI DSS compliant)
• SendGrid: Transactional email delivery
• Vercel: Hosting and infrastructure
• Database Provider: Data storage and management

These providers are contractually bound to protect your data and use it only for the purposes we specify.

6.2 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal processes, court orders, or government requests
• Enforce our Terms of Service and protect our rights
• Protect the safety and security of our users and the public
• Prevent fraud, abuse, or illegal activity

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.

7. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection levels
• Privacy Shield certification (where applicable)

8. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: TLS/SSL for data in transit, encryption for sensitive data at rest
• Access Controls: Role-based access, principle of least privilege
• Authentication: Secure passwordless authentication via magic links
• Monitoring: 24/7 security monitoring and incident response
• Regular Audits: Security assessments and vulnerability testing
• Database Security: Parameterized queries, row-level security policies

While we take reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your data for as long as necessary to provide our services:

• Active Accounts: Data retained while your account is active
• Account Deletion: 30-day grace period, then permanent deletion
• Backup Data: Removed from backups within 90 days of deletion
• Legal Requirements: Transaction records kept for 7 years (tax law)
• Audit Logs: Security and data processing logs kept for 2 years (GDPR)

10. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

10.1 Right to Access (Article 15)

Request a copy of all personal data we hold about you. Available via the Privacy Settings page.

10.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data in your account settings.

10.3 Right to Erasure (Article 17)

Request deletion of your account and data. Subject to a 30-day grace period. Available via the Privacy Settings page.

10.4 Right to Restrict Processing (Article 18)

Request limitation of processing in certain circumstances.

10.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format (JSON). Available via the Privacy Settings page.

10.6 Right to Object (Article 21)

Object to processing based on legitimate interests, including direct marketing. Opt-out of marketing emails anytime.

10.7 Right to Withdraw Consent (Article 7)

Withdraw consent for cookie preferences and marketing communications at any time in your Privacy Settings.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

11. Cookie Policy

11.1 What are Cookies?

Cookies are small text files stored on your device that help us provide and improve our services.

11.2 Cookie Categories

• Necessary Cookies (Always Active): Essential for authentication, security, and basic functionality. These cannot be disabled.
• Functional Cookies (Optional): Remember your preferences, settings, and UI customizations.
• Analytics Cookies (Optional): Help us understand how you use our service to improve user experience. Data is anonymized.
• Marketing Cookies (Optional): Used for personalized advertising and campaign tracking. You can opt-out anytime.

11.3 Managing Cookies

You can manage your cookie preferences in the Privacy Settings page or through the cookie banner when you first visit our site. Your browser settings also allow you to block or delete cookies, but this may affect site functionality.

12. Children's Privacy

DraftFill is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page
• Increment the version number
• Notify you via email or a prominent notice in the application
• Request your consent for changes that require it (e.g., new data processing activities)

Your continued use of DraftFill after changes indicates acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us:

• Email: [email protected]
• Data Protection Officer: [email protected]
• GDPR Requests: Use the automated tools in your Privacy Settings or email us at [email protected]

15. Quick Links