1. What data we collect
- Account data: your email address and optional display name, provided at registration.
- Manuscript content: chapters, characters, notes, timelines, and all other content you enter into the service.
- Payment data: processed and stored by Stripe. We receive only a transaction reference and subscription status. We do not see or store your full card number.
- Security metadata: IP address, login timestamps, inferred country code (where available), and device and browser metadata collected at registration and at each login.
2. Legal bases and purposes
We process your data for the following purposes, each with the stated legal basis under GDPR Art. 6:
- Providing and maintaining the service (Art. 6(1)(b): performance of contract): account management, storing your manuscripts, processing payments, and delivering all features you have subscribed to.
- Transactional communications (Art. 6(1)(b): contract): sending password reset emails, account deletion confirmation and lifecycle emails, and payment receipts. These emails are necessary to perform the contract and cannot be opted out of while your account is active.
- Security, fraud prevention, and abuse investigation (Art. 6(1)(f): legitimate interest): retaining IP addresses, login timestamps, country codes, and device metadata to detect unauthorised access, investigate abuse complaints, and protect the integrity of the service. We have assessed that this interest is not overridden by your privacy interests given the limited scope of data retained and the direct security benefit to all users. You have the right to object to this processing (see section 7).
- AI feature processing (Art. 6(1)(b): contract): on Bard and Oracle plans, manuscript text you submit to AI features is sent to OpenAI for processing solely to generate the requested output. This processing is part of the service you have subscribed to.
We do not use your data for advertising, profiling for marketing purposes, or sell it to third parties.
3. Data security
Your manuscripts and all associated data are protected at every layer of the service.
- Encryption in transit: all communication between your browser and Draftory Studio is encrypted using HTTPS/TLS. Your writing is never sent over an unencrypted connection.
- Encryption at rest: your data is encrypted on disk at the infrastructure level. If storage media were ever physically compromised, your manuscripts would remain unreadable.
- Network isolation: our database runs inside a private network and is not exposed to the public internet. Only application servers verified by network-level whitelisting can reach it.
- Daily automatic backups: your data is backed up automatically every day. In the event of hardware failure or any other incident, we can restore it from a recent backup.
- Password security: passwords are stored as cryptographic hashes and are never stored in plaintext. Even we cannot read your password.
We apply reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.
4. Data breaches
In the event of a personal data breach, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay as required by GDPR Art. 34.
5. Sub-processors and data transfers
We use the following sub-processors to deliver the service. All sub-processors are bound by GDPR-compliant data processing agreements.
- Stripe, Inc. (USA): payment processing. Transfers to the USA are made under Standard Contractual Clauses (Commission Decision 2021/914). Stripe is also certified under the EU-US Data Privacy Framework.
- DigitalOcean, LLC (USA, EU region): application hosting and database hosting. Our application servers and managed database run in DigitalOcean's EU data centre (Frankfurt). DigitalOcean transfers are covered by Standard Contractual Clauses.
- OpenAI, LLC (USA): AI feature processing on Bard and Oracle plans. Manuscript text you submit to AI features is sent to OpenAI solely to generate the requested output and is not used to train OpenAI's models. Transfers are covered by Standard Contractual Clauses. OpenAI is also certified under the EU-US Data Privacy Framework.
- Resend, Inc. (USA): transactional email delivery. Email addresses and message content for account emails are processed by Resend. Transfers are covered by Standard Contractual Clauses.
- Google LLC (USA): website analytics via Google Analytics 4, used only with your explicit consent. If you accept analytics cookies, anonymised usage data (pages visited, session duration, general location derived from IP) is sent to Google. Transfers are covered by Standard Contractual Clauses. Google is also certified under the EU-US Data Privacy Framework.
If we add or replace a sub-processor we will update this policy and notify you by email at least 14 days before the change takes effect.
6. Data retention
- Account data and manuscript content: retained for as long as your account is active. On account deletion, data remains accessible during the 30-day grace period and is permanently deleted at the end of that period.
- Security metadata (IP addresses, login timestamps, country codes, device and browser data): retained for 12 months from the date of collection, after which it is deleted. In cases of an active abuse investigation, legal hold, or dispute resolution, relevant records may be retained beyond this period until the matter is resolved.
- Payment records: retained as required by Estonian accounting law (generally 7 years).
7. Your rights
Under GDPR you have the following rights. To exercise any of them, write to [email protected]. We will respond within 30 days.
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): correct inaccurate personal data. You can update your display name and email directly from your Account settings.
- Erasure (Art. 17): request deletion of your personal data. You can delete your account at any time from your Account settings; your account stays active for 30 days before permanent deletion. You may also contact us to request erasure of specific data.
- Restriction of processing (Art. 18): request that we restrict processing of your data while a dispute about accuracy or lawfulness is resolved.
- Data portability (Art. 20): receive the personal data you have provided to us in a structured, commonly used, machine-readable format. For manuscript content, you can export your manuscripts at any time using the in-app export feature. For account data (email, display name), contact us and we will provide a copy.
- Object to processing (Art. 21): object to processing based on our legitimate interest (security and abuse prevention). If you object, we will stop processing for that purpose unless we can demonstrate compelling legitimate grounds that override your interests.
- Withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (andmekaitse.ee) or with the supervisory authority of your EU member state of residence.
8. Automated decision-making
We do not use automated decision-making or profiling as defined by GDPR Art. 22 to make decisions that produce legal or similarly significant effects on you. Enforcement actions under our acceptable use policy are reviewed by a member of our team before any action is taken.
9. AI processing transparency
On Bard and Oracle plans, certain features send portions of your manuscript text to OpenAI for processing. These features are triggered manually by you and are clearly labelled in the app. AI-generated output is always presented as a suggestion for your review. No AI processing occurs in the background without your action.
OpenAI does not use data submitted through the API to train its models. Manuscript text sent to AI features is used solely to generate the requested output for that session.
10. Cookies and analytics
Strictly necessary cookies: Draftory Studio uses a session cookie to keep you logged in. This cookie does not require your consent under the ePrivacy Directive because it is essential to the service you have requested.
Analytics cookies (optional, consent required): With your explicit consent, we use Google Analytics 4 to collect anonymised data about how visitors use this site. This includes pages visited, session duration, and general location derived from IP address. This data helps us understand usage patterns and improve the service. Your full IP address is not stored by Google Analytics. We do not use this data to identify you personally or for advertising.
Analytics cookies are only set after you click "Accept" in the cookie banner. You can withdraw your consent at any time by clearing your browser's local storage for this site or by contacting us at [email protected]. You can also opt out of Google Analytics across all websites using Google's opt-out browser add-on.
Analytics data retention: Google Analytics retains event data for 14 months. Aggregated reports are retained indefinitely but contain no personal data.
11. Children
The service is restricted to users aged 16 and over, in accordance with GDPR Art. 8 and Estonian law. We do not knowingly collect data from anyone under 16. If we become aware that an account has been created by someone under 16, we will delete it and all associated data promptly.
12. Changes to this policy
We may update this policy from time to time. We will notify you by email before significant changes take effect. The current version is always available at this URL. Continued use of the service after the effective date of a change constitutes acceptance.
13. Contact and supervisory authority
For any privacy-related questions or to exercise your rights:
[email protected]
KENKES-SKEDATI OÜ, Estonia
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate: aki.ee (formerly andmekaitse.ee).