When you use our Website, access our Platform, or use our Service, we may collect Personal Data about you in our capacity as Controller.

This Privacy Policy aims to help you understand what we do to protect these data. 

We are committed to compliance with European Personal Data protection regulations, including the GDPR. For this purpose, we have assigned a Data Protection Officer. 

Please note that all terms written with a capital letter not defined in this Privacy Policy will have the meaning given to them here. 

For more details, please consult the Legal Notice.

When you use our Website and our Platform, you may communicate information, either directly or indirectly, some of which could identify you, either directly or indirectly, and which is therefore classed as Personal Data.

This information will contain data in the following categories in particular:

• Simple identification data such as your email address and technical credentials assigned to you to create an account, and your first and last name if you provide them when you collaborate;
• Additional identification and contact data (your first and last name, telephone number, company, job title, and address of the company) if you contact Draft to obtain information about our offers. This information may be directly provided by you or collected by us from your company.
• Transactional information required if you subscribe to a paid subscription to the Service (for example, the type of subscription chosen, your company, and billing address)
• Your credit card details if you subscribe to a Pro plan. This data is collected and processed exclusively by Stripe, our payment service provider, acting as a data processor, certified with a PCI DSS Level 1. Draft does not store nor access this data.

Where your Personal Data is collected directly, you will be informed whether specific data must be completed or are optional. It may not be possible to complete your request if the mandatory information is not completed.

Some of these Personal Data are collected using cookies or trackers on our Website or Platform. To learn more, you can view our Cookie Policy at any time.

The Personal Data processed by Draft is collected through various channels:

• Personal Data communicated directly by you. Draft may process the Personal Data that you provide to us directly (i) when creating your Draft.io Account or when using the Service, (ii) when you contact us by email, or (iii) when you are in phone or videoconference contact with Draft.
• Personal Data collected from public sources; Draft may use publicly available Personal Data. 
• Personal Data collected from third parties; Draft may use the services of specialist service providers to access up-to-date databases.
• Personal Data that are collected automatically when you use the Website and/or Platform; Draft may collect your Personal Data to establish visitor statistics for our Website. 

We collect and process your Personal Data in accordance with the GDPR and solely on the following legal bases:

• Consent: you have expressly consented to the processing of your Personal Data;
• Contract: processing is necessary for the performance or preparation of a contract entered into with you;
• Statutory obligation: processing is a legal requirement;
• Legitimate interest: processing is necessary for the pursuit of our legitimate interests, in strict compliance with your rights.

We store your Personal Data for a limited time, as necessary for the purpose of processing. A summary can be found in the following table.

The Personal Data of our visitors and Users/Customers is strictly confidential. They may be processed by Draft employees within the limits of their respective authorizations, solely for the purposes set out in this Privacy Policy.

Unless we are bound by a statutory, accounting, or judicial obligation, we will not share your Personal Data in any way whatsoever with third parties other than:

• Our hosting provider for the purpose of hosting the Platform;
• Our service providers and Subprocessors for the purpose of providing the services requested, completing a transaction, or responding to your requests for assistance and information.  

The infrastructure that supports the Platform is located in France. However, if necessary, we may need to transfer your Personal Data to service providers operating outside the European Union. In this case, your data is transferred securely as follows:

• Either data is transferred to a country deemed to offer an adequate level of protection according to a decision by the European Commission;

Or we have entered into a specific contract with our Processors governing transfers of your data outside the European Union, on the basis of Standard Contractual Clauses between a Controller and a Processor approved by the European Commission.

When we use a service provider working as a Processor on our behalf, we adopt a risk-based approach to ensure Draft’s security objectives are aligned with the service provider before communicating any of your Personal Data.

Draft guarantees that you are able to exercise all the rights granted to you by the regulations. You can therefore:

• Access your Personal Data;
• Rectify any inaccurate Personal Data concerning you;
• Have your Personal Data erased;
• Restrict our Processing of your Personal Data;
• Withdraw your consent for the Processing of your Personal Data;
• Object to the Processing of your Personal Data;
• Obtain a copy of your Personal Data (right to data portability); 
• Indicate instructions for the retention, erasure, and communication of your Personal Data after your death.

You may exercise these rights by contacting us at the following address: hi@draft.io. We may ask you to provide additional information or documents to prove your identity when doing so.

You may also access the Personal Data concerning you at any time by logging in to your Draft.io Account and amending them in your profile settings. 

If you are not satisfied with the response you receive, you can file a complaint with the relevant supervisory authority concerning the collection and use of your Personal Data. In France, you can contact the Commission nationale de l’informatique et des libertés (CNIL) via its website at: http://www.cnil.fr.

As a User, you may decide to store and use personal data in visual documents. You are responsible for the potential processing of such personal data. Draft provides hosting and technical support for this data, acting as a data processor on your behalf. Draft staff does not have access to the data you choose to store in the visual documents, except for technical support purposes, at your request and under your instructions. 

You can decide to share your visual documents with other users or third parties by providing them with a URL link, which a password can secure. In this regard, you can determine the access settings for your visual documents (public or private), the persons to whom you provide the URL link to access them, and the third-party websites or services where you decide to share the link. In such cases, your visual documents (including your personal data) will be accessible to all these recipients.

We may amend this Privacy Policy at any time to introduce regulatory, case-law, or technical changes that improve your Personal Data’s level of protection.

For minor amendments, we will change the “Latest update” date at the top of the page to indicate the date on which the amendments were made. Conversely, in the case of substantial amendments to this Privacy Policy (concerning processing, Personal Data collected, exercise rights, or transfer of Personal Data), we will inform you by email. Any access to and use of the Website and the Service after this communication will be subject to the terms of the new Privacy Policy.

We invite you to check this page regularly for any amendments or updates to our Privacy Policy.

You are also welcome to contact us at the following address: hi@draft.io.