Privacy Commitments

Specific commitments. Not vague promises.

Last updated: June 3, 2026

Who we are

Draftrow is operated by AQM Hub, a sole proprietorship based in Toronto, Ontario, Canada. For privacy questions, contact hello@draftrow.com. We process personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

How privacy works on Draftrow

Draftrow is a tool that service business operators use to manage customer inquiries. Privacy on the platform has three roles:

You, the operator. You are the data controller. You decide what customer conversations to process and what bookings to save. Your obligations to your customers under privacy laws remain your obligations. We provide the technical infrastructure; you maintain the customer relationship.

Draftrow, the processor. We process the conversations you paste or upload. We extract booking details using AI (Anthropic Claude). We store the structured bookings you save. We do not contact your customers, market to them, or use their information for any purpose other than fulfilling your requests.

Your customers, the data subjects. They have rights under the privacy laws that apply where they live. Most commonly: the right to access their information, the right to correct it, the right to ask for deletion, the right to know how it is being used. They exercise these rights through you, their service provider, not through Draftrow directly.

This is the same structure as when you use QuickBooks for invoicing, Stripe for payments, or Google Workspace for email. Draftrow is one of the tools you use to run your business.

Implied consent and reasonable use

When a customer sends you a Messenger inquiry asking about renting chairs, photographing their wedding, or pressure washing their driveway, they are voluntarily disclosing information for a commercial purpose. Under PIPEDA's reasonable person standard and similar frameworks in other jurisdictions, customers reasonably expect that:

  1. You will read and respond to their message
  2. You will record their booking details in some form (calendar, app, notebook)
  3. You will use ordinary software tools (calendars, spreadsheets, payment processors, scheduling apps) to manage their booking
  4. You may use modern tools, including AI-assisted ones, to help you process their inquiry efficiently

This means Draftrow does not require you to obtain separate consent from each customer before processing their conversation. The implied consent from their voluntary business inquiry is sufficient, the same way it is sufficient when you use a spreadsheet or invoicing tool.

What you should still do as a responsible operator:

  1. Have a privacy notice on your business profile, website, or pricing sheet explaining that you use software tools to manage bookings and customer information
  2. Use customer information only for the original purpose (fulfilling their service request)
  3. Honor customer requests to access, correct, or delete their information
  4. Don't share customer information with parties not involved in fulfilling the service

We provide a free Operator Privacy Notice template at /resources/privacy-notice-template that you can adapt for your business.

Data flow

Text path

You paste text → Sensitive IDs redacted → AI extracts booking → Text discarded

Chat file path (.txt)

Upload .txt file → Sensitive IDs redacted → AI extracts booking → File discarded

Screenshot path

Strip EXIF (browser) → Validate + strip EXIF (server) → AI vision extraction → Image discarded

Our commitments

We do not store the raw conversation text

After extraction, the conversation is dropped. Only the structured booking fields you confirm are saved.

We encrypt customer information at rest

Customer names, phone numbers, addresses, and notes are encrypted using AES-256-GCM. Decryption is audit-logged.

We use AI providers that do not train on your data

Anthropic processes extractions under their commercial API policy. No training, 30-day retention for safety review, then deletion. We are pursuing Zero Data Retention.

We redact financial identifiers before AI processing

Credit card numbers, government IDs, and similar patterns are stripped from the conversation text before it reaches our AI provider.
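The redaction step in the text and chat-file paths, as an added example that is not Draftrow's own code. It narrows the page's "credit card numbers, government IDs, and similar patterns" to payment-card numbers, and confirms each candidate with the Luhn checksum so that phone numbers and booking references, which the extractor still needs, are left untouched. The sample conversation is constructed.

```javascript
// Luhn checksum: the standard validity check for payment-card numbers.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
// Phone numbers (10-11 digits) never reach this length, so they are not candidates.
const CARD_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Replace every Luhn-valid candidate with a placeholder; report how many were hit so the
// caller can log a count (never the value) before the text goes to the AI provider.
function redactCardNumbers(text) {
  let count = 0;
  const redacted = text.replace(CARD_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, "");
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return match;
    count++;
    return "[CARD REDACTED]";
  });
  return { redacted, count };
}

// Constructed sample: a booking inquiry that includes a phone number and a test card number.
const SAMPLE_CONVERSATION =
  "Hi, can I book 20 chairs for Saturday? Call me at 416-555-0199. " +
  "Card is 4111 1111 1111 1111, thanks.";
```

Luhn-invalid digit runs such as an order reference "1234 5678 9012 3456" are left as they are, so the extractor still sees them.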

Logs never include your conversation

Our server logs strip conversation text automatically. Error reports also exclude request bodies from the extraction endpoint.

Decryption is always logged

Every time customer PII is decrypted from the database, an entry is written to the audit log with your user ID, the resource accessed, and the timestamp.

You can delete your account anytime

After a 30-day recovery window, your data, including bookings, extractions, and audit logs, is permanently deleted. You can export your data from Settings at any time.

We are not affiliated with Meta or Facebook

Draftrow works with conversations you copy from Facebook Marketplace and Messenger. We have no relationship with Meta and no access to your Facebook account.

What data we collect

Category          | What                                                           | Purpose
Account data      | Name, email                                                    | Authentication, billing, support
Business data     | Inventory, pricing rules, booking history                      | Core product functionality
Customer PII      | Names, phones, addresses, notes extracted from conversations   | Saved bookings (encrypted at rest)
Conversation text | The raw text you paste                                         | Transient processing only. Not persisted.
Usage data        | Page views, feature usage, error logs                          | Product improvement (no personal identifiers in logs)
Payment data      | Billing details via Stripe                                     | Subscription management (Stripe is the processor. We do not see card numbers.)

How long we keep it

Account data
While your account is active, then 30 days after deletion
Business data
Same as account data
Customer PII (in bookings)
Same as account data. Deleted with the booking on soft-delete plus 30 days.
Conversation text
Never persisted. Discarded after extraction.
Usage data
90 days
Audit log entries
1 year

Screenshots

If you upload a screenshot of a conversation, here is exactly what happens:

  1. Your browser strips EXIF metadata (including GPS coordinates from photos taken with your phone) before upload begins.
  2. The image is resized and compressed locally to reduce file size.
  3. The image is sent over TLS to our server.
  4. Our server validates the image and strips EXIF again as a defense-in-depth measure.
  5. The image is sent to Anthropic for extraction under their commercial API policy.
  6. Anthropic returns the structured booking details.
  7. Our server discards the image. It is never written to disk, logs, or backups.
  8. Only the structured fields you confirm are saved (encrypted at rest, same as text extractions).

Anthropic processes images under the same data policy as text: no training, 30-day retention, then deletion. We are pursuing Zero Data Retention, which would eliminate the 30-day window.
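The server-side "strip EXIF again" step of the screenshot path, as an added example that is not Draftrow's own code. It works on the JPEG marker structure directly: every APP1 segment ahead of the scan data is dropped (EXIF, including GPS tags, and XMP both live in APP1), and everything else is copied byte-for-byte so the image itself is unchanged. It assumes a JPEG with no padding bytes between markers; the sample file is constructed and is only a valid marker layout, not a decodable picture.

```javascript
const SOI = 0xd8, EOI = 0xd9, SOS = 0xda, APP1 = 0xe1;

// Walk the marker segments that precede the scan data. Returns the segments
// (end offset exclusive) and the offset where the SOS marker begins.
function jpegHeaderSegments(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== SOI) throw new Error("not a JPEG");
  const segments = [];
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === SOS || marker === EOI) return { segments, scanStart: pos };
    const len = (buf[pos + 2] << 8) | buf[pos + 3]; // counts the 2 length bytes too
    if (len < 2 || pos + 2 + len > buf.length) throw new Error("truncated segment");
    segments.push({ marker, start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  throw new Error("no SOS marker found");
}

// Copy every header segment except APP1, then the SOS header, the entropy-coded
// scan data and EOI exactly as they were.
function stripJpegExif(buf) {
  const { segments, scanStart } = jpegHeaderSegments(buf);
  const out = [0xff, SOI];
  for (const s of segments) {
    if (s.marker === APP1) continue;
    for (let i = s.start; i < s.end; i++) out.push(buf[i]);
  }
  for (let i = scanStart; i < buf.length; i++) out.push(buf[i]);
  return Uint8Array.from(out);
}

function hasExif(buf) {
  return jpegHeaderSegments(buf).segments.some((s) => s.marker === APP1);
}

// Constructed minimal JPEG: JFIF APP0, an EXIF APP1 stub, a SOS header, two
// placeholder scan bytes and EOI.
const SAMPLE_JPEG = Uint8Array.from([
  0xff, 0xd8,                                                 // SOI
  0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00,       // APP0 "JFIF\0"
  0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
  0xff, 0xe1, 0x00, 0x0a, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00, 0x49, 0x49, // APP1 "Exif\0\0II"
  0xff, 0xda, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00, // SOS header
  0x12, 0x34,                                                 // scan data
  0xff, 0xd9,                                                 // EOI
]);
```

Running the output through hasExif is the cheap post-condition check worth keeping on the upload endpoint: if it ever returns true, the file should be rejected rather than forwarded.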

Who we share data with (subprocessors)

Subprocessor | Purpose                 | Location    | Data shared
Anthropic    | AI extraction (primary) | USA         | Conversation text (transient)
OpenAI       | AI extraction (fallback)| USA         | Conversation text (transient)
Clerk        | Authentication          | USA         | Name, email
Stripe       | Payment processing      | USA/Ireland | Billing details
Resend       | Transactional email     | USA         | Email address, message content
Neon         | Database hosting        | USA         | Encrypted business data
Vercel       | Application hosting     | Global      | Aggregate usage logs
Sentry       | Error tracking          | USA         | Error messages (PII stripped)
Upstash      | Rate limiting           | USA         | IP addresses (hashed)

AI provider data policies

We use Anthropic as our primary AI provider. Anthropic processes commercial API inputs and outputs under their commercial data policy: no training on customer data by default, 30-day retention for trust and safety review, then deletion. Flagged content may be retained up to 2 years for policy enforcement. Safety classification scores may be retained up to 7 years. We are pursuing Zero Data Retention, which would eliminate the 30-day retention window.

If Anthropic is unavailable, we fall back to OpenAI. OpenAI does not train on API data by default. OpenAI may log API requests for abuse monitoring for up to 30 days, after which they are deleted unless required to be retained for legal or service-protection reasons.

Your customers' rights

Your customers have rights under privacy laws including PIPEDA (Canada), GDPR (European Union and UK), CCPA (California), and similar frameworks elsewhere. These rights generally include:

  • Right to access: Your customers can ask what information you hold about them
  • Right to correct: They can ask you to fix incorrect information
  • Right to delete: They can ask you to delete their information
  • Right to object: They can object to certain processing
  • Right to portability: They can ask for their information in a portable format
  • Right to know: They can ask how their information is used and who has access

Because Draftrow is your processor, your customers exercise these rights through you, not directly with us. When a customer asks you for any of these, you handle it within Draftrow:

  • Access: Show them the booking record you have, or export it as CSV
  • Correction: Edit the booking record
  • Deletion: Delete the booking. This triggers a 30-day soft delete followed by permanent hard delete from our databases.

If you receive a complex request you cannot handle yourself (for example, a customer submitting a Subject Access Request under GDPR with a tight deadline), email us at security@draftrow.com and we will help you respond appropriately.

Your responsibility for customer data

When you paste a conversation into Draftrow, you may be processing personal information that belongs to your customer. As the service operator, you are responsible for ensuring you have a lawful basis to process this information. Typically this is established because the customer initiated contact to inquire about your services.

We recommend you do not paste:

  • Conversations from customers who have asked you to delete their information
  • Conversations containing payment card details or government IDs (we redact these before AI processing, but you should not transmit them)
  • Conversations from customers who are minors without parental consent

GDPR rights (for EU residents)

If you or any of the customers whose information you process is located in the European Union or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply.

  • Legal basis: We process personal information on behalf of operators who have a legitimate interest in operating their business or who have obtained implied consent from their customers. We do not process personal information for our own marketing or profiling.
  • International transfers: Customer information may be transferred to Canada (where our databases are hosted) and to the United States (where Anthropic processes extraction requests). Canada has been recognized by the European Commission as providing adequate protection for personal data. Anthropic operates under SCCs (Standard Contractual Clauses) for any data transferred to the United States.
  • Data Protection Officer: As a small operator, we do not have a designated Data Protection Officer. Privacy inquiries should be sent to security@draftrow.com.
  • Your rights: EU residents have all the rights listed above (access, correction, deletion, objection, portability, knowledge). They can be exercised through the operator (data controller) or directly with us by emailing security@draftrow.com.
  • Right to complain: EU residents have the right to file complaints with their national data protection authority if they believe their rights have been violated.

We are not currently established in the EU and do not target EU operators specifically. If you are an EU-based operator considering Draftrow, please contact us first so we can confirm our service is appropriate for your jurisdiction.

Data Processing Agreement

Operators who require a formal Data Processing Agreement (for their own compliance documentation or for their customers' regulatory requirements) can request one by emailing hello@draftrow.com. We provide a standard DPA template at no charge for all Pro and Hibernation tier customers.

The DPA establishes:

  • The controller/processor relationship between you and Draftrow
  • The scope and purpose of data processing
  • Categories of personal information processed
  • Subprocessor disclosures (Anthropic, Stripe, Resend, Sentry, Neon, Vercel, Upstash, Clerk)
  • Security measures applied
  • Breach notification procedures
  • International transfer mechanisms (if applicable)

You can also view the DPA template publicly at /resources/dpa-template.

What we don't store

When you paste a conversation, upload a screenshot, or upload a WhatsApp chat export (.txt file), the input is processed entirely in memory. After extraction completes and the response returns to your browser, the input is discarded. Specifically:

  • The pasted conversation text is never written to disk
  • The uploaded image bytes are never written to disk
  • The uploaded chat file contents are never written to disk
  • None of these are written to log files, error reports, or backups
  • The structured output is only saved if you click Save Booking
  • If you discard an extraction, no record persists beyond the metadata (token count, cost, confidence)

Your rights

You can:

  • Access all data we hold about you (export from Settings → Your data)
  • Correct any inaccurate data (edit bookings directly or contact us)
  • Delete your account and all associated data (30-day recovery window)
  • Object to processing or withdraw consent (close your account)
  • File a complaint with the Office of the Privacy Commissioner of Canada

Security breach notification

If we experience a breach of security safeguards that poses a real risk of significant harm to you, we will notify you as soon as feasible. We maintain records of all breaches per PIPEDA requirements.

Children's privacy

Draftrow is not directed at children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it. If you believe a child has provided us with personal information, contact us at privacy@draftrow.com.

Changes to this policy

We will notify you by email of material changes at least 30 days before they take effect.

Contact

Privacy questions: hello@draftrow.com
Security issues: security@draftrow.com
Full security details: /security
