Privacy Policy

Last updated: April 23, 2026

Overview

Draftli ("we", "us", or "our") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

This policy applies to all users of the Draftli platform, including creators who create accounts and their clients who access review pages.

Data Controller & Processor Roles

Draftli serves as a platform that creators use to share deliverables with their clients. This creates a specific relationship under data protection law:

  • For creator accounts: Draftli is the data controller. We determine how your account data, uploaded content, and usage information are processed.
  • For clients using review pages: The creator who shared the review link with you is the data controller — they decided to collect your data (such as your name, comments, and approval actions) by sharing the review page with you. Draftli acts as a data processor, operating the platform on the creator's behalf.

If you are a client using a review page and wish to exercise your data rights (access, correction, deletion, or portability), you may contact the creator who shared the link with you directly, or reach out to us at privacy@draftli.io and we will assist in directing your request.

Information We Collect

We collect the following categories of information:

  • Account information: email address, business name, and authentication credentials when you create an account.
  • Uploaded content: files you upload for client review, including images and PDFs.
  • Review data: annotations, comments, and approval actions made by clients on review pages.
  • Payment information: processed securely by Stripe. We do not store credit card numbers or full payment details on our servers.
  • Usage data: information about how you interact with the Service, including pages visited and features used.
  • IP address: we log your IP address when you make a payment, download a file, or submit an abuse report. For file downloads, we also log your browser's user-agent string.
  • Authentication data from Google: if you sign in with Google, we receive your email address (and, if available, your name and profile picture) from Google for the purpose of creating and authenticating your account.

How We Use Your Information

  • To provide, maintain, and improve the Service.
  • To process transactions and send related notifications via email.
  • To generate watermarked preview versions of uploaded content for client review.
  • To respond to your requests, comments, or questions.
  • To detect, investigate, and prevent fraudulent or unauthorized activity.
  • To measure aggregate, anonymous usage of the Service via Plausible Analytics.
  • To investigate and defend against fraud, chargebacks, and abuse.
  • To comply with legal obligations.

Data Storage & Security

Your data is stored securely using Supabase infrastructure. Uploaded files are stored in separate storage buckets — watermarked previews are publicly accessible via review links, while original files are stored in a private bucket with no public access and are only released after client approval and payment.

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest. However, no method of transmission over the Internet is 100% secure.

Third-Party Services (Sub-processors)

We use the following third-party services to operate the platform. When Draftli acts as a data processor on behalf of creators, these services act as sub-processors:

  • Supabase: authentication, database, and file storage.
  • Stripe: payment processing (Stripe Connect for client payments; Stripe Billing for subscription payments). Stripe processes payment data under its own Privacy Policy.
  • Vercel: hosting and deployment.
  • Resend: transactional email delivery.
  • Plausible Analytics (Plausible Insights OÜ, Estonia): cookieless, EU-hosted product analytics. See Plausible's Privacy Policy.
  • Cloudflare: Turnstile bot protection on sign-in, sign-up, and comment forms. See Cloudflare's Privacy Policy.
  • Google: OAuth sign-in, when you choose "Continue with Google". See Google's Privacy Policy.

Cookies

We use essential cookies to maintain your authentication session and preferences. We do not use advertising or tracking cookies. Our analytics service (Plausible) is cookieless. For more details, see our Cookie Policy.

Data Retention

We retain your account, profile, and project data for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except as described below. Financial transaction records (including payment amounts, dates, and Stripe transaction identifiers) are retained as required by applicable tax and accounting regulations, typically 6–10 years, even after account deletion. Download logs are retained with the project and deleted when the project is deleted.

International Data Transfers

Some of our sub-processors (including Supabase, Stripe, and Vercel) may process or store data outside of your country, including in the United States. Where required, these transfers are protected by Standard Contractual Clauses and/or the EU-US Data Privacy Framework. Plausible Analytics is hosted exclusively in the European Union.

Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate data.
  • Deletion: request that we delete your personal data.
  • Portability: request an export of your data in a machine-readable format.
  • Objection: object to our processing of your personal data.

You can exercise your right to data export and account deletion directly from your Account Settings. For other requests, contact us at privacy@draftli.io.

Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a new "Last updated" date.

Contact

If you have questions about this Privacy Policy, contact us at privacy@draftli.io.