Last updated: May 25, 2026
Privacy Policy
This Privacy Policy describes how Drafto ("we", "us") collects, uses, and discloses information when you use trydrafto.com and the Drafto document generator (the "Service").
1. Who we are
Drafto is an online legal document generator. The data controller for this Service is Drafto. You can contact us at contact@trydrafto.com.
2. Information we collect
- Account & billing data — name, email, and payment metadata (handled by Stripe; we do not store full card numbers).
- Document inputs — text or voice descriptions you provide so we can assemble your document. Voice transcription is processed in real time and not retained as audio.
- Usage & device data — pages visited, generator events, browser and IP, collected via PostHog and standard server logs to operate and improve the Service.
- Cookies — essential cookies for session and security, and analytics cookies (PostHog). See "Cookies" below.
3. How we use information
- To provide, secure, and improve the Service.
- To generate, save, and deliver the documents you request.
- To process payments and prevent fraud (Stripe).
- To send transactional emails (e.g. document delivery, support replies via Resend).
- To respond to support requests sent to our contact email or form.
- To comply with legal obligations.
4. Legal bases (GDPR / UK GDPR)
We rely on the following legal bases: performance of a contract (delivering the Service), legitimate interests (security, product analytics), consent (non-essential cookies and marketing emails, where applicable), and legal obligation.
5. Subprocessors we use
- Vercel — application hosting (US/EU).
- Stripe — payment processing.
- OpenAI — voice transcription and information extraction from your inputs.
- PostHog — product analytics.
- Resend — transactional email delivery.
- Upstash Redis — rate limiting and short-lived caching.
6. International transfers
Some subprocessors are located in the United States. Where required, we rely on the EU Standard Contractual Clauses and equivalent UK transfer mechanisms.
7. Data retention
- Generated documents linked to your account: retained until you delete them.
- Billing records: retained as required by tax and accounting law (typically 6–10 years).
- Server logs: typically up to 90 days.
- Analytics events: up to 12 months in aggregated form.
8. Your rights
Depending on your location (EU/UK, California/CCPA, Canada/PIPEDA, Singapore/PDPA, UAE/PDPL), you may have rights to access, correct, delete, port, or object to processing of your data, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email contact@trydrafto.com.
9. Cookies
We use a small number of essential cookies and analytics cookies. You can clear cookies via your browser settings at any time. Where required by law, we will request your consent before non-essential cookies are set.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their data.
11. Security
We use industry-standard safeguards including TLS in transit, access controls, and least-privilege subprocessors. No method of transmission is 100% secure.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated on this page with an updated "Last updated" date.
13. Contact
Questions about this Privacy Policy? Email contact@trydrafto.com.