Privacy Policy

Last modified: February 28, 2022

1. Objective of this policy

Draft SAS (hereinafter “Draft”) respects the privacy rights of both its customers and other data subjects whose data is processed.

This Privacy Policy aims at informing you about the processing of your personal data when you access the website https://draft.io/ (hereinafter the “Platform”), when you use the services provided by the Platform or when you contact Draft (hereinafter the “Services”).

It provides you with information on the origin and use of the collected information, as well as the rights and options available to you under the applicable data protection rules and regulations.

This Privacy Policy also informs you of the processing of your personal data using cookies and other tracking devices (hereinafter "Cookies") on the Platform.

The processing of your personal data described in this policy is carried out by Draft SAS, a French company; whose registered offices are located at 3 rue de l’Ouche Brûlée; 44118, La Chevrolière, France; registered on the Nantes Trade and Companies Register under number 848 959 268 (“Draft”), which publishes the Platform, and which is thus the “Data Controller” under the data protection laws.

2. Purposes and legal basis of the processing performed by Draft

Your personal data is collected and processed when Draft has a legal basis for doing so.

Based on your consent, including to manage your requests:
- To send you information about our services and news;
- To follow up on your inquiries concerning our service offerings and online help;
- To improve the performance of the Platform by generating audience and usage statistics;
- To organize webinars to help you use the Platform.
To provide you with Services and to comply with the contractual obligations, and in particular:
- To enable you to create an online account;
- To enable you to create a visual document online, in particular, using images, text, audio, and video content;
- To host such a visual document online;
- To allow you to share such visual documents with other users either on the Platform or on third-party sites and services, and to allow these other users to access and modify it;
- To allow you to subscribe to a Pro or a Team subscription if required, pay for the service, and allow us to manage the billing;
- To enable us to provide you with technical support;
- To manage any other service, whether current or future, in connection with the services and registered in the corresponding general terms of use.
To pursue Draft’s legitimate interests in managing the distribution and marketing of the Services, including:
- To manage Draft’s contractual relationship with you, including by keeping a database of existing and potential users and customers;
- To ensure the administration and security of the Platform;
- To improve the functioning of the Platform by producing audience and usage statistics.

For all these purposes based on Draft’s legitimate interest, Draft considers any potential impact that such data collection may have upon you and upon the Platform users in general. Should Draft believe that your interests or your fundamental rights and freedoms transcend its legitimate interests, it will refrain from using your personal data on this legal basis and may ask you for your consent on a case-by-case basis.

Processing carried out by you as a Platform user and for which you are the data controller

As a Platform user, you may decide to store and use personal data in visual documents. You are responsible for such potential processing of personal data. Draft provides hosting and technical support for this data, acting as a data processor on your behalf. Draft staff does not have access to the data you choose to store in the visual documents, except for technical support purposes, at your request and under your instructions.

You can decide to share your visual documents with other users or third parties by providing them with a URL link, which a password can secure. In this regard, you can determine the access settings for your visual documents (public or private), the persons to whom you provide the URL link to access them, and the third-party websites or services where you decide to share the link. In such cases, your visual documents (including your personal data) will be accessible to all these recipients.

3. Categories of data processed by Draft

3.1 Information that you provide to Draft directly

Draft collects information that you provide directly to Draft when you use the Platform and the Services:

Your email address and password to create an account if you are a free user;
Additional identification and contact data (your first and last name, telephone number, company, and job title) if you subscribe to a Pro or Team offer or if you contact Draft; This information may also be directly provided by and collected from your company.
Transactional information required if you subscribe to a paid subscription to the Services (for example, the type of subscription chosen, your company, and billing address)
Your credit card details if you subscribe to the Pro or Team. This data is collected and processed exclusively by Stripe, our payment service provider, acting as a data processor, certified with a PCI DSS Level 1. Draft does not store nor access this data

The personal data that Draft needs to fulfill the purposes described above are indicated at the time of their collection. If you do not enter the required information, Draft will not be able to respond to your requests and/or provide you with the requested services. The other information is optional and allows Draft to improve its communications and services to you.

3.2 The information that Draft generates when you access the Platform or use the Services

Other data is collected automatically when you access the Platform or use the Services:

Service Data: any data or information, including visual documents that you create and submit or store with Draft, in connection with your use of the Services.
Data relating to the management of your contractual relationship with Draft (for example, your account number, the history of your subscriptions, your authorized users, your contacts and requests, or your correspondence with the Draft sales or customer success department).

3.3 The information Draft automatically collects via cookies

A cookie is a small text file downloaded on your device (computer, tablet, smartphone, etc.), which collects and stores some of your personal data related to your browsing during the cookie's lifetime (e.g., your login information, type of connecting device, preferences, actions, time and number of visits).

We also use other tracking devices which have a similar function to cookies (collectively referred to as "cookies"). This policy also covers those other cookies.

You can find further information at https://www.cnil.fr/fr/site-web-cookies-et-autres-traceurs and https://www.youronlinechoices.com/.

3.3.1 Cookies enabling or facilitating our electronic communication and cookies strictly necessary for the provision of the service

We, our partner Matomo and our partner Stripe use these cookies to secure our Platform against fraud and to provide you with our core functionalities (e.g. authentication to access restricted areas of our Platform, display of the cookie banner, etc.) and to measure and analyze our platform audience, performance, and traffic.

Matomo Analytics (in its version 4) is the open-source and self-hosted solution that we use to measure and analyze the audience of our Platform and is configurated to be exempted from the CNIL's (the French Data Protection Authority’s) consent requirement.

These cookies cannot be deactivated in our system, as they are used for our legitimate interest in ensuring security, technical functioning, accessibility of our Platform, as well as for audience measurement.

You may configure your browser to block these cookies or notify you of their presence in order to block them. However, all or part of our Platform may not function as a result.

The cookies that enable or facilitate our electronic communication and the cookies that are strictly necessary for the provision of the service are the following:

Cookie name	Description
First-party cookies (internal)
_session_id	This cookie creates a temporary session ID that is used as a user ID during a session.
Self-hosted third-party cookies
_pk_id*	Matomo cookie used to analyze traffic and measure performance.
_pk_ses*	Matomo cookie used to analyze traffic and measure performance.
Third-party cookies
_stripe_sid	Cookie from Stripe. Used for fraud prevention purposes to assess the risk associated with a transaction attempt.
_stripe_sid	Cookie from Stripe. Used for fraud prevention purposes to assess the risk associated with a transaction attempt.

4. Recipients of your personal data

4.1 Sharing your visual documents

You can decide to share your visual documents with other users or third parties by providing them with a password-protected URL. In this way, you can determine what access settings your visual materials should have (public or private), who you provide the URL to access them to, and whether or not you choose to share them with other websites or third-party services. In either case, your visual documents (including your personal data) will be accessible to all these persons.

4.2 Sharing your visual documents

Your personal data is processed by Draft. It will only be transferred or made accessible to any of Draft's subcontractors and service providers who intervene exclusively for technical and logistical purposes (e.g. the Platform's hosting and maintenance providers).

Your payment data is processed by our payment system provider.

4.3 Customer and user management and marketing

Your personal data is only accessible to authorized Draft personnel with whom you come in contact for contractual relationship management.

4.4 Protection and defense of Draft's rights

Your personal data is accessible to the authorized personnel working at Draft with which you are in contact, for the management of the contractual relationship.

4.5 Protection and defense of Draft's rights

Ultimately, Draft may disclose your personal data to third parties when such disclosure is required by law, regulation, or court order, or if such disclosure is necessary to protect and defend its rights.

5. Transfer of your data outside the European Economic Area

The Platform is managed by our teams in France and hosted by our hosting provider in France.

Your data is transferred to our service providers based outside the European Economic Area for the following services:

Purposes	Type of services provided by our contractors based outside the European Economic Area	Countries where your data is processed
Manage your Pro or Team subscription payment and billing	Payment and billing	USA
Manage your Platform subscription	Automated emailing	USA
Respond to your inquiries regarding our service	Emailing and online storage	USA
Organize webinars to help you get started with the platform	Organization of webinars	USA
Manage Team clients	Provision of online spreadsheets	USA

Sub-processing agreements incorporating the European Commission's standard contractual clauses have been signed with all our service providers that process your personal data outside the European Union to ensure RGPD compliance.

6. Transfer of your data outside the European Economic Area

Draft does not store your personal data beyond the period necessary to fulfill the purposes for which it was collected in order to comply with our legal obligations and protect and defend our rights.

6.1 Contact and complaints

Your personal data and general information about your requests (e.g., requests for information about Drafts Services, subject of the request, and your information) collected and processed through the "Contact Us" section or through contact with its staff are stored for the duration of the period required to respond to your request and for 3 years after the last contact with you.

6.2 Data concerning the use of Draft’s Services, subscriptions, and the contractual relationship

Draft will keep your subscription data for as long as you remain a customer or a user (i.e. you have an active customer or user account and/or a contract with Draft) and until the expiry of the applicable warranties. This data will only be kept beyond that time with your consent or for accounting and evidence purposes or to meet Draft’s legal obligations.

6.3 Account data

Your account on the Platform will remain active as long as you have not decided to close it and as long as you continue to use the Services on the Platform. In case of prolonged inactivity on your part for a period of 3 years, your account will be deactivated.

You may always close your account at any time. To do so, you can contact customer service by e-mail at hi@draft.io.

Lastly, the connection logs collected under your consent with the cookies and other tracking devices implemented on the Platform will be stored in accordance with the applicable regulations for a period not exceeding thirteen (13) months.

6.4 Cookie data

The data collected by cookies are stored for the following periods:

Cookie name	Lifetime
_session_id	1 month
_stripe_mid	1 year
_stripe_sid	30 minutes
_pk_id*	1 month
_pk_ses*	End of the session

7. Third-party website and services

The Platform and Services contain links to third-party websites and services, including for the purpose of enabling you to share visual documents on such third-party websites and services. Draft has no control over the content, privacy policy, or actions of these third-party websites and services and is not liable for any transfer or disclosure to third parties of information contained in your visual documents when you post such visual documents on these third-party websites or services.

The use of the information that you may provide to third parties on other websites or services or that these third parties may gather on those other websites or services is not governed by this Privacy Policy. You should carefully examine the privacy and data protection policies of any third-party websites and services and contact the publishers of these websites and services should you have any questions about the way in which they use your personal data. Draft hereby disclaims liability for any failure by a third party to use your personal data in accordance with their confidentiality policy or in accordance with any contractual or legal obligation that is binding upon them.

Our third-party cookie partners:

Stripe	Used for fraud prevention purposes to assess the risk associated with a transaction attempt
Matomo (self-hosted)	Used to measure how users interact with our platform and to help us analyze these interactions

8. Security

Draft has implemented appropriate technical and organizational measures to guarantee the confidentiality and the security of your personal data against any loss, destruction, alteration, unauthorized access, or disclosure. In particular:

Draft’s computer systems are equipped with state-of-the-art hardware and software protections. Physical and electronic backup of the data collected on the Platform is implemented in compliance with the French and European data protection regulations.
Draft’s employees who may access your personal data in the performance of their duties are subject to confidentiality obligations.
Draft's service providers and sub-processors are bound by written agreements to implement adequate security measures to ensure the protection of your personal data in accordance with applicable legislation.
All data you provide through the Platform and the Drafts Services is encrypted using the HTTPS protocol in accordance with the TLSv1.2 standard (or higher) to protect the data in transit between your terminal and the Draft servers and in accordance with the AES 256 encryption protocol on the Draft servers.

9. Change and update to the Privacy policy

This Privacy Policy may be amended and updated to take account of changes in Draft's practices or to ensure compliance with any changes to regulations.

In the event of a change or update, the updated Privacy Policy will be made available on the Platform with the last update date. You will be informed by a banner on the Platform inviting you to consult the updated Privacy Policy.

10. Your rights and options

10.1 Access and rectification

You have the right to access your personal data and to request the rectification or deletion of any inaccurate data. If you have a Draft account, you can directly access the data contained in your online account and rectify/delete them if needed.

10.2 Erasure

You may also request the deletion of your personal data if it is no longer necessary to Draft.

10.3 Opposition and limitation

You may also object to the processing of your personal data or request to limit its processing unless the processing is necessary for the management of the subscribed services.

10.3.1 Opposition to the storage of cookies

The deposit of cookies on your device is subject to your consent unless they enable or facilitate our electronic communication or are strictly necessary for the provision of the service. You can choose to accept or refuse all or some of the cookies we use at any time.

10.3.1.1 Accept, reject or configure cookies on your first visit

As soon as you access our Platform, a banner containing information on how cookies are used is displayed. This banner allows you to accept or refuse all or part of the cookies.

You can change your preferences at any time by clicking on "I want to choose" on the cookie banner icon at the bottom of the page. You can also withdraw your consent at any time by clicking on "No, thanks".

10.3.1.2 Accept, refuse, or manage cookies via your browser or smartphone.

You can also manage cookie deposits via your browser settings. You can choose to accept or refuse them, either systematically or according to their origin. You can also configure it so as to be notified in the presence of a new cookie before it is deposited in order to accept or refuse it.

You can also change your smartphone's privacy settings.

The cookie management tools differ depending on your browser or smartphone.

Please note that your settings are likely to modify your internet browsing and your conditions of access to certain services requiring the use of cookies.

10.4 Withdrawal of consent

You may exercise your right to portability (i.e. to obtain your data in a structured machine-readable form) with regards to the personal data which you have submitted to Draft directly on the basis of your consent or your contract and which are subject to automated processing.

10.5 Portability

10.6 Instructions

You may also let Draft know your instructions regarding the preservation, erasure, and disclosure of your personal data after your death and modify these instructions at any point in time.

These rights may be exercised directly with Draft in accordance with the terms below. You may be asked for proof of identity.

11. Contact Draft

If you have any questions about this policy and Draft's personal data protection practices, please do not hesitate to contact us via the "Contact Us" section on the Platform, by sending an email at hi@draft.io or by sending a letter addressed to Draft SAS, 3, rue de l'Ouche Brûlée, 44118 La Chevrolière France.

In the event of a dispute concerning the way in which Draft collects and processes your personal data, you can file a complaint to the CNIL, France’s data protection authority via the following link: https://www.cnil.fr/fr/plaintes/ or, if you live in another country of the European Union, to the supervisory authority of your usual place of residence or of the place where you have been in contact with Draft.

Terms and Privacy

Privacy policy