Privacy Policy

Overview

Draftli ("we", "us", or "our") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

This policy applies to all users of the Draftli platform, including creators who create accounts and their clients who access review pages.

Operator and Controller

Draftli is operated from Bulgaria (European Union). References to "Draftli", "we", "us", and "our" in this Policy mean the operator. Full legal entity details will be published here once available; in the meantime, please use the contact addresses below for any privacy or legal correspondence.

For privacy questions, contact us at privacy@draftli.io. For legal questions, contact us at legal@draftli.io.

Data Controller & Processor Roles

Draftli serves as a platform that creators use to share deliverables with their clients. This creates a specific relationship under data protection law:

• For creator accounts: Draftli is the data controller. We determine how your account data, uploaded content, and usage information are processed.
• For clients using review pages: The creator who shared the review link with you is the data controller — they decided to collect your data (such as your name, comments, and approval actions) by sharing the review page with you. Draftli acts as a data processor, operating the platform on the creator's behalf.

If you are a client using a review page and wish to exercise your data rights (access, correction, deletion, or portability), you may contact the creator who shared the link with you directly, or reach out to us at privacy@draftli.io and we will assist in directing your request.

Information We Collect

We collect the following categories of information:

• Account information: email address, business name, and authentication credentials when you create an account.
• Uploaded content: files you upload for client review, including images and PDFs.
• Review data:annotations, comments, and approval actions made by clients on review pages. Clients can edit or delete their own comments without signing in; to make this possible, an opaque random token is stored locally in the client's browser (only a one-way hashed form ever reaches our servers).
• Payment information: processed securely by Stripe. We do not store credit card numbers or full payment details on our servers.
• Usage data: information about how you interact with the Service, including pages visited and features used.
• IP address:we log your IP address when you make a payment, download a file, or submit an abuse report. For file downloads, we also log your browser's user-agent string.
• Authentication data from Google: if you sign in with Google, we receive your email address (and, if available, your name and profile picture) from Google for the purpose of creating and authenticating your account.

Projects with deposits.For projects where the creator has configured a deposit, Draftli stores two payment rows per project — one for the deposit and one for the final balance — together with a timestamped client acknowledgement (consent record) that includes the client's IP address and the version of the disclosure terms shown. The acknowledgement is captured at the moment the client clicks "I authorize" on the payment disclosure interstitial, before being redirected to Stripe. This data is purpose-limited to transaction processing and chargeback defense. Proofing-only projects do not generate payment data; for such projects, no payment-related information is collected by Stripe or stored by Draftli.

How We Use Your Information

• To provide, maintain, and improve the Service.
• To process transactions and send related notifications via email.
• To generate watermarked preview versions of uploaded content for client review.
• To respond to your requests, comments, or questions.
• To detect, investigate, and prevent fraudulent or unauthorized activity.
• To measure aggregate, anonymous usage of the Service via Plausible Analytics. In addition to pageviews, we record non-identifying usage events related to account, project, and payment activity; aggregate revenue figures (amount and currency) on payment events; and real-user performance metrics. We attach segmentation properties such as your subscription tier and whether you are signed in. URLs are sanitized before being sent so that private review-link tokens are never transmitted, and we never send identifiers such as email addresses, account or project identifiers, share tokens, file names, client names, or business names. Plausible does not use cookies or persistent identifiers; your IP address is used only to derive an anonymous, daily-rotating visitor hash and is then discarded.
• To investigate and defend against fraud, chargebacks, and abuse.
• To comply with legal obligations.

Lawful Bases for Processing (GDPR)

Where the GDPR applies, we rely on the following Article 6 lawful bases for processing your personal data:

• Performance of a contract (Art. 6(1)(b)) — for account creation, project hosting, payment processing, and providing the Service to you under our Terms of Service.
• Legal obligation (Art. 6(1)(c)) — for retaining financial transaction records to meet tax and accounting requirements, and for responding to lawful requests from authorities.
• Legitimate interests (Art. 6(1)(f)) — for fraud detection and prevention, abuse investigation, security monitoring, and aggregate, privacy-friendly usage analytics. We balance these interests against your rights and freedoms; you may object at any time by contacting privacy@draftli.io.
• Consent (Art. 6(1)(a)) — where specifically requested (for example, optional marketing communications, if and when offered). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Data Storage & Security

Your data is stored securely using Supabase infrastructure. Uploaded files are stored in separate storage areas — watermarked previews are publicly accessible via review links, while original files are stored in a private area with no public access and are only released after client approval and payment.

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest. However, no method of transmission over the Internet is 100% secure.

Data Breach Notification. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR, and notify the competent supervisory authority within 72 hours of becoming aware where required by Article 33 GDPR.

Third-Party Services (Sub-processors)

We use the following third-party services to operate the platform. When Draftli acts as a data processor on behalf of creators, these services act as sub-processors:

• Supabase: authentication, database, and file storage.
• Stripe: payment processing (Stripe Connect for client payments; Stripe Billing for subscription payments). Stripe processes payment data under its own Privacy Policy.
• Vercel: hosting and deployment.
• Resend: transactional email delivery.
• Plausible Analytics (Plausible Insights OÜ, Estonia): cookieless, EU-hosted product analytics. See Plausible's Privacy Policy.
• Cloudflare: Turnstile bot protection on sign-in, sign-up, and comment forms. See Cloudflare's Privacy Policy.
• Google:OAuth sign-in (when you choose "Continue with Google"); and, with your explicit consent, Google Ads conversion tracking to measure which marketing campaigns bring creators to Draftli. See Google's Privacy Policy.

Cookies

We use essential cookies to maintain your authentication session and preferences. By default, we do not use advertising or tracking cookies. With your explicit consent, we use a small number of Google Ads cookies to measure subscription sign-ups; you can revoke this at any time from our Cookie Policy. Our product analytics service (Plausible) is fully cookieless. For more details, see our Cookie Policy.

Testimonials

After a creator completes a project through Draftli (either a fully-paid project or a proofing-only project that has been approved by their client), we send them a one-time email invitation to submit a testimonial. Submission is voluntary and there is no incentive offered in exchange.

What we collect when you submit: the quote you write, your role and company/studio, a photo (if you choose to upload one), a portfolio link (if you choose to provide one — a Behance, Dribbble, or Instagram profile URL), the timestamp of your submission, your IP address (for abuse triage), and the explicit consent you give by ticking the consent checkbox on the submission form.

Lawful basis: consent under UK GDPR / GDPR Art. 6(1)(a). We do not rely on legitimate interests or any other lawful basis for testimonial publication.

Where it appears: once approved by us, your testimonial may be displayed on the Draftli marketing website (draftli.io, including the landing page and the pricing page) and on related Draftli-owned marketing surfaces. We do not currently republish testimonials on social media, in paid advertising, or in third-party publications; if we ever wanted to do so, we would ask for your separate consent first.

Retention: approved testimonials remain published until you withdraw consent or until we remove them at our discretion. The consent record itself (timestamp, IP, the version of the consent text shown to you) is retained for as long as the testimonial is published plus a reasonable period thereafter to evidence lawful processing.

Withdrawing consent: you may withdraw your consent at any time by emailing privacy@draftli.io. On withdrawal, we will remove the testimonial from all Draftli marketing surfaces within 30 days. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

Accuracy & honesty:testimonials must reflect your genuine experience. Per the U.S. Federal Trade Commission's 2023 Endorsement Guides, if we ever offer any material incentive (e.g. a free upgrade) in exchange for a testimonial, the testimonial itself will carry a clear disclosure of that relationship. As of the date above, no such incentive is offered.

Data Retention

We retain your account, profile, and project data for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except as described below. Financial transaction records (including payment amounts, dates, and Stripe transaction identifiers) are retained as required by applicable tax and accounting regulations, typically 6–10 years, even after account deletion. Download logs are retained with the project and deleted when the project is deleted.

International Data Transfers

Some of our sub-processors (including Supabase, Stripe, and Vercel) may process or store data outside of your country, including in the United States. Where required, these transfers are protected by Standard Contractual Clauses and/or the EU-US Data Privacy Framework. Plausible Analytics is hosted exclusively in the European Union.

Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request that we correct inaccurate data.
• Deletion: request that we delete your personal data.
• Portability: request an export of your data in a machine-readable format.
• Objection: object to our processing of your personal data.

You can exercise your right to data export and account deletion directly from your Account Settings. For other requests, contact us at privacy@draftli.io. The data export includes both payment rows for deposit-enabled projects together with the timestamped client acknowledgement records described above; the cascading deletion that runs when an account is deleted removes those rows alongside the rest of your project data, subject to the financial-records retention exception in the "Data Retention" section.

Right to lodge a complaint. If you believe our processing of your personal data infringes data protection law, you have the right to lodge a complaint with a data protection supervisory authority — in particular, the authority of the EU/EEA member state where you live, work, or where the alleged infringement occurred. As Draftli is established in Bulgaria, our lead supervisory authority is the Commission for Personal Data Protection (Комисия за защита на личните данни) — www.cpdp.bg. A list of EU authorities is available at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.

Notice for California Residents (CCPA/CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act (as amended by the CPRA). It applies to California residents and supplements the rest of this Policy.

Categories of personal information collected. In the past 12 months we have collected the following categories of personal information:

• Identifiers — email address, name, IP address.
• Commercial information — subscription tier, payment metadata, transaction records.
• Internet or other electronic network activity — page interactions, download events, aggregated performance metrics.
• Audio, visual, or similar information — uploaded files where applicable (image and PDF deliverables).
• Inferences — limited to aggregate usage patterns; we do not build individual consumer profiles.

We collect this information directly from you, automatically when you use the Service, and from Stripe and Google when you use those features.

Purposes. Operating and providing the Service, processing payments, fraud prevention, security, legal compliance, and aggregate, privacy-friendly analytics — as described elsewhere in this Policy.

No sale or sharing for cross-context behavioral advertising. We do not sell your personal information and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months.

Sensitive personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA without limitation rights, and we do not use it for the purpose of inferring characteristics about a consumer.

Your CCPA/CPRA rights. If you are a California resident, you have the right to know what personal information we collect and how we use it; the right to delete your personal information; the right to correct inaccurate personal information; the right to data portability; the right to opt out of the sale or sharing of your personal information (not applicable — we do neither); the right to limit the use and disclosure of sensitive personal information (not applicable — see above); and the right not to be subject to retaliation for exercising any of these rights. To exercise any of these rights, use the export and delete tools in your Account Settings or contact us at privacy@draftli.io. We verify requests by matching against the email address on your account.

Authorized agents.You may designate an authorized agent to make a request on your behalf. We will require written proof of the agent's authority and may verify your identity directly.

Retention.See the "Data Retention" section above for the periods for which we retain each category of personal information.

Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a new "Last updated" date.

Contact

If you have questions about this Privacy Policy, contact us at privacy@draftli.io.