1. Roles and Scope

DraftDrop is operated by Michael Tarchyla. For this website, product support, license service, and related customer operations we run directly, Michael Tarchyla acts as the data controller. Stripe processes payment data under its own terms and privacy notice.

Contact: [email protected] | LinkedIn profile

2. Data We Process

• Website usage data: IP address, device/browser metadata, pages viewed, timestamps, referrer.
• Cookie preferences: consent status stored in local storage/cookies.
• Contact data: name, email, and message content submitted through contact channels.
• Download tracking data: IP address, user-agent, requested page/source, version label, and timestamps when download links are used.
• Licensing and subscription metadata: order reference, subscription ID, product identifier, license key metadata, customer email, and status events received from Stripe webhooks.
• License email delivery data: purchase email, order identifier, plan label, and generated license key delivery metadata.
• Optional app-side AI and voice data: if you enable remote AI providers, note content and prompts may be sent to the provider you configure. If you enable voice input, microphone audio is processed for transcription.

3. Legal Bases (GDPR Art. 6)

• Contract performance: providing licenses, subscription status handling, email delivery, and support for purchased plans.
• Legitimate interests: service security, fraud prevention, diagnostics, support handling, and understanding which website entry points lead to downloads.
• Consent: analytics cookies and analytics tracking (only after your explicit opt-in).
• Legal obligations: compliance, record keeping, and lawful requests from authorities.

4. Purposes of Processing

• Operate and secure the website and licensing API.
• Process support requests and customer communications.
• Send license emails after successful purchases.
• Validate licenses and enforce subscription entitlement states.
• Measure download link usage and basic attribution source data.
• Analyze aggregate website traffic where analytics consent is provided.
• Transmit user-selected note content to remote AI providers only when the user enables and configures those providers.

5. Recipients and Service Providers

We share data only with providers needed to deliver the service, including:

• AWS (hosting, infrastructure, API delivery, and storage).
• Cloudflare (DNS, proxy, and delivery/security layer).
• Google Analytics 4 (optional analytics, consent-based).
• Stripe (checkout, billing, subscription management, and payment processing).
• Resend (license email delivery).
• Telegram (delivery of support/contact notifications and internal operational summaries).
• User-selected remote AI providers such as OpenAI, Anthropic, Google, DeepSeek, or a custom OpenAI-compatible endpoint, only when enabled by the user inside the app.

6. International Data Transfers

Some providers may process data outside your country. Where required, transfers are based on lawful safeguards such as Standard Contractual Clauses or equivalent legal mechanisms.

7. Data Retention

• Contact requests: up to 24 months after last communication, unless longer retention is legally required.
• License/security logs and billing metadata: while the account/license is active and up to 6 years for legal, accounting, chargeback, or fraud-defense purposes.
• Download tracking counters and related identifiers: retained as needed for product analytics, abuse prevention, and operational reporting.
• Analytics data: according to configured GA4 retention settings, only when consent was granted.

8. Your Rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object, and request portability of personal data. You may also withdraw cookie consent at any time using the Cookie settings link in the website footer.

To submit a privacy request, contact [email protected].

9. Providing Data and Consequences

Providing website analytics consent is optional. Providing contact details is required only if you want a reply from support. For paid transactions, billing and payment data required by Stripe must be provided to complete checkout under Stripe's legal terms. Remote AI providers inside the app are optional and only used when you configure and enable them.

10. Complaints to Supervisory Authorities

If you believe your data is handled unlawfully, you can lodge a complaint with your local data protection authority. For users in Poland, this is the President of the Personal Data Protection Office (UODO).

11. Automated Decision-Making

We do not use solely automated decision-making that produces legal or similarly significant effects under GDPR Art. 22.

12. Children

DraftDrop is not directed to children under 16, and we do not knowingly collect personal data from children.

13. US State Privacy Notice (incl. California)

We do not sell personal information for money. Depending on applicable US state law, you may have rights to know, delete, correct, and opt out of certain sharing/targeted advertising uses. DraftDrop currently operates as a small business and may not meet all state-law statutory thresholds in all periods; however, we honor verified privacy requests where required by applicable law.

14. Changes to this Policy

We may update this policy from time to time. Material changes will be posted on this page with a new effective date.