Privacy Policy

1. Introduction

This Privacy Policy describes how Draftr ("we," "us," or "our") collects, uses, stores, and shares information when you use our email productivity application and related services (the "Service").

Draftr helps you manage your email and scheduling more efficiently by providing AI-assisted draft replies, writing-style personalization, inbox categorization, and optional scheduling support.

By using Draftr, you agree to this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create a Draftr account, we collect your name, email address, and authentication credentials. This information is required to provide and secure your account.

2.2 Google User Data (Gmail & Google Calendar)

When you connect your Google account, we access only the minimum data required to provide your selected features. This includes:

From Gmail (Restricted Scope)

Used only for email-related features you initiate

• Email content (subject lines & body text): Used solely to generate contextual draft replies.
• Sent email content: Used only to learn your writing style so Draftr's suggestions match your tone.
• Email metadata (timestamps, labels, folders): Used solely for inbox categorization and organization.
• Sender/recipient information: Used solely to support contextual drafting.

Storage: Gmail message content is processed in real time and never stored. We may store non-reversible vector embeddings derived from your sent messages solely for writing-style personalization. These cannot be reconstructed into original content.

From Google Calendar (Restricted Scope)

Used only for scheduling-related features you initiate

• Event summaries, titles, times, attendees, and locations: Used solely to provide context for drafting emails, understanding availability, or assisting with scheduling suggestions.
• Calendar metadata: Used solely to support user-facing scheduling features.

Storage: Calendar event content is processed in real time and never stored. No Calendar data is used for analytics, advertising, profiling, or model training.

2.3 Usage Information (Non-Google Data Only)

We collect non-Google usage data such as:

• Feature usage patterns
• App preference settings
• Non-Google performance metrics

This data never includes Gmail or Calendar content or metadata.

2.4 Device Information

We may collect device details (IP address, browser type, operating system, device identifiers) for security and fraud-prevention purposes.

3. How We Use Your Information

3.1 Google User Data (Gmail & Calendar) — Limited Use

We use Gmail and Calendar data obtained through restricted-scope APIs only to provide user-visible features that you explicitly initiate.

Gmail-related features include:

• Generating AI-assisted draft replies
• Learning your writing style (per-user only)
• Categorizing and labeling emails

Calendar-related features include:

• Drafting emails that involve scheduling
• Understanding your availability
• Presenting scheduling suggestions
• Displaying relevant event context inside the app

Google User Data Is Never Used For:

• Advertising or marketing
• Retargeting or interest-based advertising
• Selling or renting data
• Market research or analytics
• Training general-purpose AI or ML models
• Product development beyond the immediate feature you initiate
• Combining with third-party data for profiling or ad targeting

3.2 Service Improvement (Non-Google Data Only)

We use only non-Google data to:

• Maintain performance
• Improve stability
• Develop new features
• Provide support
• Diagnose technical issues

Gmail and Calendar content or metadata is never used for general service improvement or analytics.

3.3 Security and Compliance

We use your information to:

• Detect abuse or fraud
• Protect platform integrity
• Comply with legal obligations

These uses do not expand our permissions beyond Google's policies.

4. Restrictions on Use of Google User Data

These restrictions apply to all Gmail and Calendar data.

4.1 No Data Transfers Except as Permitted

We do not transfer Gmail or Calendar data to third parties except:

• To provide or improve core features you use
• For security purposes (e.g., abuse investigation)
• To comply with applicable law
• As part of a merger/acquisition with your explicit prior consent

4.2 No Human Access Except in Narrow Cases

Draftr employees and contractors do not read your Gmail or Calendar content except when:

• You explicitly request it (e.g., support)
• It is necessary for security or abuse investigation
• Required by applicable law
• Data is aggregated and anonymized

4.3 Prohibited Uses

We will never use Gmail or Calendar data for:

• Advertising, retargeting, or personalized ads
• Data sales, rental, or transfer to brokers
• Creditworthiness or lending decisions
• Surveillance or monitoring
• Model training beyond your individual account
• Creating datasets for general AI models

4.4 No General AI/ML Model Training

We do not use Gmail or Calendar data to train:

• General-purpose AI models
• Shared models across users
• Any system outside your individual Draftr account

Your data never improves models for other users.

5. Information Sharing and Disclosure

5.1 Service Providers

We work with trusted infrastructure vendors. These providers:

• Are contractually obligated to protect your data
• May use data only to perform services for Draftr
• Do not receive or store Gmail or Calendar content except when required to provide a user-initiated feature
• May not use your data to train their models

(This applies equally to OpenAI, Anthropic, or any similar provider, if used.)

5.2 Legal Requirements

We may disclose information if required by courts, laws, or government requests.

5.3 Business Transfers

If Draftr is acquired or merges, we will:

• Request your explicit consent before transferring Google User Data
• Provide notice before any changes take effect

6. Data Security

6.1 Encryption

• TLS 1.2+ encryption for data in transit
• AES-256 encryption for data at rest

6.2 Access Controls

• Role-based access
• Encrypted OAuth tokens
• Secure key management

6.3 Monitoring & Audits

• Continuous monitoring
• Regular penetration testing
• CASA Tier 2 compliance
• GDPR-aligned practices

6.4 Incident Response

We notify Google and affected users promptly if a security incident involves Google User Data.

7. Data Retention

• Account Data: Stored while your account is active
• Gmail Content: Not stored
• Calendar Content: Not stored
• Embeddings: Stored only for writing-style personalization
• Usage Data: Retained only in aggregated form
• Deleted Accounts: All personal data deleted within 30 days

8. Your Rights & Choices

You may:

• Access your personal data
• Request corrections or deletion
• Download/export your data
• Withdraw consent
• Disconnect Google access at any time
• Disable features that use Gmail or Calendar data

Contact: privacy@draftr.org

We respond within 30 days.

9. Third-Party Services

9.1 Gmail & Google Calendar Integrations

Draftr complies with:

• Google API Services User Data Policy
• Additional Requirements for Restricted Scopes
• Google Workspace API Data Policy
• Google's Limited Use requirements

Your use of Gmail and Calendar is subject to Google's Privacy Policy and Terms of Service.

9.2 Other Integrations

Other connected services follow their own privacy policies.

10. International Data Transfers

We use lawful mechanisms such as:

• Standard Contractual Clauses
• Adequacy decisions
• Equivalent safeguards

11. Children's Privacy

Draftr is not for children under 13. We delete such data if discovered.

12. Changes to This Policy

We notify users of significant changes before they take effect.

13. Contact Us

We respond within 30 days.