Privacy Policy
Last updated · May 14, 2026
This Privacy Policy describes how DraftYourApp ("we", "us") collects, uses and protects your personal data when you use the DraftYourApp application (the "Service"). By using the Service you agree to the practices described here.
1. Data we collect
When you sign in with Google we receive your email address, name and profile picture. We store these to identify you, populate your workspace and send you transactional emails.
We also store:
- Apps, components and configurations you create with the builder.
- API connections you configure. Credentials and OAuth tokens are encrypted at rest using AES-256-GCM.
- Billing data managed by Stripe (we never store payment card details on our servers).
- Aggregated technical logs (timestamps, status codes, error traces) for debugging and abuse prevention.
2. How we use your data
We process personal data to:
- Authenticate you and operate the Service.
- Deploy the apps you build to our hosting provider.
- Charge your subscription and provide receipts.
- Send transactional emails (sign-in confirmation, billing receipts, trial and renewal notices, security alerts).
- Diagnose errors and improve reliability.
We do not sell your personal data and we do not use the content of your apps to train AI models.
3. Third-party processors
We rely on the following sub-processors to deliver the Service. Each is bound by a data-processing agreement appropriate to the jurisdiction.
- Google (OAuth authentication).
- Supabase (database hosting and authentication backend).
- Vercel (application hosting and edge network).
- Stripe (payment processing).
- Resend (transactional email delivery).
- OpenAI / Anthropic (AI generation, only when explicitly invoked).
- Sentry (error monitoring).
- Upstash (rate limiting).
4. Data retention
We retain your account data for as long as your account is active. You can delete your account from Settings at any time. Deleting your account permanently removes your apps, configurations, connections, encrypted credentials and audit logs within 30 days. Stripe and Sentry retain limited records for legal and accounting purposes.
5. Your rights
Under the GDPR, the CCPA and similar regulations you have the right to access, rectify, port and erase your personal data, and to object to or restrict certain processing.
You can exercise these rights directly from the application:
- Export your data: visit Settings → Data & privacy and click Export my data.
- Delete your account: same screen, click Delete account.
For other requests, contact us at privacy@draftyourapp.com.
6. Security
Communications use TLS in transit. Sensitive credentials are encrypted at rest with AES-256-GCM. Database access is restricted via Row Level Security. Webhook payloads are verified with cryptographic signatures.
7. International transfers
Our infrastructure runs primarily in the EU and the United States. When data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards.
8. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from minors.
9. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or through a prominent notice in the Service before they take effect.
10. Contact
Questions, requests or complaints? Write to privacy@draftyourapp.com.