Legal
Privacy Policy
Last updated:
Draftiro ("we," "us," or "our") is committed to protecting the privacy and confidentiality of the legal professionals who use our platform. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to that data.
1. Data We Collect
We collect the following categories of data when you use Draftiro:
- Account information: Name, email address, and (if you sign in with Google) profile picture. You can register with either email + password or Google OAuth — passwords are stored as bcrypt hashes by Supabase Auth and are never visible to us.
- Case data: Case names, client information, notes, deadlines, and related metadata you enter into the platform.
- AI conversation history: Messages you send to and receive from the AI assistant, stored per-case for continuity.
- Uploaded documents: Files you upload to cases (PDFs, Word documents, etc.) stored in your account storage.
- Calendar events: Calendar data synced from your connected Outlook calendar, limited to event titles, dates, and times.
- Usage data: Feature interactions, page views, and error logs used to improve service reliability.
2. How We Use Your Data
We use the data we collect solely to:
- Provide, operate, and maintain the Draftiro service.
- Process AI queries and return relevant legal research and drafting assistance.
- Sync and display your connected calendar events within the platform.
- Send transactional emails (billing confirmations, account alerts, support responses).
- Improve the quality of the AI service — only with your opt-in consent. You may opt out of contributing anonymized usage data to AI quality improvements at any time from your account settings.
- Detect, investigate, and prevent fraudulent or illegal activity.
We do not use your data for advertising, behavioral profiling, or any purpose unrelated to delivering and improving the Service.
3. Data Storage
Your data is stored on the following infrastructure:
- Database & file storage: Supabase PostgreSQL database and Supabase Storage, hosted on Amazon Web Services (AWS) us-east-1 (Northern Virginia, USA).
- Application delivery: Vercel global CDN for frontend delivery. No user data is stored on Vercel's CDN.
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase's security practices and certifications are documented at supabase.com/security.
4. AI Processing
When you send messages to the AI assistant, your query and relevant case context are transmitted to the Google Gemini API for processing. Google's privacy policy governs how Google handles data sent to its API and is available at policies.google.com/privacy.
Your data is never used to train AI models. Draftiro uses the Google Gemini API on Google's paid tier, under terms that prohibit using your inputs or outputs to train Google's models. Gemini calls are stateless. Your AI conversation history is stored in your Draftiro account and is visible only to you.
5. Data Sharing
We do not sell your personal data. We share your data only with the following service providers strictly as necessary to deliver the Service:
- Supabase: Database and file storage infrastructure.
- Vercel: Application hosting and global content delivery.
- Google / Gemini API: AI processing of queries you submit (see Section 4).
- Stripe: Payment processing for paid subscriptions. Draftiro does not store your full credit card information. Stripe's privacy policy applies to payment data.
We may also disclose your data when required by law, regulation, or valid legal process (e.g., a court order or subpoena), or to protect the safety, rights, or property of Draftiro or its users.
6. Attorney-Client Confidentiality
Draftiro stores the content you enter into the platform (including client-related case notes and documents) but does not analyze, review, or access this content outside of fulfilling your AI queries and displaying it back to you.
We do not assert any privilege over your data, nor does our processing of your data waive any attorney-client privilege you hold. All content is encrypted in transit and at rest. Access controls ensure that only you (and any team members you explicitly authorize under a Practice plan) can view your cases and documents.
You remain solely responsible for complying with your jurisdiction's professional responsibility rules regarding the use of third-party technology services with confidential client information.
7. Your Rights
You have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Export: Download your cases, documents, and AI conversation history from your account settings at any time.
- Correction: Update inaccurate account information directly in your profile settings.
- Account deletion is a reviewed request. When you request deletion, we run legal-hold and billing checks, then delete or irreversibly anonymize your firm's data — typically within 30 days of a verified request. Encrypted backups age out on their normal cycle. Export anything you want to keep first.
To exercise any of these rights, contact us at privacy@draftiro.com. We will respond within 30 days.
8. GDPR & CCPA
EU/EEA residents (GDPR): If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to data portability, the right to restrict processing, and the right to lodge a complaint with your national data protection authority. Our legal basis for processing your data is the performance of a contract (providing the Service you subscribed to).
California residents (CCPA/CPRA): If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your California rights, contact us at privacy@draftiro.com.
9. Cookie Policy
Draftiro uses a minimal number of cookies strictly necessary for the operation of the Service:
- Authentication session cookie: A secure, HTTP-only cookie used to maintain your logged-in session. This cookie is set by Supabase Auth and expires when you sign out or after a period of inactivity.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and/or a notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our privacy team at: privacy@draftiro.com