Privacy Policy

1. How We Protect Your Data

This Website is designed to be a "client-side" utility. This means it works like a calculator or a pen and paper: it is a tool you use locally, not a service that collects your information.

• Everything Stays on Your Device: All processing happens inside your web browser. When you enter information or create a document, that data is stored only in your computer's temporary memory (RAM). It is never sent to our servers or stored by us.
• We Cannot See Your Data: Because we do not use a central database, we have no technical way to see, access, or retrieve any information you type. We cannot provide your data to anyone else because we never have possession of it.
• Instant Deletion: Your data is temporary. As soon as you close the browser tab, refresh the page, or end your session, all information you entered is immediately and permanently erased from your device's memory.
• No Tracking or Transmission: The Website does not "phone home." We do not use any background tools to track your inputs, nor do we mirror your data to any third-party services. Your session is private and stays between you and your browser.

2. Information We Do Not Collect and Our Legal Basis

The Website is engineered to function without the collection of Personal Data. To meet global transparency standards (including GDPR, CCPA/CPRA, and PIPEDA), we categorize the data associated with our platform into three distinct areas:

A. Your Information (What Stays on Your Device)

We do not collect, store, or process any "Personal Information" or "Personal Data." We do not collect any categories of personal information directly through the Website. Because our software logic runs entirely in your own web browser, the following information never reaches our servers:

• Identifiable Details: We do not ask for or store your name, email, phone number, or government identifiers within the tool itself.
• Form Inputs: The answers you provide and the business details you select while using our generator stay in your browser. They are never transmitted to us.
• Your Documents: The final text of any policy you create exists only on your local device. We cannot read your documents, and we do not have a copy of them.

B. Payment and Donation Data

We do not process payments directly on the Website. If you choose to make a voluntary donation, you will be redirected to Stripe, our secure third-party payment processor. Stripe acts as an independent data processor and handles your payment information under their own Privacy Policy and Data Processing Agreement. We encourage you to review Stripe's privacy practices at stripe.com/privacy.

• What Stripe Collects: To process your payment and prevent fraud, Stripe collects your name, email, billing address, and payment details directly on their platform.
• What We See: As the account holder, we can see the name, email address, and billing details associated with your donation in our Stripe dashboard. We use this information only to manage your donation or provide support. We do not see or store your full credit card number or CVV.
• Legal Basis: Processing of donation records is based on contractual necessity (GDPR Art. 6(1)(b)) to fulfil your transaction, legal obligation (Art. 6(1)(c)) to meet financial recordkeeping and tax requirements, and legitimate interests (Art. 6(1)(f)) in managing our donation activity.

C. Technical Logs and Infrastructure Security

When you visit the Website, your browser automatically shares basic technical details so the site can load properly. This data is handled by our infrastructure provider, Cloudflare.

• Technical Metadata: This includes your IP address, browser type, and the time of your visit. Under the GDPR, we process this based on Legitimate Interests (Art. 6(1)(f)) as a technical necessity to keep the site secure.
• Log Retention: We do not directly retain technical logs. Cloudflare retains security and infrastructure logs in accordance with their own data retention policies. For details, please refer to Cloudflare's Privacy Policy at cloudflare.com/privacypolicy.
• Cross-Border Processing: Cloudflare operates a global network, meaning technical metadata may be processed on servers located outside your home country, including in the United States. Where such processing occurs outside of Canada, Cloudflare relies on appropriate safeguards including Standard Contractual Clauses (SCCs) to ensure your data is protected to a standard equivalent to that of the GDPR.
• Strictly Necessary Cookies: While we do not use tracking or advertising cookies of any kind, Cloudflare may place security cookies (such as _cf_bm for bot detection or cf_clearance for CAPTCHA) to identify malicious traffic and protect the Website from cyber-attacks. These cookies do not track your personal identity and do not require your consent under applicable law.
• Global Privacy Control (GPC): The Website recognizes and honors Global Privacy Control (GPC) signals. Because our architecture is designed to prevent tracking and data collection by default, your request to opt-out is technically pre-fulfilled for every visitor.

3. User Rights and Global Compliance

International privacy laws (such as the GDPR, CCPA/CPRA, and PIPEDA) grant you specific rights over your personal data. Because DraftPolicy processes data in three distinct ways, your rights apply differently depending on how you interact with the Website.

A. Tool Usage (The Document Generator)

Since we do not transmit, see, or store any information you enter into the generator, we hold no records to provide, rectify, or delete. You maintain exclusive control of your data at all times.

To exercise your rights: simply close your browser tab or clear your cache. Your data is immediately and permanently erased from your device's memory. Because we hold no user database, we cannot fulfill a formal Access Request for tool usage — we cannot give you what we do not have.

B. Voluntary Donations (Stripe)

If you choose to support the Website via a donation, a transaction record is created in our Stripe account. This is the only context in which we hold identifiable personal data.

• Records we maintain: Name, email address, and billing details associated with your donation, retained to meet financial recordkeeping and tax obligations.
• Legal basis: Contractual necessity, legal obligation (GDPR Art. 6(1)(c)), and legitimate interests in financial recordkeeping.
• Your rights: You may request access to, rectification of, or erasure of your donation record. Note that erasure may be limited where retention is required by law (e.g., tax records). To exercise these rights, contact us at info@draftpolicy.com with your transaction ID.

C. Technical Metadata (Infrastructure and Security)

When you load the Website, standard technical metadata (such as your IP address and browser User Agent) is processed by our infrastructure provider, Cloudflare.

• Security monitoring: While we have disabled detailed visitor analytics, we utilize Cloudflare's security tools to protect the Website from malicious activity such as brute-force attacks or automated scrapers.
• What we see: If a request is flagged as a potential threat, Cloudflare logs the associated IP address, country of origin, and a unique Ray ID for the event. We use this data exclusively for security forensics to maintain the integrity of the platform.
• Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) in defending against cyber-attacks and ensuring website uptime.
• How to limit this: You may use a VPN or a privacy-focused browser to mask your IP address from the network layer.

D. California Residents (CCPA/CPRA)

We do not sell, rent, or share personal information as defined under the California Consumer Privacy Act (CCPA/CPRA). We do not collect any categories of personal information directly through the Website. The limited donation and infrastructure data described above is never sold or disclosed for advertising purposes. California residents retain all rights granted under the CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of sale — though no sale occurs.

E. Supervisory Authority Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Canada, this is the Office of the Privacy Commissioner (priv.gc.ca). In the EU, contact your national data protection authority. In the UK, contact the Information Commissioner's Office (ico.org.uk). In the United States, relevant complaints may be directed to the Federal Trade Commission (ftc.gov) or your state attorney general.

Exercising Your Rights

Address all formal privacy inquiries to our Privacy Officer at info@draftpolicy.com. For donation-related requests, please include your transaction ID so we can locate your record. We will respond within the timeframe required by your applicable law, typically 30 days (GDPR/PIPEDA) or 45 days (CCPA/CPRA).

4. Data Security and Storage Architecture

The Website uses a "Zero-Persistence" design to ensure the security of your information. Unlike traditional web applications, we do not use a database, and we do not write your information to your device's permanent storage.

• In-Memory Processing: All information you enter into the document generator is stored only in your browser's temporary memory (RAM). This data exists only while your specific browser tab is active.
• Automatic Data Destruction: Because we do not use Local Storage, Session Storage, or cookies to track your inputs, your data is automatically and permanently destroyed the moment you close the tab, refresh the page, or navigate away. No digital footprint of your session remains on your device or our infrastructure.
• No Server-Side Transmission: Your inputs are never sent to our servers or any third-party tools. The software logic required to build your document is downloaded once to your browser, and all processing happens locally on your device.
• Donation Record Retention: Transaction records associated with voluntary donations are retained in our Stripe account for seven years to meet Canadian financial recordkeeping and tax obligations under the Income Tax Act. Once that period has elapsed, records are deleted. You may request early erasure by contacting us at info@draftpolicy.com, noting that erasure may be limited where retention is required by law.
• Data Breach Protocol: Because of our Zero-Persistence architecture, we do not store your personal information, document text, or session data on our servers. In the event of a security incident affecting our infrastructure or Cloudflare, there is no user database or personal information for an attacker to access. In the event of a breach affecting donation records held in Stripe, we will notify affected donors directly at the email address associated with their transaction, and will report to the relevant supervisory authority where required by law.
• User Responsibility and Browser Auto-Fill: While our system does not store your data, your web browser may have Auto-Fill settings enabled that suggest previous entries. These settings are controlled entirely by your local device. For maximum privacy, we recommend using a private or Incognito window, especially when using a shared or public computer.
• Third-Party Links: Our resources include links to external websites such as government regulators and law societies. These sites operate independently and we are not responsible for how they handle data. We encourage you to review their policies when you visit them.
• Voluntary Support (Stripe): If you choose to support the Website with a donation, the transaction is handled entirely by Stripe as an independent data processor. We never see or store your credit card number or CVV. Stripe's handling of your payment data is governed by their own privacy policy and data processing terms.

5. Automated Decision-Making

We do not engage in automated decision-making or profiling as defined under GDPR Art. 22. In plain terms, this means we never use software to automatically evaluate, score, or classify you in a way that produces legal or similarly significant effects. This includes things like determining your eligibility for a service, pricing you differently based on inferred characteristics, or targeting you with advertising based on your behaviour.

Because the Website does not collect or retain any personal data from tool usage, automated profiling of our users is not technically possible. The only personal data we hold is limited to voluntary donation records in Stripe, which are used solely for financial recordkeeping and are never fed into any profiling or decision-making system.

6. Business Transfers

In the event of a merger, acquisition, or transfer of ownership of Sociable Studio, any limited personal data we hold may be transferred to the acquiring entity as part of that transaction. In practice, this affects only the voluntary donation records maintained in our Stripe account, as the Website itself holds no user database or personal information.

Should such a transfer occur, we will notify affected donors at the email address associated with their transaction prior to any transfer of their personal data. The receiving entity will be required to honour the terms of this Policy or provide donors with notice of any material changes before those changes take effect.

7. Children's Privacy and International Data Transfers

The Website is a professional utility designed for adults and business owners. We do not intentionally design our services to appeal to, or collect information from, minors.

Children's Privacy

The Website is intended for users who have reached the legal age of majority (18 years of age or older). Because our architecture prevents the collection of personal identifiers like names, emails, or physical locations, we do not knowingly collect or maintain data from children under the age of 13. If a minor utilizes the tool, simply closing the browser tab will immediately and permanently erase any information they may have entered from their device's memory.

International Users and Data Residency

We operate the Website from Toronto, Ontario, Canada.

• Global Infrastructure: While your documents are generated locally on your device, the initial request to load the Website is processed through Cloudflare's global network. This means technical metadata, such as your IP address, may be processed on servers located outside of your home country, including in Canada or the United States.
• Data Protection Standards: Canada is recognized by the European Commission as providing an "adequate level" of data protection. For users in the EU, UK, or Switzerland, this ensures that any technical metadata processed in Canada is handled with a level of care equivalent to that of the GDPR.

8. Modifications and Amendments

We reserve the right to update or replace this Policy at any time to reflect changes in our technical design, new legal requirements, or shifts in global standards. Any changes become effective immediately once they are posted on the Website.

• Notification: Because the Website operates on a Zero-Collection framework, we do not maintain a database of user contact information and cannot notify general visitors of updates directly. However, if you have made a voluntary donation, we may notify you of material changes to this Policy at the email address associated with your transaction.
• Your Responsibility: We encourage all users to check the "Last Updated" date at the top of this page periodically to stay informed of any changes.
• Acceptance of Terms: By continuing to use the Website after we post changes, you acknowledge and accept the revised Policy.
• Your Remedy: If you do not agree with the updated terms, your only remedy is to stop using the tool and close your browser session, which will immediately erase any active data from your device's memory.

9. Contact Information and Accountability

We are committed to being transparent about our privacy practices. If you have any questions or concerns about this Policy or how the Website handles your information, you may contact Sociable Studio through the following channels:

• By Email: info@draftpolicy.com
• Online: Visit our official studio website at sociablestudio.com

Accountability and Governance

Under global privacy frameworks, we have established clear lines of responsibility for your data protection:

• Data Controller: For the purposes of the GDPR and other international laws, Sociable Studio acts as the Data Controller for the technical metadata (such as IP addresses) processed when you load the Website.
• Privacy Officer: In accordance with Canada's PIPEDA, we have appointed a designated Privacy Officer. They are responsible for ensuring our "Zero-Collection" architecture is strictly maintained and for responding to any inquiries regarding our privacy governance. You may address any formal privacy requests to the Privacy Officer via the email address listed above.