# Privacy Policy - DraftPolicy

**URL:** https://draftpolicy.com/privacy
**Last updated:** April 29, 2026
**Indexed:** No

This Privacy Policy explains how your information is handled by DraftPolicy (the "Website"), owned and operated by Sociable Studio, a registered business in Toronto, Ontario, Canada.

---

## Legal Disclaimer

DraftPolicy is a technical utility, not a law firm. We do not provide legal advice or create a lawyer-client relationship. Generated documents are templates that must be reviewed by a qualified legal professional in your jurisdiction before use.

## Scope and Agreement

This Policy applies only to this Website and its subdomains. By using the Website, you acknowledge this Policy and our Zero-Persistence technical framework. Your use is also governed by our Terms of Use at https://draftpolicy.com/terms. Together, these two documents form the complete agreement between you and us regarding your use of the Website.

---

## 1. How We Protect Your Data

This Website is a client-side utility. It works like a calculator: a tool you use locally, not a service that collects your information.

- **Everything stays on your device:** All processing happens inside your web browser. Data is stored only in your computer's temporary memory (RAM) and is never sent to our servers.
- **We cannot see your data:** We have no technical way to see, access, or retrieve any information you type. We cannot provide your data to anyone because we never have possession of it.
- **Instant deletion:** As soon as you close the browser tab, refresh, or end your session, all information you entered is immediately and permanently erased.
- **No tracking or transmission:** The Website does not use any background tools to track your inputs or mirror your data to any third-party services.

---

## 2. Information We Do Not Collect and Our Legal Basis

The Website is engineered to function without collecting Personal Data.

### A. Your Information (What Stays on Your Device)

We do not collect, store, or process any Personal Information or Personal Data. The following never reaches our servers: your name, email, phone number, or government identifiers; the answers and business details you enter into the generator; and the final text of any document you create.

### B. Payment and Donation Data

We do not process payments directly. Voluntary donations redirect to Stripe, our third-party payment processor, which acts as an independent data controller under their own Privacy Policy (stripe.com/privacy).

- **What Stripe collects:** Name, email, billing address, and payment details directly on their platform.
- **What we see:** Name, email, and billing details associated with your donation in our Stripe dashboard, used only to manage your donation or provide support.
- **Legal basis:** Contractual necessity (GDPR Art. 6(1)(b)), legal obligation (Art. 6(1)(c)) for financial recordkeeping and tax requirements, and legitimate interests (Art. 6(1)(f)).

### C. Technical Logs and Infrastructure Security

When you visit the Website, your browser shares basic technical details handled by Cloudflare, our infrastructure provider.

- **Technical metadata:** IP address, browser type, and time of visit. Processed on Legitimate Interests (GDPR Art. 6(1)(f)) as a technical necessity for site security.
- **Log retention:** We do not directly retain technical logs. Cloudflare retains security logs under their own retention policies (cloudflare.com/privacypolicy).
- **Cross-border processing:** Cloudflare operates globally; technical metadata may be processed outside your home country. Cloudflare relies on Standard Contractual Clauses (SCCs) for cross-border transfers.
- **Strictly necessary cookies:** Cloudflare may place security cookies (_cf_bm, cf_clearance) for bot detection and CAPTCHA. These do not track personal identity and do not require consent under applicable law.
- **Global Privacy Control (GPC):** The Website recognizes and honours GPC signals. Because our architecture prevents tracking by default, opt-out is technically pre-fulfilled for every visitor.

---

## 3. User Rights and Global Compliance

### A. Tool Usage (The Document Generator)

We hold no records from tool usage. To exercise your rights, simply close your browser tab or clear your cache. Because we hold no user database, we cannot fulfill a formal Access Request for tool usage.

### B. Voluntary Donations (Stripe)

If you have donated, a transaction record exists in our Stripe account.

- **Records we maintain:** Name, email, and billing details, retained to meet financial recordkeeping and tax obligations.
- **Your rights:** You may request access, rectification, or erasure of your donation record. Erasure may be limited where retention is required by law (e.g., tax records). Contact info@draftpolicy.com with your transaction ID.

### C. Technical Metadata (Infrastructure and Security)

Standard technical metadata is processed by Cloudflare for security purposes.

- **Legal basis:** Legitimate interests (GDPR Art. 6(1)(f)) in defending against cyber-attacks and ensuring uptime.
- **How to limit this:** You may use a VPN or a privacy-focused browser to mask your IP address.

### D. California Residents (CCPA/CPRA)

We do not sell, rent, or share personal information. We do not collect any categories of personal information directly through the Website. California residents retain all CCPA/CPRA rights, including the right to know, delete, and opt out of sale - though no sale occurs.

### E. Supervisory Authority Complaints

If you believe your data protection rights have been violated, you may contact:
- **Canada:** Office of the Privacy Commissioner (priv.gc.ca)
- **EU:** Your national data protection authority
- **UK:** Information Commissioner's Office (ico.org.uk)
- **United States:** Federal Trade Commission (ftc.gov) or your state attorney general

### Exercising Your Rights

Contact our Privacy Officer at info@draftpolicy.com. For donation-related requests, include your transaction ID. We respond within the timeframe required by your applicable law: typically 30 days (GDPR/PIPEDA) or 45 days (CCPA/CPRA).

---

## 4. Data Security and Storage Architecture

The Website uses a Zero-Persistence design.

- **In-memory processing:** All information is stored only in your browser's temporary memory (RAM), existing only while your browser tab is active.
- **Automatic data destruction:** Because we do not use Local Storage, Session Storage, or cookies to track your inputs, your data is destroyed the moment you close the tab, refresh, or navigate away.
- **No server-side transmission:** Your inputs are never sent to our servers. Software logic is downloaded once to your browser and all processing happens locally.
- **Donation record retention:** Transaction records are retained in our Stripe account for seven years to meet Canadian financial recordkeeping and tax obligations under the Income Tax Act.
- **Data breach protocol:** Our Zero-Persistence architecture means there is no user database for an attacker to access. In the event of a breach affecting donation records in Stripe, we will notify affected donors directly and report to the relevant supervisory authority where required by law.
- **Browser auto-fill:** Your browser may have Auto-Fill settings that suggest previous entries. For maximum privacy, use a private or Incognito window, especially on shared or public computers.

---

## 5. Automated Decision-Making

We do not engage in automated decision-making or profiling as defined under GDPR Art. 22. We never use software to automatically evaluate, score, or classify you in a way that produces legal or similarly significant effects. Because the Website does not collect or retain any personal data from tool usage, automated profiling is not technically possible.

---

## 6. Business Transfers

In the event of a merger, acquisition, or transfer of ownership of Sociable Studio, any limited personal data we hold - in practice, only voluntary donation records in Stripe - may be transferred to the acquiring entity. We will notify affected donors before any transfer of their personal data occurs.

---

## 7. Children's Privacy and International Data Transfers

The Website is intended for users aged 18 and older. We do not knowingly collect or maintain data from children under 13. If a minor uses the tool, closing the browser tab immediately and permanently erases any information entered.

**International users:** We operate from Toronto, Ontario, Canada. Technical metadata may be processed through Cloudflare's global network on servers outside your home country. Canada is recognized by the European Commission as providing an adequate level of data protection for EU, UK, and Swiss users.

---

## 8. Modifications and Amendments

We reserve the right to update this Policy at any time. Changes are effective immediately upon posting. Because we do not maintain a user contact database, we cannot notify general visitors directly. If you have donated, we may notify you of material changes at the email address associated with your transaction.

By continuing to use the Website after changes are posted, you acknowledge and accept the revised Policy.

---

## 9. Contact Information and Accountability

- **Email:** info@draftpolicy.com
- **Online:** sociablestudio.com

**Data Controller:** Sociable Studio acts as Data Controller for technical metadata processed when you load the Website.

**Privacy Officer:** In accordance with PIPEDA, we have appointed a designated Privacy Officer responsible for maintaining our Zero-Collection architecture and responding to privacy inquiries. Address formal privacy requests to info@draftpolicy.com.

---

**Part of DraftPolicy** - [draftpolicy.com](https://draftpolicy.com)
**Operated by** Sociable Studio, Toronto, Ontario, Canada
**Contact:** info@draftpolicy.com