Privacy Policy

Last updated:

Privacy Statement

Draft Lift ("we," "us," "our," or the "Company") operates the Draft Lift platform at draftliftai.com and related mobile and online resources (collectively, the "Service"). In this Privacy Policy, "you" and "your" refer to any individual who accesses or uses the Service.

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit, use, or interact with our Service. It applies to information collected through our website, applications, and any other online or offline resources where this Privacy Policy is posted or referenced.

The Service is intended for users who are at least 18 years of age. By accessing or using the Service, you represent that you are at least 18 years old and agree to this Privacy Policy. If you do not agree, please do not access or use the Service.

Notice to California Residents: We collect categories of personal information as described in the "What We Collect" section below. For a full description of your rights under the California Consumer Privacy Act (CCPA), please see the "The California Consumer Privacy Act (CCPA)" section of this Privacy Policy.

Who We Are

Draft Lift is an AI-powered content generation platform that helps thought leaders create and repurpose professional content. For the purposes of the EU General Data Protection Regulation (GDPR), we are the "data controller" of the personal information we collect through the Service. For the purposes of the California Consumer Privacy Act (CCPA), we are a "Business" that collects, uses, and processes consumer personal information.

Who We Collect Personal Information From

We collect personal information from the following sources:

  • Users and customers: Individuals who create accounts, use the Service, subscribe to paid plans, or communicate with us.
  • Website visitors: Individuals who visit our website or interact with our online resources, even without creating an account.
  • Third-party vendors and partners: Authentication providers (Google, LinkedIn, GitHub), payment processors, and analytics services that provide information to us in connection with the Service.

As used in this Privacy Policy, "personal information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes the definitions of "personal data" under the GDPR and "personal information" under the CCPA.

What We Collect

Information You Voluntarily Submit

  • Account information: When you create an account via OAuth (Google, LinkedIn, or GitHub), we receive your name, email address, and profile picture from the authentication provider.
  • Content you create: Text content, memories (research notes and theses), reference materials, and templates you create or upload through the Service.
  • Payment information: When you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed directly by Stripe, our PCI-DSS compliant payment processor. We do not store your full credit card number or payment card details on our servers. We receive only a tokenized reference, card brand, last four digits, and expiration date for display purposes.
  • Communications and support: If you contact us for support, provide feedback, or otherwise communicate with us, we retain the content, date, and metadata of those communications.

Information Collected Automatically

  • Cookies and similar technologies: We use cookies and similar tracking technologies (described further in the "Cookies and Tracking Technologies" section below) to operate the Service and collect usage information.
  • Device information: Browser type and version, operating system, device type, screen resolution, and language preferences.
  • Log and network data: IP address, access times, referring URLs, pages visited, and error logs.
  • Usage data: Pages visited, features used, button clicks, time spent on pages, content generation interactions, and other behavioral data collected through PostHog analytics.
  • Local storage: We use browser local storage (IndexedDB) to save draft content on your device so you do not lose work in progress. This data stays on your device and is not transmitted to our servers.

How We Use Your Information

We process your personal information on the following lawful bases, as applicable: (a) performance of a contract with you (providing the Service), (b) your consent, (c) our legitimate interests (improving the Service, fraud prevention, security), and (d) compliance with legal obligations.

Specifically, we use the information we collect to:

  • Provide, operate, maintain, and improve the Service, including AI-powered content generation and conversion features.
  • Process transactions and manage your subscription, billing, and account.
  • Improve our AI models and content quality through our learning pipeline, using anonymized and aggregated data from content generation interactions.
  • Analyze usage patterns and trends through analytics to improve user experience and Service performance.
  • Send you service-related communications, such as cost alerts, account notifications, and product updates.
  • Send you marketing communications where you have opted in or where permitted by applicable law.
  • Detect, prevent, and address technical issues, fraud, abuse, or security incidents.
  • Comply with legal obligations, enforce our Terms of Service, and protect our rights, property, or safety and that of our users.

When and With Whom We Share Personal Information

We do not sell or rent your personal information to third parties. We may share your information in the following circumstances:

Third-Party Service Providers

We share information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your data. These providers include:

  • Supabase: Authentication, database hosting, and backend infrastructure.
  • Stripe: Payment processing and subscription management. Stripe is PCI-DSS Level 1 compliant. When you make a purchase, your payment information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy.
  • OpenAI: AI content generation. Content you submit for generation is sent to OpenAI's API for processing. We do not opt in to OpenAI using your data for model training.
  • PostHog: Product analytics and usage tracking to help us understand how the Service is used and improve the user experience.
  • Vercel: Frontend hosting and content delivery.
  • Sentry: Error monitoring and performance tracking to identify and resolve technical issues.
  • Render: Backend application hosting and infrastructure.

Legally Compelled Disclosures

We may disclose your personal information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests.

To Prevent Harm

We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms of Service, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation in which we are involved.

Business Transfers

If we are involved in a merger, acquisition, financing, bankruptcy, dissolution, reorganization, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your personal information.

Payments

All payment processing for the Service is handled by Stripe, a PCI-DSS Level 1 certified payment processor. When you subscribe to a paid plan or make a purchase, your payment card information is collected and processed directly by Stripe. We do not receive, store, or have access to your full credit card number, CVV, or other sensitive payment card details.

We receive only limited information from Stripe for record-keeping purposes, including a tokenized reference, the card brand, the last four digits of the card number, and the expiration date. For more information about how Stripe handles your payment data, please review Stripe's Privacy Policy.

Email Communications

We may send you the following types of email communications:

  • Service emails: Transactional emails related to your account, such as subscription confirmations, billing receipts, cost alerts, security notifications, and account activity. These emails are necessary for the operation of the Service and cannot be unsubscribed from while you maintain an active account.
  • Marketing emails: Promotional communications about new features, product updates, or offers. You may opt out of marketing emails at any time by clicking the "unsubscribe" link included in each email or by contacting us at support@draftliftai.com.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate, analyze, and improve the Service.

What Are Cookies?

Cookies are small text files placed on your device by a website when you visit it. They are widely used to make websites work more efficiently and to provide information to site operators. Web beacons (also known as "pixels" or "clear GIFs") are tiny transparent images embedded in web pages or emails that allow us to track whether content has been accessed.

How We Use Cookies

  • Essential cookies: Required for authentication, session management, and core Service functionality. These cannot be disabled without impairing the Service.
  • Analytics cookies: Used by PostHog to collect usage data, such as pages visited, features used, and interactions with the Service. These help us understand how the Service is used so we can improve it.

How to Opt Out

You can control or delete cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling essential cookies may prevent the Service from functioning properly.

You may also opt out of PostHog analytics tracking by using a browser extension that blocks tracking scripts or by enabling your browser's "Do Not Track" setting. See the "Opt-Out Preference Signals and Do Not Track" section below for more information.

Your Rights and Options

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete personal information.
  • Deletion: Request that we delete your personal information, subject to certain exceptions (such as legal obligations or ongoing disputes).
  • Data portability: Request a copy of your data in a structured, commonly used, machine-readable format.
  • Objection: Object to the processing of your personal information for certain purposes, including direct marketing.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at support@draftliftai.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

You may also delete your account and associated data at any time from your account settings within the Service.

The California Consumer Privacy Act (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. This section describes your CCPA rights and how to exercise them.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, IP address, account ID, and OAuth identifiers.
  • Commercial information: Subscription records, purchase history, and billing information (processed by Stripe).
  • Internet or other electronic network activity: Browsing history on the Service, usage data, device information, and interactions with the Service.
  • Professional or employment-related information: Information you voluntarily provide in content you create, such as professional titles or affiliations.
  • Inferences: Inferences drawn from the above categories to create a profile reflecting your preferences and usage patterns.

Your Rights Under the CCPA

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions permitted by law (such as completing a transaction, detecting security incidents, or complying with a legal obligation).
  • Right to correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing: We do not sell your personal information and have not sold personal information in the preceding 12 months. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying goods or services, charging different prices, or providing a different level of quality.

How to Exercise Your Rights

To exercise your rights, please contact us at support@draftliftai.com. We will verify your identity by matching the information you provide with the information we have on file for your account. If you use an authorized agent to submit a request, we may require proof of authorization and identity verification. We will respond to verifiable consumer requests within 45 days.

Virginia Residents

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with specific rights regarding your personal data. This section describes those rights and how to exercise them.

Your Rights Under the VCDPA

  • Right to access: You may confirm whether we are processing your personal data and access that data.
  • Right to correct: You may request correction of inaccuracies in your personal data.
  • Right to delete: You may request deletion of your personal data.
  • Right to data portability: You may obtain a copy of your personal data in a portable, readily usable format.
  • Right to opt out: You may opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

How to Exercise Your Rights and Appeal

To exercise your rights, please contact us at support@draftliftai.com. We will respond to your request within 45 days. If we decline your request, you may appeal our decision by contacting us at the same email address with the subject line "VCDPA Appeal." We will respond to your appeal within 60 days. If you are not satisfied with our response to your appeal, you may contact the Virginia Attorney General at oag.state.va.us.

The EU General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies to our processing of your personal data under the General Data Protection Regulation (GDPR).

Lawful Basis for Processing

We process your personal data on the following lawful bases:

  • Performance of a contract: Processing necessary to provide the Service to you and fulfill our contractual obligations.
  • Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights.
  • Consent: Processing based on your freely given, informed consent, such as for analytics and marketing communications. You may withdraw consent at any time.
  • Legal obligation: Processing necessary to comply with applicable laws and regulations.

Cross-Border Data Transfers

Your personal data may be transferred to and processed in the United States, where our servers and third-party service providers are located. When we transfer personal data outside the EEA, UK, or Switzerland, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

Your Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right to transparency and information: You have the right to be informed about how we collect and use your personal data, as described in this Privacy Policy.
  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data in certain circumstances.
  • Right to data portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to restriction and objection: You may request restriction of processing or object to processing of your personal data in certain circumstances, including processing based on legitimate interests or for direct marketing.

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates your rights under the GDPR.

Opt-Out Preference Signals and Do Not Track

Some browsers and browser extensions transmit "Do Not Track" (DNT) or Global Privacy Control (GPC) signals. We recognize and process GPC signals as valid opt-out preference signals where required by applicable law, including for California residents under the CCPA.

At this time, there is no universally accepted standard for how websites should respond to DNT signals. We will continue to monitor developments around DNT standards and update our practices as appropriate.

How We Protect Collected Personal Information

We maintain a comprehensive security program designed to protect your personal information from unauthorized access, use, alteration, disclosure, or destruction. Our security measures include:

  • Encryption: Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
  • Access controls: We enforce role-based access controls and the principle of least privilege to limit access to personal information to authorized personnel who need it to perform their job functions.
  • Infrastructure security: Our infrastructure providers (Supabase, Vercel, Render) maintain SOC 2 and other industry-standard compliance certifications.
  • Monitoring: We use error tracking and monitoring tools (Sentry) to detect and respond to anomalies and potential security incidents.
  • Incident response: We maintain an incident response process to promptly investigate and address security incidents, including notification procedures where required by law.

While we take reasonable measures to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. Specific retention practices include:

  • Active accounts: We retain your personal information for the duration of your account.
  • Account deletion: If you delete your account, we will delete your personal information within 30 days, except where we are required to retain it for legal, accounting, tax, or regulatory purposes.
  • Anonymized data: Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.
  • Usage and log data: Automatically collected usage and log data is retained for a shorter period (typically up to 12 months) and then deleted or anonymized.

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. In compliance with the Children's Online Privacy Protection Act (COPPA), if we learn that we have collected personal information from a child under 13, we will take steps to delete that information as promptly as possible.

If you believe that a child under 18 has provided us with personal information, please contact us immediately at support@draftliftai.com so that we can take appropriate action.

Changes to This Privacy Statement

We reserve the right to update or modify this Privacy Policy at any time. If we make material changes, we will notify you by posting the updated Privacy Policy on this page and updating the "Last updated" date at the top. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically for any changes. In the event of any inconsistency between the English version of this Privacy Policy and any translated version, the English version shall control.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

support@draftliftai.com

© 2026 Draft Lift. All rights reserved.