Privacy Commitments

Specific commitments. Not vague promises.

Last updated: June 7, 2026

Who we are

Draftrow is operated by 17145608 Canada Inc., a corporation incorporated under the laws of Canada, carrying on business as AQM Hub, located in Whitby, Ontario, Canada. For privacy questions, contact privacy@draftrow.com or call 416-570-3433. We process personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

How privacy works on Draftrow

Draftrow is a tool that service business operators use to manage customer inquiries. Privacy on the platform has three roles:

You, the operator. You are the data controller. You decide what customer conversations to process and what bookings to save. Your obligations to your customers under privacy laws remain your obligations. We provide the technical infrastructure; you maintain the customer relationship.

Draftrow, the processor. We process the conversations you paste or upload. We extract booking details using AI (Anthropic Claude). We store the structured bookings you save. We do not contact your customers, market to them, or use their information for any purpose other than fulfilling your requests.

Your customers, the data subjects. They have rights under the privacy laws that apply where they live. Most commonly: the right to access their information, the right to correct it, the right to ask for deletion, the right to know how it is being used. They exercise these rights through you, their service provider, not through Draftrow directly.

This structure is the same as how you use QuickBooks for invoicing, Stripe for payments, or Google Workspace for email. Draftrow is one of the tools you use to run your business.

Implied consent and reasonable use

When a customer sends you a Messenger inquiry asking about renting chairs, photographing their wedding, or pressure washing their driveway, they are voluntarily disclosing information for a commercial purpose. Under PIPEDA's reasonable person standard and similar frameworks in other jurisdictions, customers reasonably expect that:

  1. You will read and respond to their message
  2. You will record their booking details in some form (calendar, app, notebook)
  3. You will use ordinary software tools (calendars, spreadsheets, payment processors, scheduling apps) to manage their booking
  4. You may use modern tools, including AI-assisted ones, to help you process their inquiry efficiently

This means Draftrow does not require you to obtain separate consent from each customer before processing their conversation. The implied consent from their voluntary business inquiry is sufficient, the same way it is sufficient when you use a spreadsheet or invoicing tool.

What you should still do as a responsible operator:

  1. Have a privacy notice on your business profile, website, or pricing sheet explaining that you use software tools to manage bookings and customer information
  2. Use customer information only for the original purpose (fulfilling their service request)
  3. Honor customer requests to access, correct, or delete their information
  4. Don't share customer information with parties not involved in fulfilling the service

We provide a free Operator Privacy Notice template at /resources/privacy-notice-template that you can adapt for your business.

Data flow

Text path

You paste text
Sensitive IDs redacted
AI extracts booking
Text discarded

Chat file path (.txt)

Upload .txt file
Sensitive IDs redacted
AI extracts booking
File discarded

Screenshot path

Strip EXIF (browser)
Validate + strip EXIF (server)
AI vision extraction
Image discarded

SMS path (optional integration)

Customer texts your number
Twilio webhook
24h Redis buffer
You extract booking
Buffer cleared

Email path (optional integration)

Customer emails you
You forward to Draftrow address
24h Redis buffer
You extract booking
Buffer cleared

Public booking form path (optional)

Customer fills form
Bot check (Turnstile)
PII encrypted
Draft booking created
You review and confirm

Our commitments

Conversation text is not stored by default

After extraction, the conversation is dropped from our servers. Only the structured booking fields are saved. If you enable "Store conversation text" in Settings, the text is stored encrypted (AES-256-GCM) for up to 14 days for draft review, then automatically deleted.

We encrypt customer information at rest

Customer names, phone numbers, addresses, and notes are encrypted using AES-256-GCM. Decryption is audit-logged.

We use AI providers that do not train on your data

Conversation content is sent to Anthropic (primary) or OpenAI (fallback) for extraction. No other third party receives conversation content. Both operate under no-training commercial API policies. Anthropic retains data for up to 30 days for safety review, then deletes it. We are pursuing Zero Data Retention with Anthropic.

We redact financial identifiers before AI processing

Credit card numbers, government IDs, and similar patterns are stripped from the conversation text before it reaches our AI provider.

Logs never include your conversation

Our server logs strip conversation text automatically. Error reports also exclude request bodies from the extraction endpoint.

Decryption is always logged

Every time customer PII is decrypted from the database, an entry is written to the audit log with your user ID, the resource, and timestamp.

You can delete your account anytime

30-day recovery window, then permanent deletion of your data including bookings, extractions, and audit logs. Export from Settings anytime.

Facebook Page Messaging uses your Business Page only

If you connect a Facebook Business Page, Draftrow receives messages sent to that Page. We have no access to your personal Facebook profile, friends, or timeline.

SMS and email messages are ephemeral

Inbound SMS texts and forwarded emails are buffered in memory (Redis) for up to 24 hours. They are never written to our database in raw form. Once you extract a booking from a message, the buffer is cleared.

Public booking form submissions are transparent

Customers who submit your public booking page know they are contacting a service business. Their submitted details are encrypted at rest using the same AES-256-GCM encryption as all other customer PII.

What data we collect

CategoryWhatPurpose
Account dataName, emailAuthentication, billing, support
Business dataInventory, pricing rules, booking historyCore product functionality
Customer PIINames, phones, addresses, notes extracted from conversationsSaved bookings (encrypted at rest)
Conversation textThe raw text you pasteNot persisted by default. If you enable "Store conversation text" in Settings, stored encrypted for draft review and deleted after 14 days or when draft is resolved.
Usage dataPage views, feature usage, error logsProduct improvement (no personal identifiers in logs)
Payment dataBilling details via StripeSubscription management (Stripe is the processor. We do not see card numbers.)

How long we keep it

Account data
While your account is active, then 30 days after deletion
Business data
Same as account data
Customer PII (in bookings)
Same as account data. Deleted with the booking on soft-delete plus 30 days.
Conversation text
Not persisted by default. If storage is enabled: encrypted at rest, deleted after 14 days or on draft resolution, whichever comes first.
Usage data
90 days
Audit log entries
1 year

Screenshots

If you upload a screenshot of a conversation, here is exactly what happens:

  1. 1Your browser strips EXIF metadata (including GPS coordinates from photos taken with your phone) before upload begins.
  2. 2The image is resized and compressed locally to reduce file size.
  3. 3The image is sent over TLS to our server.
  4. 4Our server validates the image and strips EXIF again as a defense-in-depth measure.
  5. 5The image is sent to Anthropic for extraction under their commercial API policy.
  6. 6Anthropic returns the structured booking details.
  7. 7Our server discards the image. It is never written to disk, logs, or backups.
  8. 8Only the structured fields you confirm are saved (encrypted at rest, same as text extractions).
Anthropic processes images under the same data policy as text: no training, 30-day retention, then deletion. We are pursuing Zero Data Retention which would eliminate the 30-day window.

Who we share data with (subprocessors)

SubprocessorPurposeLocationData shared
AnthropicAI extraction (primary)USAConversation text (transient)
OpenAIAI extraction (fallback)USAConversation text (transient)
Meta (Facebook)Page Messaging (optional — only if you connect a Facebook Page); outgoing replies via Send API (optional, per-Page opt-in)USAPage ID, message text (transient, 24h Redis buffer); outgoing reply text when you explicitly send
ClerkAuthenticationUSAName, email
StripePayment processingUSA/IrelandBilling details
TwilioSMS inbound (optional — only if you provision an SMS number)USAPhone number, message text (transient, Redis buffer)
ResendTransactional email + inbound email forwarding (optional)USAEmail address, message content (transient for inbound, persisted for outbound)
NeonDatabase hostingUSAEncrypted business data
VercelApplication hostingGlobalAggregate usage logs
SentryError trackingUSAError messages (PII stripped)
UpstashRate limitingUSAIP addresses (hashed)

AI provider data policies

We use Anthropic as our primary AI provider. Anthropic processes commercial API inputs and outputs under their commercial data policy: no training on customer data by default, 30-day retention for trust and safety review, then deletion. Flagged content may be retained up to 2 years for policy enforcement. Safety classification scores may be retained up to 7 years. We are pursuing Zero Data Retention which would eliminate the 30-day retention window.

If Anthropic is unavailable, we fall back to OpenAI. OpenAI does not train on API data by default. OpenAI may log API requests for abuse monitoring for up to 30 days, after which they are deleted unless required to be retained for legal or service-protection reasons.

Facebook Page Messaging (optional integration)

If you choose to connect a Facebook Business Page, Draftrow receives messages sent to that Page via Meta's Messenger Platform API. This integration is optional and requires your explicit authorization through Meta's OAuth flow.

Messages are buffered in Redis (Upstash) for up to 24 hours. They are never written to our Postgres database. After you review and save a booking draft, the buffer for that sender is cleared. If you do not review within 24 hours, the messages expire automatically.

We request only the minimum permissions required: pages_show_list, pages_messaging, and pages_manage_metadata. We do not access your personal Facebook profile, friends list, timeline, or any other data outside your Business Page messages.

Your Page access token is encrypted at rest using AES-256-GCM before being stored in our database. It is decrypted only when needed to authenticate with Meta's API.

You can disconnect your Page at any time from Settings → Integrations. When you disconnect, Draftrow immediately unsubscribes from your Page's webhooks and marks the connection as inactive. The 24-hour buffer for any unreviewed messages will still expire on schedule.

Sending replies via your Page (optional)

If you enable “Allow replies via Send API” for a connected Page (Settings → Integrations), Draftrow can send messages to your customers on your behalf via Meta's official Send API. Here is exactly what happens:

  • Opt-in per Page. You explicitly enable this per Page. The default is off.
  • Confirmation per send. Every “Send reply” click opens a confirmation modal showing the exact text to be sent. The send only happens after you confirm. There is no “send without confirming” option.
  • No auto-send. Draftrow never sends a reply automatically. Cron jobs, webhooks, and background processes cannot trigger a send.
  • 24-hour messaging window. Meta restricts replies to within 24 hours of the customer's last message. If the window has expired, the send button is disabled.
  • Audit log. Every send is recorded in our page_reply_log table with encrypted message text, timestamp, send status, and any failure information. You can request your audit log at any time.
  • Failure fallback. If the send fails, we show you the message text so you can send it manually via Messenger.

Your customers' rights

Your customers have rights under privacy laws including PIPEDA (Canada), GDPR (European Union and UK), CCPA (California), and similar frameworks elsewhere. These rights generally include:

  • Right to access: Your customers can ask what information you hold about them
  • Right to correct: They can ask you to fix incorrect information
  • Right to delete: They can ask you to delete their information
  • Right to object: They can object to certain processing
  • Right to portability: They can ask for their information in a portable format
  • Right to know: They can ask how their information is used and who has access

Because Draftrow is your processor, your customers exercise these rights through you, not directly with us. When a customer asks you for any of these, you handle it within Draftrow:

  • Access: Show them the booking record you have, or export it as CSV
  • Correction: Edit the booking record
  • Deletion: Delete the booking. This triggers a 30-day soft delete followed by permanent hard delete from our databases.

If you receive a complex request you cannot handle yourself (for example, a customer requesting a Subject Access Request under GDPR with a tight deadline), email us at security@draftrow.com and we will help you respond appropriately.

Your responsibility for customer data

When you paste a conversation into Draftrow, you may be processing personal information that belongs to your customer. As the service operator, you are responsible for ensuring you have a lawful basis to process this information. Typically this is established because the customer initiated contact to inquire about your services.

We recommend you do not paste:

  • Conversations from customers who have asked you to delete their information
  • Conversations containing payment card details or government IDs (we redact these before AI processing, but you should not transmit them)
  • Conversations from customers who are minors without parental consent

GDPR rights (for EU residents)

If you or any of the customers whose information you process is located in the European Union or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply.

  • Legal basis: We process personal information on behalf of operators who have a legitimate interest in operating their business or who have obtained implied consent from their customers. We do not process personal information for our own marketing or profiling.
  • International transfers: Customer information is stored and processed in the United States (AWS us-east-1). Our database (Neon), rate limiting and message buffer (Upstash), application hosting (Vercel), and AI extraction (Anthropic, OpenAI) are all operated in the United States. The company is incorporated in Canada, but no infrastructure resides there. All United States sub-processors with whom personal data is shared operate under Standard Contractual Clauses (SCCs) for transfers of European personal data.
  • Data Protection Officer: As a small operator, we do not have a designated Data Protection Officer. Privacy inquiries should be sent to security@draftrow.com.
  • Your rights: EU residents have all the rights listed above (access, correction, deletion, objection, portability, knowledge). They can be exercised through the operator (data controller) or directly with us by emailing security@draftrow.com.
  • Right to complain: EU residents have the right to file complaints with their national data protection authority if they believe their rights have been violated.

We are not currently established in the EU and do not target EU operators specifically. If you are an EU-based operator considering Draftrow, please contact us first so we can confirm our service is appropriate for your jurisdiction.

Data Processing Agreement

Operators who require a formal Data Processing Agreement (for their own compliance documentation or for their customers' regulatory requirements) can request one by emailing privacy@draftrow.com. We provide a standard DPA template at no charge for all Pro and Hibernation tier customers.

The DPA establishes:

  • The controller/processor relationship between you and Draftrow
  • The scope and purpose of data processing
  • Categories of personal information processed
  • Subprocessor disclosures (Anthropic, Stripe, Resend, Sentry, Neon, Vercel, Upstash, Clerk, Meta)
  • Security measures applied
  • Breach notification procedures
  • International transfer mechanisms (if applicable)

You can also view the DPA template publicly at /resources/dpa-template.

What we don't store

When you paste a conversation, upload a screenshot, or upload a WhatsApp chat export (.txt file), the input is processed entirely in memory. After extraction completes and the response returns to your browser, the input is discarded. Specifically:

  • The pasted conversation text is never written to disk
  • The uploaded image bytes are never written to disk
  • The uploaded chat file contents are never written to disk
  • None of these are written to log files, error reports, or backups
  • The structured output is only saved if you click Save Booking
  • If you discard an extraction, no record persists beyond the metadata (token count, cost, confidence)

Your rights

You can:

  • Access all data we hold about you (export from Settings → Your data)
  • Correct any inaccurate data (edit bookings directly or contact us)
  • Delete your account and all associated data (30-day recovery window)
  • Object to processing or withdraw consent (close your account)
  • File a complaint with the Office of the Privacy Commissioner of Canada

Security breach notification

If we experience a breach of security safeguards that poses a real risk of significant harm to you, we will notify you as soon as feasible. We maintain records of all breaches per PIPEDA requirements.

Children's privacy

Draftrow is not directed at children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it. If you believe a child has provided us with personal information, contact us at privacy@draftrow.com.

Changes to this policy

We will notify you by email of material changes at least 30 days before they take effect.

Contact

Privacy questions: privacy@draftrow.com
Security issues: security@draftrow.com
Full security details: /security

Privacy Commitments | Draftrow