Privacy Policy
Effective 4 March 2026
Draft.red (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy sets out the basis on which we process personal data in connection with your use of draft.red (the “Service”). Please read it carefully. If you do not agree with this policy, you should not use the Service.
We act as a data controller under the UK General Data Protection Regulation (“UK GDPR”), read together with the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (“EU GDPR”). We comply with the Data (Use and Access) Act 2025 (“DUAA 2025”) as it applies to our processing activities.
1. Who we are
The data controller for the Service is Draft.red. For privacy-related queries, contact us at privacy@draft.red or by post at the address provided in our contact page.
2. Personal data we collect
We collect the following categories of personal data:
| Data | How collected | Purpose |
|---|---|---|
| Email address | Registration | Account creation, service delivery, communications |
| Hashed password | Registration | Authentication (bcrypt; the plaintext password is never written to storage) |
| Subscription plan and billing history | User action / payment processor | Billing management, quota enforcement, plan access control |
| Payment card data | Payment processor only | We do not receive or store raw card data. Your card is handled by our payment processor under their privacy policy. |
| IP address | Automatic on service access | Security, fraud prevention, rate limiting, abuse detection |
| Session cookies | Automatic on login | Authentication session management (see Cookie Policy) |
| Analysis results (editorial commentary) | Generated by AI from your manuscript | Stored in your account so you can review, export, and compare findings across drafts |
| Manuscript content | User upload | Processed in memory only during analysis. Not stored on our servers after analysis completes. |
| Usage metadata (analysis counts, timestamps, tier) | Automatic | Quota tracking, service operation, aggregate product improvement |
3. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
Contract performance (Article 6(1)(b)): Account creation, service delivery, billing, session management, manuscript analysis. Processing is necessary to provide the service you have requested.
Legal obligation (Article 6(1)(c)): Retention of financial and billing records as required by HMRC and applicable tax law.
Legitimate interests (Article 6(1)(f)): Security monitoring, fraud and abuse prevention, and service integrity. We have conducted a Legitimate Interests Assessment (LIA) and determined our interests are not overridden by your rights, given the minimal privacy impact of security-oriented processing.
4. AI processing of your manuscript
The Service uses artificial intelligence to analyse manuscript content you upload. Your manuscript text is transmitted to an AI system for the purpose of generating editorial analysis. The AI reads your text and returns structured commentary. It does not generate replacement content, rewrites, or new creative material.
Your manuscript is not stored permanently. The text is held in working memory during the analysis process and is not written to persistent storage after analysis completes. Only the analysis results (the editorial commentary and findings) are stored in our database, linked to your account.
We do not use your manuscript content to train AI models. We do not share manuscript content with third parties beyond the sub-processors listed in section 5 who are involved in delivering the analysis.
The analysis performed by the AI does not constitute solely automated decision-making with significant legal effects under Article 22 UK GDPR. The output is editorial commentary. No binding decisions about you or your work are made based on the analysis.
5. Data sharing and sub-processors
We share personal data only as necessary to operate the Service. Current sub-processors include:
Cloud infrastructure provider (Railway): Hosts our database and application servers. Processes account data, analysis results, and usage metadata under a data processing agreement.
Payment processor: Processes payment card data and subscription billing. We do not receive or store raw card data.
Email service provider: Used to send account-related transactional email (password resets, service notifications). Processes your email address.
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
Where sub-processors are located outside the UK or EEA, transfers are safeguarded using the ICO International Data Transfer Agreement (“IDTA”) or Standard Contractual Clauses (“SCCs”), or are made to countries covered by UK adequacy regulations.
6. Data retention
7. Your rights under UK GDPR
You have the following rights in relation to your personal data. To exercise any of them, contact us at privacy@draft.red. We will respond within one calendar month.
Right to be informed
You have the right to be informed about how we use your personal data. This privacy policy fulfils that obligation.
Right of access (Subject Access Request)
You may request a copy of the personal data we hold about you. We will provide it in a structured, commonly used, machine-readable format where technically feasible.
Right to rectification
You may request correction of inaccurate personal data. Many data points (such as your email address) can be updated directly in your account settings.
Right to erasure
You may request deletion of your account and all associated personal data. We will comply subject to retention obligations under law (billing records are retained for 7 years as required by HMRC rules). Email us at privacy@draft.red to request erasure.
Right to restriction of processing
You may request that we restrict processing of your personal data while you contest its accuracy or object to our use of it.
Right to data portability
Where processing is based on contract performance (or consent) and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format. This applies to your account data and analysis results.
Right to object
You may object to processing based on legitimate interests. We will honour your objection unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right not to be subject to automated decision-making
We do not make any decisions about you that produce significant legal effects or similarly significant effects solely by automated means.
Right to complain
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
ico.org.uk | 0303 123 1113
EU-based users may also contact their national supervisory authority.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, or alteration. Passwords are hashed using bcrypt. Data in transit is encrypted using TLS. Our infrastructure is hosted on services with industry-standard security certifications. We cannot guarantee absolute security, and we encourage you to use a strong, unique password for your account.
9. Children’s data
The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a minor, we will delete it promptly. If you believe we have inadvertently collected data from a minor, contact us at privacy@draft.red.
10. Changes to this policy
We may update this policy from time to time. We will post any changes on this page and update the effective date at the top. For material changes, we will notify you by email to the address associated with your account. Continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy.
Questions? Contact us at privacy@draft.red.