Privacy Policy

1. Introduction

This Privacy Policy describes how Anders Forge LLC, doing business as Draft BI (“we”, “us”, or “our”), collects, uses, and discloses information when you use the Draft BI website at draftbi.com and the Draft BI application (collectively, the “Service”).

We are committed to handling your personal information with transparency and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and UK GDPR for users in the European Economic Area (EEA) and United Kingdom, the Personal Information Protection and Electronic Documents Act (PIPEDA) for users in Canada, the Australian Privacy Act 1988 for users in Australia, and the California Consumer Privacy Act (CCPA/CPRA) for users in California. We use the data categories below as a common disclosure framework applicable to all users.

If you have questions about this policy, please contact us at privacy@draftbi.com.

2. What We Collect

We collect the following categories of personal information:

We do not collect precise geolocation data, biometric data, health or financial account data, Social Security numbers, government-issued IDs, or information about racial or ethnic origin.

3. How We Collect It

• Account registration — when you create an account, we collect your name and email address.
• Service use — when you use the Service, we collect data about your interactions with features (projects, themes, layouts, AI actions).
• Analytics — we use PostHog to collect usage events and session data. Analytics cookies are only placed with your consent where required by applicable law (see Section 8 — Cookies). PostHog is proxied through our own domain (/ingest/) to reduce ad blocker interference.
• Payment flow — when you subscribe to a paid plan, Polar (our Merchant of Record) collects your payment information. We receive confirmation of your subscription status but do not receive or store your payment card details.

4. Why We Collect It

• Identifiers — to create and manage your account, authenticate your sessions, and send service-related communications.
• Internet or Network Activity — to understand which features are used, diagnose issues, and improve the product experience.
• Commercial Information — to manage your subscription, apply the correct feature limits, and process billing through Polar.
• User-Submitted Content— to deliver AI-powered features (AI Wireframing, Model Studio) that process your content via our AI providers' APIs (Anthropic and Google AI).
• Inferences — to identify usage trends and improve product features over time.

5. Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR) and applicable national laws:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Draft BI service you have subscribed to, including account creation, authentication, and delivering AI-generated outputs.
• Legitimate Interests (Article 6(1)(f)): Processing for product analytics, security monitoring, fraud prevention, and service improvement. We have assessed that these interests are not overridden by your fundamental rights and freedoms. You may object to this processing at any time (see Section 12 — Your Privacy Rights).
• Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, including retention of records for tax or legal proceedings.
• Consent (Article 6(1)(a)): Where we use non-essential cookies or similar tracking technologies, we rely on your consent, which you may withdraw at any time through your cookie preferences.

For AI feature processing involving content you submit as prompts, we process this data under contract performance. We do not use your submitted content to train AI models.

6. Service Providers

We share personal information with the following service providers to operate the Service. All of these parties are service providers under contract — they process your data only for the specified business purpose and are not permitted to use it for their own marketing.

We do not sell or share your personal information with third parties for their own marketing purposes. All disclosures listed below are to service providers under contract.

Polar (Payment Processing)

We use Polar as our Merchant of Record for subscription billing. When you purchase a paid plan, we share your name, email address, and billing information (identifiers and commercial information) with Polar to process your payment. Polar acts as the seller of record and is an independent data controller for your payment card data — Draft BI does not receive or store your credit card details. View Polar's Privacy Policy.

PostHog (Product Analytics)

We use PostHog for product analytics. PostHog receives identifiers and internet or network activity (usage events, session data, IP address) to help us understand how the product is used. Analytics requests are proxied through our own domain — your data is not sent directly to PostHog servers from your browser. For users in the EEA and UK, analytics cookies are only placed with your consent. View PostHog's Privacy Policy.

Supabase (Database and Authentication)

We use Supabase as our database and authentication provider. Supabase stores your account information (identifiers) and the data you create in the Service — projects, canvas layouts, themes, and saved DAX measures (user-submitted content and customer records). View Supabase's Privacy Policy.

Vercel (Hosting and CDN)

The Service is hosted on Vercel. Vercel processes identifiers such as your IP address and request logs as part of serving web traffic. View Vercel's Privacy Policy.

Anthropic and Google AI (AI Feature Processing)

AI features in the Service (AI Wireframing and Model Studio) are powered by Anthropic (Claude) as the primary provider, with Google AI (Gemini) used as a failover provider when the primary provider is unavailable. When you use these features, the content you submit — such as TMDL schema text or DAX prompt descriptions (user-submitted content) — is sent to whichever provider handles your request at that time. We do not send personally identifiable account information to either provider as part of AI requests. Content is processed transiently to generate your AI response and is not stored or used to train models by either provider. View each provider's privacy policy: Anthropic Privacy Policy and Google Privacy Policy.

7. International Data Transfers

Draft BI is operated by Anders Forge LLC, based in the United States. When you use our Service from outside the United States, your personal data will be transferred to and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, UK International Data Transfer Agreements (IDTAs) or UK addenda to SCCs, as applicable. We have entered into Data Processing Agreements incorporating these safeguards with each of our sub-processors listed below.

Our key sub-processors and their primary data locations are:

You may request a copy of the applicable transfer safeguards by contacting us at privacy@draftbi.com.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Service and, with your consent where required, to analyze usage patterns.

• Essential cookies — required for authentication, security, and core Service functionality. These cannot be disabled without impairing Service operation. No consent is required for essential cookies.
• Analytics cookies — we use PostHog to understand how users interact with Draft BI. These cookies are non-essential. For users in the EEA, UK, and other jurisdictions where prior consent is required, analytics cookies are only placed after you have given your consent via our cookie consent banner.

You can manage your cookie preferences at any time by clicking the “Cookie Settings” link in our footer. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.

9. Data Retention

We retain your personal data for the following periods:

• Account data (name, email, profile): For the duration of your account, plus 90 days following account deletion to allow for recovery requests, then permanently deleted.
• Usage logs and analytics: 24 months from collection, then aggregated or deleted.
• AI prompt and output data: Not retained on our servers beyond your current session unless you explicitly save a project. Saved project content is retained for the duration of your account plus the 90-day recovery window.
• Billing records: 7 years from the transaction date to comply with US tax law and applicable international accounting requirements. Note that billing records are primarily held by Polar as Merchant of Record.
• Support communications: 3 years from the date of the last communication.
• Security and fraud logs: 12 months from collection.

Where retention is required by law (for example, financial records), data will be retained for the legally mandated period regardless of account status.

10. Security

We implement industry-standard security measures to protect your personal information, including encryption in transit (HTTPS) and access controls on our database. However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information.

11. Children

The Service is not directed at users under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at privacy@draftbi.com and we will take steps to delete it.

12. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@draftbi.com. We will respond within 30 days. EEA and UK users: we will respond within one calendar month as required by GDPR Article 12. We may need to verify your identity before fulfilling a request.

All Users

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data, subject to legal retention obligations.

EEA, UK, and Switzerland Users (GDPR / UK GDPR)

In addition to the rights above, you have the right to:

• Restriction: Request that we restrict processing of your data while a dispute is resolved.
• Portability: Receive your data in a structured, machine-readable format and transmit it to another controller.
• Object: Object to processing based on legitimate interests or for direct marketing. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds.
• Withdraw Consent: Where processing is based on consent (such as analytics cookies), withdraw that consent at any time without affecting the lawfulness of prior processing.
• Lodge a Complaint:File a complaint with your local supervisory authority. For EU users, this is the data protection authority in your member state. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.

California Users (CCPA/CPRA)

California residents have the right to:

• Know what personal information we collect, use, disclose, and sell.
• Delete personal information we have collected from you.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
• Non-discrimination for exercising your CCPA rights.

Canadian Users (PIPEDA)

Canadian residents have access and correction rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. To exercise these rights, contact us at privacy@draftbi.com. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Australian Users (Privacy Act 1988)

Australian residents have access and correction rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). You may also make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles.

Draft BI discloses personal information to overseas service providers as listed in Section 7. By using Draft BI, Australian users consent to this overseas disclosure to the extent that the overseas recipient is not subject to a law substantially similar to the APPs (APP 8.1).

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you via email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at: privacy@draftbi.com

Data Controller: Anders Forge LLC, doing business as Draft BI, Michigan, United States.