Privacy Policy

The data controller for the Drafty service is BRIAN MCCALLUM DRAUGHTING LIMITED (Company № SC333546), registered at 9 Mount Annan Court, Bishopbriggs, Glasgow, G64 2FA, Scotland. We do not have a separate Data Protection Officer; for any privacy request, write to support@brianmccallumdraw.com.

We deliberately collect the minimum needed to draw your gardens. Specifically:

• Account data: email address, hashed password (or OAuth identifier), display name.
• Patch data: prompts you write, photos you upload, plans we generate, reels we render. You own this data; we keep it so you can return to it.
• Billing data: handled by Stripe, our payment processor. We see plan, billing country, and last four digits of the card; we never see full card numbers.
• Usage data: pages visited, features used, anonymised performance data (errors, load times). Used to improve the product.
• Device & log data: IP address, browser, operating system, timestamps. Used for security and abuse prevention.

• To provide the service: drafting plans, rendering reels, billing, supporting you.
• To keep the service safe: detecting fraud, preventing abuse, complying with legal requests.
• To communicate: transactional emails (receipts, plan changes), and — only if you opted in — occasional product updates.
• To improve Drafty: aggregated, anonymised analytics that cannot be traced back to you.

• Contract: account creation, plan delivery, billing.
• Legitimate interests: service improvement, fraud prevention, security logging — balanced against your rights.
• Consent: marketing emails, non-essential cookies. You can withdraw consent any time.
• Legal obligation: tax records, law-enforcement requests we are legally required to honour.

We share data only with carefully chosen sub-processors, contractually bound to GDPR-equivalent terms:

• Stripe (USA, Ireland) — payment processing.
• Supabase (USA, EU regions) — database and authentication storage.
• Vercel (USA) — hosting and content delivery.
• AI inference partners — model providers used to render plans and reels. Inputs are sent for generation only and are not retained for training.

International transfers from the UK / EU rely on Standard Contractual Clauses (SCCs) and / or UK Addendum.

• Patch data: retained while your account is active. You can delete plans and reels from /app/billing; deletion is final after 30 days.
• Account data: retained for as long as you have an account, then anonymised within 30 days of closure.
• Billing records: retained for 7 years to satisfy UK tax law.
• Server logs: 90 days, then aggregated.

Under UK / EU GDPR and CCPA, you have the right to:

• Access a copy of your data.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent at any time.
• Lodge a complaint with the UK ICO (ico.org.uk) or your local data protection authority.

California residents additionally have the right to know what information is collected, to opt out of "sale" of personal information (we do not sell), and to non-discrimination for exercising rights.

To exercise any right, email support@brianmccallumdraw.com. We respond within 30 days.

Drafty is not directed at children under 16. We do not knowingly collect data from children under 16; if you believe a child has provided us with data, contact us and we will delete it.

Patch data is encrypted in transit (TLS 1.2+) and at rest. We follow the principle of least privilege inside our team. We will notify affected users without undue delay if a personal-data breach occurs and will report qualifying breaches to the ICO within 72 hours.

If we make material changes we will notify you by email and at the top of this page at least 14 days before the new version takes effect. The current version is dated 2026-05-06.