Privacy Policy

Last updated: 2/14/2026

Controller & Data Protection Contact

Controller: draft.
Address: Bei den Mühren 1, 20457 Hamburg, Germany
Data Protection Contact: privacy@draft.social

Introduction

This Privacy Policy describes how we collect, use, and protect your information when you use our social media planning application. By using our service, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Personal Information

  • Name and email address when you create an account
  • Profile information from connected social media accounts
  • Content you create, schedule, or publish through our platform

Social Media Data

Instagram

  • Account identifiers and profile information (e.g., username, profile picture) needed to link your account
  • Media objects and captions you create, schedule, or publish through draft. for the purpose of post creation, scheduling, publishing, and analytics
  • Insights and metrics (e.g., impressions, reach, profile views, followers, engagement) used to display performance analytics

Pinterest

  • Boards and pins you choose to import or schedule, used to manage content, drafts, and scheduled posts
  • Basic engagement and performance metrics used for analytics and reporting

We do not access, store, or process private messages, private media, or personal conversations from connected social media accounts.

Usage Information

  • How you interact with our application
  • Features you use most frequently
  • Device and browser information
  • IP address and location data

How We Use Your Information

  • To provide and improve our social media planning services
  • To schedule and publish your content across connected platforms
  • To generate analytics and insights about your content performance
  • To personalize your experience and recommend relevant features
  • To communicate with you about your account and our services
  • To ensure the security and integrity of our platform

Data Storage and Security

We use Supabase (PostgreSQL) for data storage and authentication. We apply reasonable technical and organizational measures to protect data:

  • Encryption in transit
  • Access controls and least-privilege practices
  • Authenticated access to user data

Third-Party Services

We integrate with the following third-party services:

  • Instagram API: For content publishing and analytics
  • Pinterest API: For board management and pin scheduling
  • Stripe: For payment processing (if applicable)
  • Supabase: For secure data storage and authentication

All third-party integrations comply with their respective privacy policies and terms of service.

Legal Bases (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) for providing the Service (account, scheduling, analytics).
  • Consent (Art. 6(1)(a)) for connecting social accounts & publishing on your behalf.
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, product improvement.

Where processing is based on your consent, you may withdraw that consent at any time by disconnecting the relevant social media account or requesting data deletion.

Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • To protect our rights, property, or safety
  • With service providers who assist in our operations (under strict confidentiality agreements)

Your Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete information
  • Erasure: Request deletion of your personal data (see Data Deletion)
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain types of data processing

You can exercise these rights by contacting us at contact@draft.social or by visiting our Data Deletion page. See our Terms of Service for more information. You also have the right to lodge a complaint with a supervisory authority.

Meta/Instagram Scopes & Fields

Default scopes we request (Instagram Graph via Meta): pages_show_list, pages_read_engagement, instagram_basic, instagram_manage_insights, instagram_content_publish.

Optional scope (only in edge cases, not requested by default): business_management — requested only when enabled via environment flag (e.g. META_INCLUDE_BUSINESS_MANAGEMENT=1).

Data pulled: account id/username, followers_count; insights metrics such as impressions, reach, and profile_visits.

Publishing endpoints: /{ig_user_id}/media, /{ig_user_id}/media_publish, /{ig_media_container_id}?fields=status_code (Graph API v24.0).

Processors/Recipients

  • Vercel (hosting)
  • Supabase (DB/storage/auth)
  • Meta Platforms (Instagram Graph API)
  • Email provider

All of these operate under appropriate DPAs / SCCs.

Data Retention

We retain personal information only as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. You can disconnect social accounts and request deletion at any time (see /data-deletion). We may retain limited data where required for legal, security, or operational reasons.

Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyze usage patterns, and improve our services. You can control cookie settings through your browser preferences. Some features may not function properly if cookies are disabled.

International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure that such transfers comply with applicable data protection laws and implement appropriate safeguards (e.g., SCCs) to protect your personal information.

Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child has provided us with personal data, please contact us so that we can delete such information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: contact@draft.social

Response Time: We will respond to your inquiry within 48 hours.