Privacy Policy

Last updated: February 2026

1. Our Data Minimisation Principle

PolicyDraft.org is committed to collecting and storing the absolute minimum amount of personal information necessary to operate the platform. We do not collect data for advertising, profiling, or any purpose beyond running the service.

2. Personal Information We Collect

We collect only what is strictly required for your account to function:

  • Email address — used for authentication, password resets, and essential platform notifications (e.g. invitation links)
  • Password — stored only in irreversibly hashed form (bcrypt); we never store or have access to your plaintext password
  • Display name (optional) — shown alongside your contributions if you choose to provide one

We do not collect phone numbers, physical addresses, payment information, government IDs, or any other personal identifiers.

3. Collaborative Content (Nodes, Edges, Thematics)

The core of PolicyDraft.org is collaborative knowledge — nodes, edges, thematics, merge proposals, publications, and related data that users create together. This content is:

  • Retained for collaboration: Collaborative content is stored indefinitely to maintain the integrity of the shared knowledge graph, even if your account is deleted (in which case it is anonymised)
  • Visible to other users: Depending on thematic privacy settings, your contributions may be visible to other platform users
  • Not treated as personal data: Nodes, edges, and thematic content are considered collaborative contributions to a shared knowledge base, not personal data belonging to any single user

Important: You should not include sensitive personal information (e.g. your address, health details, financial data, or information about identifiable individuals) in node titles, descriptions, edge labels, or any other collaborative content. PolicyDraft.org accepts no responsibility or liability for personal information that users voluntarily include in collaborative content. By contributing, you acknowledge that such content may be viewed, edited, merged, or published by other users and AI-assisted processes.

4. How We Use Your Information

Your personal information (email and name) is used solely to:

  • Authenticate you and manage your account session
  • Send essential transactional communications (password resets, invitation links, waiting list updates)
  • Attribute contributions to your account within the platform
  • Comply with legal obligations

We do not use your personal information for marketing, advertising, analytics profiling, or sale to third parties.

5. Data Sharing

We do not sell, rent, or trade your personal data. We may share your information only:

  • With your explicit consent
  • To comply with a legal obligation, court order, or law enforcement request
  • With infrastructure providers who host and operate the platform (e.g. cloud hosting, email delivery), under strict confidentiality obligations and solely for service delivery

6. AI Processing

PolicyDraft.org uses AI services (e.g. OpenAI) to suggest node merges, propose connections, and assist with content analysis. When AI processing occurs:

  • Only collaborative content (node text, edge labels, thematic context) is sent to AI services — never your email, password, or account credentials
  • We use API-based services configured not to train on your data

7. Your Rights (GDPR)

You have the right to:

  • Access: Request a copy of your personal data via the Data Export feature on your Account Settings page
  • Rectification: Update your email or name at any time through your account
  • Erasure: Delete your account, which anonymises your personal data; collaborative content is retained in anonymised form
  • Portability: Export your data in JSON format
  • Objection & Restriction: Contact us to object to or restrict processing

8. Data Security

We implement appropriate measures to protect your data:

  • Passwords hashed with bcrypt (irreversible)
  • All traffic encrypted via HTTPS
  • JWT-based session tokens with expiry
  • Role-based access controls

9. Data Retention

  • Personal data (email, name) is retained while your account is active. Upon account deletion, personal data is anonymised within 30 days.
  • Collaborative content (nodes, edges, thematics) is retained indefinitely in anonymised form after account deletion to preserve the integrity of the shared knowledge graph.

10. Cookies & Local Storage

We use only essential browser storage for authentication tokens and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of the platform after changes constitutes acceptance.

13. Contact Us

If you have questions about this privacy policy or wish to exercise your rights, please contact us through your Account Settings or via the platform.