Privacy
Operational summary — what is retained, what is not, and who processes it.
This page is the operational summary for engineers. The full, legally binding policy is at /legal/privacy.
What is never retained
- Prompt content. Request bodies are hashed and discarded after the upstream call completes.
- Completion content. Response bodies are hashed, signed into the receipt, and discarded.
- Training. Nothing you send is used to train models — not by Draftworks, and, under the Azure OpenAI data-processing terms, not by Microsoft or OpenAI.
What is retained
| Data | Purpose | Retention |
|---|---|---|
| SHA-256 hashes of request and response bodies | Signed receipts | Indefinite |
| Token counts (input, cached input, output) | Billing, receipts, usage dashboards | Indefinite |
| Request metadata (timestamp, endpoint, model id, key id, latency, status) | Billing, debugging, abuse prevention | Indefinite |
| Account data (email, hashed API keys, credit ledger) | Operating your account | Life of account |
A hash commits to content without revealing it: given only prompt_sha256, the prompt cannot be reconstructed. Given the prompt, anyone can confirm the hash matches. That asymmetry is what makes receipts possible without content retention.
store defaults to false
On the Responses API, OpenAI and Azure default store to true, persisting request and response content server-side for 30 days. Draftworks defaults it to false. Server-side conversation state (previous_response_id) therefore requires an explicit "store": true per request — an opt-in, never a surprise.
Subprocessors
| Subprocessor | Role | Sees prompt content |
|---|---|---|
| Microsoft Azure | Model inference | Yes, transiently, to run the model — under Azure OpenAI data-processing terms; not retained, not used for training |
| Vercel | API gateway and hosting | Transit only (TLS-terminated request handling) |
| Convex | Database — metadata, hashes, credit ledger | No |
| Stripe | Payments | No |
The authoritative subprocessor list, notification procedure for changes, and data-processing terms are in the full policy: /legal/privacy.