Privacy Policy
Last updated: July 7, 2026
We do not train models on your data. We do not monitor, read, or store the content of your prompts or responses. What passes through the API stays yours.
1. What we never collect
Prompt and response content is proxied to the inference backend and discarded. It is not written to our database, not written to logs, not sampled for quality review, and not used to train or fine-tune any model, ours or anyone else's. No employee or system of ours reads your traffic.
The only trace of a request's content that we keep is a SHA-256 hash of the raw request and response bodies. A hash cannot be reversed into content; it exists so that signed receipts can prove what was served.
2. What we store
- Account data. Email address, name, and a password hash. We never store plaintext passwords.
- API keys. Keys are shown once at creation and stored only as hashes. We cannot recover a lost key.
- Per-request metadata. Token counts (input, cached input, output), timestamps, latency measurements, request IDs, and the SHA-256 hashes of request and response bodies used for receipts.
- Billing records. Credit purchases, usage deductions, and invoice history.
3. The store parameter
On the Responses API, the store parameter defaults to false on Draftworks. OpenAI and Azure default it to true; we flip that default so nothing is retained unless you ask for it.
If you explicitly set store: true, the conversation state for that request is retained by Microsoft Azure to power previous_response_id. That retention happens on Azure's side under Microsoft's data policies, not in our systems.
4. Subprocessors
Four third parties process data on our behalf. Honestly stated, this is where your data actually goes:
| Subprocessor | Purpose | Data handling |
|---|---|---|
| Microsoft Azure | Model inference | Prompt and response content is processed transiently in memory to serve your request. Per Microsoft's Azure OpenAI data policies, content may be processed by automated abuse-monitoring systems on Microsoft's side. If you set store: true on the Responses API, Azure retains that conversation state (see section 3). |
| Stripe | Payments | Card details go directly to Stripe. We never see or store card numbers; we keep only Stripe's transaction references and invoice records. |
| Convex | Application database | Stores account data, API key hashes, request metadata, and billing records. Never stores prompt or response content. |
| Vercel | Hosting and edge network | Routes API and web traffic. Standard infrastructure logs (IP address, timestamp, path); no request bodies are logged. |
5. Data retention
Request metadata and billing records are kept for billing accuracy and audit. When you close your account, we delete your account data, key hashes, and request metadata, except billing records we are legally required to keep (tax and accounting law), which are deleted when that obligation ends.
6. Your rights
You can access, export, or delete your data at any time. Email support@draftworks.dev and we will act on the request within 30 days. Exports are machine-readable. Deletion follows the retention rules in section 5.
7. Cookies and tracking
No ads. No sale of data, ever. No cross-site tracking or third-party analytics beacons. The only cookies we set are first-party session cookies required to keep you signed in.
8. Breach notification
If we confirm a breach affecting your personal data, we will notify you by email within 72 hours of confirmation, including what was affected and what we are doing about it.
9. Changes to this policy
We will announce material changes to this policy by email before they take effect. The latest version is always at this URL. Questions: support@draftworks.dev.