Privacy Policy

Effective date: February 24, 2026

Log inSign up
At a glance

Quick Summary

Your estimates, invoices, change orders, and customer records are stored to operate the Service. You can delete them at any time.
Postmark delivers emails you send to clients. We track delivery, opens, and clicks so you can see when clients engage.
Plaid supports transaction monitoring for connected accounts. DraftSpan does not receive or store your bank login credentials.
Stripe handles payment processing for subscriptions and client invoice payments. Full card numbers never touch our servers.
Contents1/15
0%
01

Information We Collect

Information you provide

  • Account informationName, email, and basic profile details when you create an account
  • Business informationCompany name, business email, phone, address, and website you enter in your settings
  • Estimates, invoices, and change ordersTitles, line items, pricing, tax rates, addresses, notes, and status history for documents you create
  • Customer recordsNames, email addresses, phone numbers, and addresses you enter for your clients
  • Receipts and attachmentsImages or PDFs you upload, along with any notes or tags you add
  • Support communicationsEmails and messages you send to our support team

Information from connected accounts (via Plaid)

When you connect a bank account, we receive transaction information to power transaction monitoring and receipt matching. Transaction information may include the date, description/merchant, amount, category, and account identifiers. We do not receive or store your bank login credentials.

Note: Some limited account metadata (such as account name/type or masked account number) may be returned as part of enabling transaction monitoring, depending on the connection and provider.

Information collected automatically

  • Device and usage dataIP address, browser type/user agent, pages viewed, and timestamps for reliability and security
  • Approximate locationCity, region, and country derived from your IP address, used for session security and fraud prevention
  • Device signals at signupBrowser timezone, language, screen resolution, and platform, combined into a device hash for abuse prevention. Device records are automatically purged after 90 days
  • Cookies and local storageTo keep you signed in, maintain session security, and remember preferences (see Cookies & Analytics section)
  • Performance metricsPage load times and web performance data collected via Vercel Speed Insights to monitor and improve reliability

Information from address lookups (via Google)

When you type an address in an address field, we use the Google Places API to provide autocomplete suggestions. The text you type and your general location are sent to Google to return results. We do not store data from Google; results are only used to populate address form fields.

02

How We Use Information

  • Provide and operate the Service including creating, sending, and tracking estimates, invoices, and change orders; managing customer records; transaction monitoring; receipt storage; and export tools
  • Process payments and manage subscriptions/billing
  • Send transactional emails on your behalf to your clients (e.g., delivering estimates, invoices, and change orders you choose to send)
  • Maintain security, prevent fraud/abuse, and enforce access controls
  • Improve the Service, fix bugs, and understand feature usage
  • Communicate with you about updates, support, and account-related notices

We do not use your clients' contact information to market DraftSpan to them.

Purpose mapping (category → primary use)
  • Account & business info → operate the Service, authenticate you, display your branding on documents
  • Estimates, invoices, change orders, customer records → create, store, send, and export documents on your behalf
  • Financial/transaction data (via Plaid) → transaction monitoring, receipt matching, exports
  • Payment data (via Stripe) → process subscriptions and client invoice payments
  • Device, usage & location data → security, fraud prevention, reliability monitoring
  • Email tracking events → show you delivery/open/click status for documents you send
Email and link tracking: When you send an estimate, invoice, or change order to a client via DraftSpan, we track whether the email was delivered, opened, or clicked using tracking pixels embedded in the email, and whether the client viewed the shared link. Open tracking relies on pixel loading, which may be inaccurate if the recipient's email client blocks images. Recipients can limit tracking by disabling remote image loading in their email settings. This tracking information is shown to you in your activity timeline so you can follow up appropriately.
Sensitive data: Financial account and transaction data may be considered sensitive under certain state privacy laws. We process this data only to provide the features you request (transaction monitoring, receipt matching, and exports) and do not use it for unrelated purposes such as advertising or profiling.
03

Plaid (Bank Connections)

We use Plaid to connect your financial accounts to DraftSpan. When you link an account, you authenticate directly with Plaid.

Important: We do not receive or store your bank login credentials.
What we access and store
  • Transaction information used for features you enable (such as monitoring, receipt matching, and exports)
  • Plaid connection identifiers (e.g., item/account IDs)
  • Tokens/keys needed to access transaction information (stored with access restrictions)
We use Plaid for transaction monitoring. We do not use Plaid to collect payment credentials.

You can disconnect a bank connection within the app at any time. Disconnecting stops future data pulls. You may also request deletion of stored data, subject to limited exceptions described below.

Plaid's collection and use of information is governed by Plaid's own policies, which you can review during the Plaid Link flow.

04

Stripe (Payments)

We use Stripe to process payments. Payment card information is collected and processed directly by Stripe.

Important: We do not store full card numbers on our servers.

We may receive limited billing information from Stripe (such as billing status, plan, the last four digits of a card, and payment method type) to provide customer support and manage your subscription.

Stripe Connect (receiving payments from your clients)

If you set up Stripe Connect to receive payments on invoices, your clients' payment information is collected and processed directly by Stripe. We store Stripe Connect account identifiers, payout eligibility status, and masked external account metadata (e.g., last four digits of a linked bank account) to display your payout status. Your clients' full payment card details never pass through DraftSpan's servers.

05

How We Share Information

We do not sell or share your personal information for cross-context behavioral advertising (as those terms are defined under applicable state privacy laws, including the California Consumer Privacy Act).

We may disclose information in the following situations:

  • Service providers / processorsThat help us operate the Service under contract, including: Supabase (database and authentication), Vercel (hosting and performance monitoring), Postmark (email delivery and tracking), Google (address autocomplete via Places API), and Upstash (rate limiting). These providers only process data as needed to perform services on our behalf.
  • Financial partnersYou explicitly use (Plaid for bank connections; Stripe for subscription billing and invoice payments)
  • Your clientsWhen you send an estimate, invoice, or change order, the recipient receives the document content and your business contact information via email
  • Legal/safetyWhere required by law, legal process, or to protect rights, safety, and security
  • Business changesSuch as merger, acquisition, or sale of assets where information may transfer (we will notify you before information is transferred and becomes subject to a different privacy policy)
Your clients' data: our role

When you enter your clients' contact information into DraftSpan, we act as a service provider/processor on your behalf. We process your clients' information only on your instructions and as needed to provide the Service (for example, delivering documents you choose to send). We do not use your clients' contact information for our own marketing. You are responsible for providing any notices to your clients required by applicable law regarding their personal information.

We share information with service providers under contract and only as needed for them to perform services on our behalf.

06

Security

We use reasonable safeguards designed to protect your information, including HTTPS/TLS encryption in transit and access controls (including MFA for administrative access). Data stored in our systems is protected using provider security controls, including encryption-at-rest features offered by our hosting and database providers.

Encryption
HTTPS/TLS for data in transit
Access Control
MFA + least-privilege admin access
Patching
Regular dependency/runtime updates and security alerts
Incident response

If we become aware of a security breach that may affect your personal information, we will notify affected users and relevant authorities as required by applicable law. We maintain an internal incident response process to investigate and address security events.

No system is 100% secure, so we cannot guarantee absolute security.

07

Data Retention & Deletion

We retain personal information only as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

Typical retention (high level)
  • Account & profile data: retained while your account is active.
  • Estimates, invoices, and customer records: retained while you keep them in your account. You can delete or archive individual records at any time.
  • Receipts/uploads: retained while you keep them in your account, unless you delete them.
  • Connected-account data (Plaid): retained while the connection is enabled and as needed for features you use; disconnecting stops future syncing.
  • Device signals: signup device records are automatically purged after 90 days unless flagged for abuse.
  • Security and operational logs: session records, audit logs, and email delivery/tracking events are retained for a limited period for reliability, fraud prevention, and abuse detection.
  • Backups: copies may persist for a limited time and are deleted on a rolling basis.
Deletion note: When you request deletion, we will delete or de-identify personal information, subject to limited exceptions (e.g., security, fraud prevention, legal compliance, or completing transactions you requested).

To request deletion, contact us at support@draftspan.com.

08

Your Choices & Rights

Disconnect Plaid
Stop future transaction syncing anytime in the app
Access/Update
Update your profile details within the app
Delete
Request full account and data deletion

To request access, correction, portability, or deletion, contact us at support@draftspan.com.

Some rights depend on your state of residence and may be subject to verification and legal exceptions.

09

U.S. State Privacy Disclosures

This section provides additional disclosures for residents of U.S. states with comprehensive privacy laws. These laws vary by state, but generally provide rights to access, delete, correct, and obtain a copy of your personal information, and in some states to opt out of certain processing.

Categories we collect (examples)
  • Identifiers (name, email, phone, account IDs)
  • Business records (estimates, invoices, change orders, customer records, line items, pricing, and job addresses you create)
  • User content (receipts, attachments, notes, tags)
  • Financial and transaction data (transaction details received via Plaid when you connect accounts; payment records via Stripe)
  • Internet/device activity (IP address, approximate geolocation, device/browser, timezone, app interactions, performance metrics)
  • Support communications (messages you send us)
The specific categories and fields depend on the features you use (for example, whether you connect a bank account).
Sale, sharing, targeted advertising, profiling
We do not sell or share personal information for cross-context behavioral advertising (as those terms are defined under applicable state privacy laws, including the CCPA). We do not use personal information for targeted advertising based on your activity across unaffiliated websites or apps, or for automated profiling that produces legal or similarly significant effects.
Sensitive data
Financial account and transaction data may be considered sensitive under certain state privacy laws. We process this data only to provide the features you request (transaction monitoring, receipt matching, and exports) and not for unrelated purposes. You have the right to limit the use or disclosure of sensitive personal information where required by applicable law.
Your rights (may vary by state)
  • Access: request the personal information we maintain about you
  • Correction: request that we correct inaccurate personal information
  • Deletion: request that we delete personal information, subject to exceptions
  • Portability: request a copy of certain personal information in a usable format
  • Opt-out (some states): targeted advertising, sale, or certain profiling (we do not engage in these as defined above)
  • Non-discrimination: we will not discriminate for exercising privacy rights

How to exercise your rights

Submit a request by emailing support@draftspan.com. To help us respond, include the email address associated with your account and describe the request (access, correction, deletion, portability).

We may need to verify your identity before completing a request. If you use an authorized agent (where permitted), we may require proof of authorization and may still verify your identity directly.

Response timing
We aim to respond within 45 days where applicable. If an extension is needed, we will notify you as required by law.
Appeals
If we deny your request, you may appeal by replying to our response or emailing support@draftspan.com with "Privacy Appeal" in the subject line.
If you have questions about state-specific disclosures (including California disclosures), contact us at support@draftspan.com.
10

Cookies & Analytics

We use cookies and similar technologies to keep you signed in, remember preferences, and help secure the Service. We use Vercel Speed Insights to collect page performance metrics (such as load times) to monitor and improve reliability. We do not use analytics or cookies for cross-site targeted advertising.

Cookies we set
  • Authentication cookies — Supabase session tokens to keep you signed in (httpOnly, secure)
  • Device ID cookie — a unique identifier for session security and trusted-device management (365 days, httpOnly)
  • Session ID cookie — tracks your active session for security monitoring (30 days, httpOnly)
  • MFA verification cookie — remembers successful multi-factor authentication (up to 30 days, httpOnly)
  • Client ID — a device identifier used for signup abuse prevention (365 days)
Local storage

We use browser local storage to remember your preferences (such as your timezone and UI settings) and, if you choose "remember me" at login, your email address for convenience. This data stays on your device and is not sent to our servers except as needed to operate the Service.

Essential Cookies
Required for login, session management, security, and abuse prevention
Performance Analytics
Vercel Speed Insights collects page load metrics (no cross-site tracking)
Do Not Sell/Share: We do not sell or share personal information for cross-context behavioral advertising (as defined under applicable state privacy laws). We do not use cookies or similar technologies for targeted advertising based on your activity across unaffiliated sites or apps.

You can typically control cookies through your browser settings. Blocking certain cookies may impact functionality (for example, staying signed in).

11

Children's Privacy

The Service is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact us and we will take steps to delete it.

12

International Data Transfers

DraftSpan is a U.S.-based service intended for users located in the United States. We store data primarily in the United States using our hosting and database providers.

Some of our service providers (such as hosting, email delivery, and payment processors) may process information in the United States and other locations where they maintain infrastructure. These locations may have different data protection laws than your state or country. By using the Service, you acknowledge that your information may be processed in these locations.

13

Operator Information

The Service is operated by Draft Span LLC, a Colorado limited liability company.

Contact details
Entity: Draft Span LLC
Email: support@draftspan.com
A mailing address for legal notices is available upon request by emailing support@draftspan.com.
14

Updates to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top of this page.

How we notify you
  • Posting the updated policy on this page
  • For material changes, we may also provide additional notice (for example, in-app or by email)

Your continued use of the Service after the effective date of an updated policy means you acknowledge the updated policy.

15

Contact Us

Questions or requests? We're here to help.

Or email us directly at support@draftspan.com.
For privacy requests, include your account email and the request type (access, correction, deletion, portability).