Privacy Policy

Draftbox is a digital workspace product that helps users capture, organize, edit, store, share, and retrieve notes, drafts, documents, attachments, and AI-assisted outputs.

For privacy questions, access requests, or deletion requests, you can contact us at support@fixpro.gr.

This policy applies to personal data processed through the public Draftbox website, account registration and sign-in flows, password and passkey authentication, enterprise single sign-on, user profiles, workspaces, uploaded files, collaboration and sharing features, document indexing, search, connected third-party account integrations, subscription billing, account deletion flows, and AI-powered functionality.

This policy reflects the current Draftbox infrastructure and also describes the categories of personal data processed when you choose to connect supported third-party services such as Google Calendar, Google Drive, OneDrive, or Dropbox. If we materially change our data flows or add new third-party integrations, we will update this policy before or at the time the change becomes active.

We may collect and process the following categories of data:

• Account data, such as name, email address, password hash, account identifiers, email verification state, approval status, role, profile image, and account timestamps.
• Optional profile data, such as city, backup email, job title, website, company name, VAT number, billing address, bio, mobile number, country, skills, and usage goals, if you choose to add them.
• Authentication and security data, such as login provider, enterprise SSO domain details, session data, passkey enrollment records, verification tokens, password reset tokens, and security event metadata.
• Connected service data, if you choose to link external accounts, such as Google account identifiers, Google Calendar metadata and event content, Google Drive, OneDrive, or Dropbox account identifiers, provider display names, account email addresses, file and folder metadata, supported file content that you explicitly browse, sync, link, or import, and related connection, access-token, refresh-token, revocation, read-health, and sync metadata needed to maintain the integration.
• Workspace content, such as notes, drafts, structured editor content, chat history, document versions, calendar items, contacts, box metadata, and collaboration settings.
• File and attachment data, such as filenames, MIME types, storage keys, object URLs, previews, thumbnails, upload session records, multipart upload state, managed copies, and extracted text derived from supported files.
• Collaboration data, such as box shares, file shares, item shares, assigned permissions, accepted invitations, and activity required to manage shared access.
• Billing data, such as Stripe customer identifiers, subscription identifiers, subscription status, current billing period end, scheduled cancellation state, purchased add-on records, checkout or payment intent references, invoice-related metadata, and billing contact details you choose to provide.
• AI billing and metering data, such as usage events, overage calculations, invoice item references, and related billing metadata used to charge for AI-enabled features.
• AI interaction data, such as prompts, retrieved context, indexed text chunks, embeddings, summaries, AI outputs, usage-cost metadata, and certain audit records created when protected access controls are overridden.
• Operational data, such as error logs, request metadata, rate-limit signals, and system diagnostics required to keep the service safe and functional.

We collect personal data directly and indirectly when you:

• Create an account or sign in with email and password.
• Sign in with Google or through enterprise single sign-on.
• Use passkeys or other security features.
• Connect Google Calendar, Google Drive, OneDrive, Dropbox, or other supported external services.
• Create, edit, upload, organize, or share workspace content.
• Send or receive collaboration invitations.
• Use AI-assisted chat, indexing, summarization, or retrieval features.
• Start a paid subscription, purchase add-ons, schedule a cancellation, remove a scheduled cancellation, or delete your account.
• Contact us or respond to verification and security emails.

We use personal data to:

• Provide and maintain the Draftbox service.
• Authenticate users and secure accounts.
• Enable SSO, passkeys, sessions, and access control.
• Store, retrieve, render, version, and organize user content.
• Process uploads, generate previews, and extract searchable text.
• Enable sharing, collaboration, invitation flows, and role-based access.
• Import, sync, display, search, analyze, or organize content from connected third-party services when you explicitly request those features.
• Create and manage paid subscriptions, one-time add-ons, subscription cancellations, resumes, billing support, and account closure workflows.
• Reconcile AI usage and invoice-based charges for metered AI features, including the billing metadata needed for Stripe invoicing and subscription management.
• Run AI-assisted features, including retrieval-augmented responses, summarization, indexing, embeddings, and related safety controls.
• Send transactional emails, including email verification messages.
• Detect abuse, prevent unauthorized access, and investigate incidents.
• Comply with legal obligations and enforce our terms and security rules.

Where applicable under data protection law, Draftbox processes personal data on one or more of the following legal bases:

• Contract: when processing is necessary to create and operate your account, provide workspace functionality, and deliver the features you request.
• Legitimate interests: when processing is necessary to secure the service, prevent abuse, troubleshoot issues, improve reliability, and maintain safe collaboration and AI controls.
• Legal obligation: when we must keep or disclose certain records to comply with applicable law, lawful requests, or regulatory duties.
• Consent: where consent is legally required for a specific feature or jurisdiction-specific processing activity.

Draftbox currently supports email-and-password authentication, Google sign-in, enterprise SSO through WorkOS, and optional WebAuthn passkeys when enabled.

We use authentication and security data to verify identity, maintain sessions, enforce account roles, protect shared content, support enterprise sign-in flows, and reduce unauthorized access.

Passwords are not stored in plain text. Draftbox stores password hashes for credential-based accounts and stores passkey-related records only to support WebAuthn authentication where available.

When you upload supported files, Draftbox may store the original file, generate previews or thumbnails, extract text, create document summaries, break content into text chunks, and generate vector embeddings so that your content can be searched and used in retrieval-augmented AI features.

Draftbox currently uses Google Gemini services for certain AI generation and embedding workflows. Depending on the feature you use, data sent for AI processing may include prompts, selected workspace context, extracted text from attachments, chat history, and related metadata required to return a response.

Draftbox applies redaction and policy controls to reduce the risk of exposing sensitive strings to AI systems. These controls may detect and mask items such as email addresses, phone numbers, payment card numbers, IBANs, tokens, secrets, private URLs, and selected contact references before AI processing. In some protected workflows, audited override mechanisms may exist for authorized users.

AI outputs can be inaccurate, incomplete, or unsuitable for legal, medical, financial, or other high-risk decisions. You remain responsible for reviewing AI-generated output before relying on it.

If you choose to connect Google Calendar, Google Drive, OneDrive, or Dropbox to Draftbox, Draftbox will access only the categories of data that are necessary to provide the user-facing features you request, such as browsing connected files, importing content, reading connected calendar data, linking workspace items, or supporting related search and drafting workflows.

Google Calendar data may include calendar identifiers, event metadata, event content, attendee or organizer details, and related timestamps needed to display, sync, summarize, or organize calendar information inside Draftbox.

Connected cloud-storage data may include file and folder names, file identifiers, parent-child structure, MIME type or extension, modified timestamps, permissions-related metadata made available by the provider, supported file contents, and derived text, previews, summaries, chunked indexes, or embeddings when you import, view, index, or analyze that content using Draftbox.

Some provider-native document formats may be exported into a compatible read-only format, such as PDF, when needed for preview, managed-copy storage, text extraction, or indexing inside Draftbox.

Draftbox does not access connected Google, Microsoft, or Dropbox content unless you authorize the connection and trigger a feature that requires the data. Draftbox does not sell connected service data.

Sync, re-sync, import, and link operations are started only when you trigger them from Draftbox or when Draftbox finishes background processing for a job you already requested. Draftbox may store raw managed copies, extracted text, previews, summaries, chunked indexes, embeddings, and sync-status metadata for the items you choose to connect or import.

Draftbox will not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models. Google Workspace API data is used only to provide, secure, and improve user-facing features requested by the user in accordance with applicable Google API requirements.

Draftbox allows users to share boxes, files, and individual content items with other Draftbox users. Shared access may include viewer, editor, or admin-style permissions, depending on the access granted.

If you share content, the receiving user may be able to view, retrieve, copy, or further work with the shared material within the limits of the permissions you assign. You are responsible for using sharing features appropriately and only sharing content with users you intend to authorize.

Draftbox uses third-party providers that process data on our behalf or as separate service providers supporting authentication, communications, billing, storage, and AI functionality. Our current stack includes the following categories of providers:

• Google, for Google account authentication and Google Gemini AI services used in selected AI and embedding workflows, and, if enabled by the user, Google Calendar and Google Drive integration workflows.
• Microsoft, if enabled by the user, for OneDrive content access workflows involving files or folders the user has authorized Draftbox to browse or import.
• Dropbox, if enabled by the user, for Dropbox content access workflows involving files or folders the user has authorized Draftbox to browse or import.
• WorkOS, for enterprise single sign-on and related organization or domain-based authentication flows.
• Stripe, for subscription billing, one-time add-on purchases, billing portal workflows, customer records, invoice handling, and subscription lifecycle events.
• Amazon S3-compatible storage infrastructure, for text-indexable documents, generated image thumbnails/previews, and related derived assets, and Backblaze B2, where enabled, for original non-text uploads and media objects.
• Resend, for transactional email delivery such as email verification.
• Limited legacy Vercel Blob storage paths, where older or migrated assets may still be referenced by the service.

We may also use infrastructure providers for hosting, networking, and managed database operations required to run Draftbox securely and reliably.

Draftbox uses Stripe as its payment processor for paid subscriptions and one-time add-on purchases. Stripe may collect and process billing information, payment method details, transaction records, and fraud-prevention signals under Stripe's own terms and privacy practices.

Draftbox does not store your full payment card number. Draftbox may store limited billing and subscription metadata returned by Stripe, such as customer identifiers, subscription identifiers, purchased price identifiers, payment status, renewal dates, scheduled cancellation dates, and checkout or invoice references needed to operate the service and support account management.

Some service providers used by Draftbox may process data in countries other than your own. Where required, we rely on contractual, organizational, and technical safeguards intended to support lawful cross-border data transfers.

We retain personal data for as long as it is reasonably necessary to provide the service, maintain security, support collaboration, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account and profile data are typically retained while your account is active and for a reasonable period afterward when needed for security, compliance, or recovery purposes.
• Workspace content, files, versions, and collaboration records are retained until deleted by you, removed through workspace actions, or deleted as part of account closure and related cleanup flows, subject to backup, legal, and system integrity constraints.
• Indexed text, summaries, embeddings, chat messages, and security audit records may persist for as long as the related feature, account, or workspace remains active, unless earlier deletion is supported and requested.
• Connected Google Calendar, Google Drive, OneDrive, and Dropbox data may be retained in synchronized, cached, imported, indexed, or derived form for as long as the related integration, imported workspace content, or user-requested feature remains active, unless earlier deletion or disconnection is supported and requested.
• Temporary upload-session records, retry state, and transient logs may be removed automatically after operational cleanup windows.
• Billing, purchase, and invoice-related records may be retained as needed for tax, accounting, fraud-prevention, charge handling, and legal compliance.

When you disconnect a connected cloud-storage account, Draftbox may offer a choice between leaving imported or preserved items in place and removing unused synchronized cache. If you choose cache cleanup, unused synced source records are removed while files still in use may be preserved as standalone managed copies so your existing workspace items keep working.

When you delete your Draftbox account through supported account controls, Draftbox attempts to cancel any active paid subscription, delete owned stored objects, and then delete the associated account records and related workspace data. If stored-file cleanup cannot be completed, account deletion may not finish until the cleanup is retried successfully.

Draftbox uses administrative, technical, and organizational measures designed to protect personal data, including authentication controls, password hashing, session management, role-based access, scoped file access checks, rate limiting, redaction controls for AI workflows, and audit records for selected sensitive overrides.

No method of transmission, storage, or processing is completely secure. You should use a strong password, protect your devices, and avoid sharing credentials.

Depending on your location and applicable law, you may have the right to request access to personal data, correction of inaccurate data, deletion, restriction, objection, portability, or withdrawal of consent where consent is the legal basis.

To make a privacy request, contact support@fixpro.gr. We may need to verify your identity before acting on a request. Some deletion actions may also be available directly inside your Draftbox account settings.

Draftbox is not intended for children under the age required by applicable law to independently use the service. If you believe a child has provided personal data to Draftbox inappropriately, please contact us so we can review the matter.

We may update this Privacy Policy from time to time to reflect product, legal, operational, or security changes. When we make material updates, we will revise the "Last updated" date on this page.

You can also review our Permissions and Data Access, Terms of Service, Payments and Cancellations Policy and Data Processing Agreement.