Privacy Policy
Important! If you do not understand any of the languages in which this document is currently available, we strongly request you not to agree and not accept this policy and, consequently, not to continue to use the Services. In case of any differences between a translation and the English version, the English version prevails. Therefore, by continuing to use our Services, you agree and acknowledge that you understood the terms of this document in one of the languages in which they are currently available.
Last version edited on: 28/April/2026
!!! If you are an individual, you must have, according to the applicable legislation, at least the minimum legal age to use the Services, but not less than 16 years old.
PRIVACY POLICY
1. Identity and contact data of the Controller and the data protection officer
1.1. Identity and contact data of the Controller: Company Code Path S.R.L., having its headquarters in Bucharest, Unirii Boulevard, no. 73, Bl. G3, Sc. 3, 4th floor, Ap. 55, District 3, registered with the Trade Registry under No. J40/10861/2016, sole registration code 36426318 (also referred to in this Privacy Policy as the “Controller” or “Code Path” or “we” or “us”). Contact: [email protected] and on the website www.draftcamp.ai.
1.2. Contact data of the data protection officer: [email protected] and on the website www.draftcamp.ai, as long as it was (necessary to be) appointed a data protection officer.
2. About Draftcamp and this Privacy Policy
2.1. Code Path operates Draftcamp (the “Platform” or the “Service”), an AI-powered SEO content optimisation service accessible at www.draftcamp.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you access the Platform as an organisation administrator, team member, or other authorised user (collectively “you” or the “Customer”).
2.2. This Privacy Policy is incorporated by reference into the Draftcamp Terms of Service available at www.draftcamp.ai/tos and should be read together with that agreement. Capitalised terms not defined here have the meanings given in the Terms of Service.
2.3. Please read this document carefully. If you disagree with its terms, please discontinue use of the Service.
3. Purposes of the processing; data subjects; personal data
3.1. The Controller shall process the personal data (referred to in this Privacy Policy as the “(personal) data”) of any individual (potential) customer (referred to as the “Customer” or the “data subject” or “you”), of which data has been provided, directly and/or indirectly, in relation with: (i) any of the services provided by Code Path (referred to as the “Services” or the “Draftcamp Services”), as such Services are defined in the Terms of Service agreement that can be found at www.draftcamp.ai/tos or in any other similar agreement between the Customer and Code Path; and/or (ii) any agreement(s), as and if the case may be, for any purposes in order to perform any agreement(s) between you and Code Path and/or to take any steps in order to conclude any agreement(s) between you and Code Path and/or in any compatible, related and correlated purposes, including without limitation processing of any payment(s).
3.2. The Controller shall also process the personal data of any individual connected with any (potential) customer of Code Path (referred to as the “Authorised Person” or the “data subject” or “you”), of which data has been provided, directly and/or indirectly, in relation with any use or access of the Services and/or any agreement(s), as and if the case may be, for any purposes in order to perform any part of any agreement(s) between any customer of Code Path and Code Path (including without limitation for accessing and/or using the Services) and/or to take any steps in order to conclude any such agreement(s) and/or in any compatible, related and correlated purposes.
3.3. The Controller shall also process the personal data of any individual authorised user (referred to as the “Authorised User” or the “data subject” or “you”), of which data has been provided, directly and/or indirectly, in relation with any use or access of the Services and/or any agreement(s), mainly in connection with accessing and/or using the Services by such Authorised Users and/or in any compatible, related and correlated purposes.
3.4. Your electronic contact details provided in the context of selling a product or a service may be used for direct marketing (unsolicited communications) regarding similar products or services. You can always withdraw your consent by accessing the unsubscribe link provided in any such communication.
3.5. Without affecting the generality of the foregoing and for the sake of clarity, your (electronic contact) data may be used by the Controller in order to send you direct marketing communications (including for products or services that are not similar to those in the context of which you provided your data), as long as you gave your consent for such purpose. You can always withdraw your consent by accessing the provided link.
3.6. The Controller will also process personal data in any cases where the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.7. The Controller will also process your personal data for any other purposes for which you have expressed unambiguous consent.
3.8. The Controller will process personal data that is, in each specific case, adequate, relevant and limited to what is necessary for the purposes for which it is processed.
3.9. The Controller will also process personal data for any compatible, related and correlated purposes with the ones mentioned above.
3.10. The personal data processed
3.10.1. Account and identity data: first name, last name, display name, email address, phone number, avatar URL, password hash (bcrypt; we never store plain-text passwords), timezone, locale, registration method (direct sign-up, email invitation, or Google OAuth), organisation name, organisation slug, and plan tier.
3.10.2. Authentication and session data: hashed session tokens and expiry timestamps, IP addresses, user-agent strings at login, Google OAuth access and refresh tokens (stored encrypted at rest) for Google Search Console integration, and two-factor authentication secrets (stored encrypted) if enabled.
3.10.3. Website and SEO data: Google Search Console (GSC) properties you authorise — site URLs, page URLs, query metrics (clicks, impressions, CTR, average position), sync history; page content fetched by the Draftcamp crawler (raw HTML, extracted Markdown, word counts, heading structure, meta tags, internal and outbound link counts, schema markup presence); content versions each time a page is re-crawled; sitemap data; and crawl status.
3.10.4. Knowledge base and brand data: uploaded file content (PDFs, text and other supported formats), file title, size, MIME type, and content hash; vector embeddings generated from your documents for semantic search; brand profile attributes you approve (target audience, tone, style, intent) generated by the AI brand analyst.
3.10.5. AI pipeline and content data: audit records and per-page audit results including funnel position, edit classification, opportunity scores and AI reasoning; rewrite pipeline state (current phase, working brief, working draft, final Markdown, pipeline status, timestamps); pipeline steps (agent type, model used, input/output data, token usage, duration, errors); draft snapshots; block-level user feedback, AI-generated proposals and accept/reject decisions; and comments or review notes added by you or your teammates.
3.10.6. Integration credentials and plugins: WordPress Application Password credentials (stored encrypted) and site URL, used solely to push content drafts; site plugin configuration (remote MCP server URL, custom headers, enabled/disabled state); and any external OAuth tokens for future integrations.
3.10.7. Usage and telemetry data: page views, feature interactions, workflow events, clicking behaviour, log-in/log-out times, log information, pages visited, time of usage, URL requested, IP address, browser, browser version, browser language, device ID, device OS, and referral URL. Telemetry data is pseudonymised where possible and associated with your organisation ID rather than your personal email.
3.10.8. Billing and financial data: last four digits of credit card number, payment method, payment status, payment preference, currency, IBAN, bank account number, VAT number, tax identification number, invoices, and refunds.
3.10.9. Communication and marketing data: electronic communications received, marketing preferences, newsletter preferences, date first seen, date signed up, date last seen, date last contacted, date last opened email, date last clicked on link in email, unsubscribe status, spam complaint status, and hard-bounce status.
4. Legal basis of the processing
4.1. The legal bases for processing are Article 6(1)(a), (b), (c) and (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”), namely:
(a) Consent — the data subject has given consent to the processing of his or her personal data for one or more specific purposes, including optional marketing communications and any other features that require a separate opt-in. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
(b) Contract performance — processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; this covers account management, pipeline execution, content delivery, and billing.
(c) Legal obligation — processing is necessary for compliance with a legal obligation to which the Controller is subject, including obligations under Romanian and EU accounting, tax, and data-protection law.
(f) Legitimate interests — processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This basis applies to security logging, fraud prevention, product analytics, abuse monitoring, and improving the Service.
5. How we use your data
5.1. We use collected data to: create and manage your account and Organisation; provide, operate, and improve the Platform features described in the Terms of Service; run AI content-audit and rewrite pipelines using the data you provide and authorise; generate site brand profiles and knowledge-base embeddings; authenticate you and maintain session security; send transactional emails (invitation links, password resets, pipeline-completion notifications); monitor for abuse, security incidents, and policy violations; comply with legal obligations and respond to lawful requests from public authorities; and conduct aggregate, anonymised analytics to improve product quality.
5.2. We do not use your content (articles, brand profiles, knowledge base documents) to train AI models for general use or to share insights with third parties outside your Organisation.
6. AI processing and third-party LLM providers
6.1. The Platform uses large language model (LLM) APIs to power content auditing and rewriting features. Currently we use the OpenAI API (GPT-4.1 series). Your content — including page Markdown, user briefs, and knowledge-base context — is transmitted to these providers solely to fulfil your requests. OpenAI processes data under a Data Processing Agreement and does not use API-submitted content to train its models by default. We will update this Policy if LLM providers change.
6.2. Prompt inputs, completions, and token-usage metadata are also logged via Langfuse (an LLM observability tool) for debugging, quality monitoring, and cost management. Langfuse data is stored within our infrastructure.
7. Data sharing and disclosure
7.1. We do not sell your personal data. We share data only in the circumstances described below.
7.2. Service providers (processors): We engage the following categories of sub-processors to operate the Service: cloud infrastructure — Hetzner Online GmbH (Germany) for hosting and object storage; LLM APIs — OpenAI (USA) for AI content generation; LLM observability — Langfuse for pipeline debugging and monitoring; product analytics — PostHog (pseudonymised usage events); and a transactional email provider for system notifications. All sub-processors are contractually bound to process data only on our documented instructions and to implement appropriate security measures.
7.3. Google APIs: Integration with Google Search Console uses the Google OAuth 2.0 flow. Data retrieved from Google APIs is used exclusively to provide the features you explicitly request and is not transferred to third parties or used for advertising. Our use complies with the Google API Services User Data Policy, including the Limited Use requirements.
7.4. Legal disclosures: We may disclose personal data if required to do so by law or in response to valid legal process (court order, regulatory request), or where we believe in good faith that disclosure is necessary to protect our legal rights or prevent imminent harm.
7.5. Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity subject to the same protections described in this Policy.
8. International data transfers
8.1. Our primary infrastructure is located in the European Economic Area (Hetzner, Germany). Some sub-processors — notably OpenAI (USA) — are located outside the EEA. Where we transfer personal data to third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or adequacy decisions where applicable. You may request a copy of the applicable transfer mechanism by contacting us at [email protected].
9. Data retention
9.1. We retain personal data for as long as necessary to fulfil the purposes described in this Policy or as required by law:
(a) Account data: retained for the duration of your account and deleted within 90 days of account termination, unless a longer period is required by law.
(b) Pipeline and content data: retained for the duration of your subscription and for up to 12 months following termination, after which it is permanently deleted or anonymised.
(c) Security and audit logs: retained for up to 12 months for security investigation purposes.
(d) Billing records: retained for 10 years in accordance with Romanian accounting law.
(e) Anonymised analytics: may be retained indefinitely as they cannot be linked back to individuals.
9.2. You may request earlier deletion of your personal data subject to the exceptions described in Section 11.
10. Security measures
10.1. We implement technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+) for all network communication, with infrastructure behind a VPN with no public-facing IPs except a single reverse proxy; encryption at rest for sensitive credentials (OAuth tokens, WordPress Application Passwords); PostgreSQL row-level security (RLS) ensuring each organisation can only access its own data; high-availability database cluster with automated encrypted backups; bcrypt password hashing with brute-force protection via login rate-limiting; role-based access controls with the principle of least privilege; and audit logs for all security-sensitive events.
10.2. No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users and the relevant supervisory authority in the event of a personal data breach, as required by GDPR Articles 33 and 34.
11. Your data-protection rights
11.1. Under the GDPR and applicable Romanian law you have the following rights regarding your personal data:
(a) Right of access (Art. 15): obtain confirmation that we process your data and receive a copy.
(b) Right to rectification (Art. 16): correct inaccurate or incomplete data.
(c) Right to erasure (Art. 17): request deletion of your data where there is no compelling reason for continued processing.
(d) Right to restriction of processing (Art. 18): limit how we use your data in certain circumstances.
(e) Right to data portability (Art. 20): receive a structured, machine-readable copy of data you have provided.
(f) Right to object (Art. 21): object to processing based on legitimate interests.
(g) Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
(h) Right to lodge a complaint: with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro, or with the supervisory authority in your EU member state of habitual residence.
11.2. To exercise any of these rights, please contact us at [email protected]. We will respond within 30 calendar days. We may need to verify your identity before fulfilling a request.
12. Cookies and tracking
12.1. The Draftcamp web application uses cookies and similar technologies to maintain authentication sessions and to collect pseudonymised usage analytics. Strictly necessary cookies (session tokens) are required for the Platform to function and cannot be disabled. Analytics cookies (PostHog) may be declined via your account preferences or browser settings.
12.2. We do not use third-party advertising cookies or sell cookie-based data to advertisers.
13. Children’s privacy
13.1. The Platform is not directed to individuals under 16 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will promptly delete it.
14. Changes to this Policy
14.1. We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or via a prominent notice in the Platform interface at least 14 days before the changes take effect. The “Last version edited on” date at the top of this document indicates when the current version took effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
15. Contact
15.1. If you have questions, concerns, or requests regarding this Privacy Policy or our data-processing practices, please contact:
Code Path S.R.L.
Unirii Boulevard, no. 73, Bl. G3, Sc. 3, 4th floor, Ap. 55, District 3, Bucharest, Romania
Trade Registry: J40/10861/2016 | CUI: 36426318
Email: [email protected] | Website: www.draftcamp.ai
We aim to respond to all data-protection enquiries within 30 calendar days.