Privacy Policy

Account data: email address, name if provided, authentication identifiers, and account preferences.

Project data: interview answers, business-plan content, uploads, chat messages, generated documents, and usage metadata (for example which sections you edit or regenerate).

Billing data: Paddle processes payment details; we receive transaction IDs, purchase status, amounts, currency, and limited billing contact fields—not full card numbers.

Technical and analytics data (with consent): pages viewed, interactions, device and browser information, approximate location derived from IP, client-side errors, session replay (with inputs masked), heatmaps, and product milestone events—via PostHog when you accept analytics cookies.

Communications: emails we send (for example account, billing, or support messages) and messages you send to us.

Provide, maintain, and secure the service; authenticate users; generate, store, and display your business-plan outputs.

Keep your projects private to your account and enforce access controls.

Process purchases, billing, fraud prevention, and customer support.

Understand product usage, diagnose errors, and improve reliability (analytics where you have consented).

Send service-related email (for example receipts, access links, or security notices).

Comply with legal obligations and enforce our Terms.

Your projects belong to you. We treat project content as confidential: it is accessible only to your authenticated account (and our systems as needed to deliver the service). We do not make your projects searchable or visible to other customers.

We do not sell your personal data or project content. We do not use your project content to train public AI models.

If you export or share documents from your workspace, you control what leaves StartupDrafter.

Application data (accounts, projects, and generated documents) is hosted on servers located in Germany (European Union).

PostHog analytics, when enabled, uses PostHog’s EU cloud (eu.i.posthog.com).

Some subprocessors may process limited data in other countries as described below; where required, we rely on appropriate safeguards such as Standard Contractual Clauses.

Infrastructure hosting in Germany (application and database).

Paddle (Merchant of Record for payments and tax compliance).

OpenAI (AI generation and chat processing under our API agreement).

PostHog (product analytics, session replay, heatmaps, and error tracking—only with your cookie consent).

Resend or similar providers (transactional email).

We may disclose data if required by law, to protect rights and safety, or in connection with a merger or acquisition subject to this policy.

Performance of a contract (Article 6(1)(b)): providing the service you sign up for and fulfilling purchases.

Legitimate interests (Article 6(1)(f)): security, fraud prevention, and internal operations, balanced against your rights.

Consent (Article 6(1)(a)): optional analytics cookies and similar tracking; you may withdraw via Cookie settings.

Legal obligation (Article 6(1)(c)): tax, accounting, and regulatory requirements.

Primary storage is in the EU (Germany). Some subprocessors (for example OpenAI or Paddle) may process data in the United States or other countries. Where personal data is transferred outside the EEA, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms offered by our vendors.

We retain account and project data while your account is active and for a reasonable period afterward unless you request deletion, subject to legal retention requirements.

Billing records are retained as required for tax and accounting. Server logs and PostHog data are kept for limited periods for security, troubleshooting, and product improvement.

We use administrative, technical, and organizational measures appropriate to the risk, including access controls, encryption in transit, and monitoring. No method of transmission or storage is completely secure.

Where GDPR applies, you may have the right to access, rectify, erase, restrict, or port your data, object to certain processing, and withdraw consent where processing is consent-based.

Contact yca@startupdrafter.com to exercise your rights. We respond within the timelines required by applicable law.

You may lodge a complaint with a supervisory authority in your country of residence or place of work, or in Germany where our primary hosting is located.

StartupDrafter is not directed to children under 18. We do not knowingly collect personal data from children. Contact us if you believe a child has provided data.

We may update this Privacy Policy with a revised “Last updated” date. Material changes may be communicated by email or in-product notice.

Data controller: YCA YAZILIM DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ — yca@startupdrafter.com