todrawn
what we keep, and why

Privacy policy.

effective from 3 July 2026

§1. Controller and contact

This privacy policy explains how personal data is processed in the Todrawn service (the “Service”) — interactive online whiteboards for drawing, adding shapes and images, and collaborating with other users.

The controller of your personal data is Jakub Kuźnicki (the “Provider”). In matters concerning data protection the Provider can be contacted by email at support@todrawn.com.

Terms written with a capital letter and not defined here have the meaning given to them in the Terms of Service.

§2. What data we process

Depending on how you use the Service, we process:

  • account data — your email address and, for accounts created with a password, a password hash (we never store the password itself); for accounts created with Google Sign-In the password is not set,
  • content data — the boards you create, including drawings, shapes, text and uploaded images,
  • subscription data — your plan (FREE or PREMIUM), subscription status and the identifier assigned to you by our payment operator,
  • technical data — information needed to keep the Service secure and working, such as the time of certain actions and basic request metadata recorded in server logs.

We do not process special categories of data, and we do not use your data for automated decision-making or profiling.

§3. Why we process it and on what legal basis

We process your data for the following purposes:

  • to provide the Service and your account — performance of the contract (art. 6(1)(b) GDPR),
  • to handle payments for the PREMIUM plan and to meet accounting obligations — compliance with a legal obligation (art. 6(1)(c) GDPR),
  • to verify your email address and to handle password resets — performance of the contract (art. 6(1)(b) GDPR),
  • to keep the Service secure and to prevent abuse, including the per-card limit on the free trial — our legitimate interest (art. 6(1)(f) GDPR),
  • to handle complaints and respond to your requests — our legitimate interest (art. 6(1)(f) GDPR).

§4. Cookies and browser storage

The Service does not use advertising, analytics or tracking cookies. We do not profile you and we do not load third-party tracking scripts.

To keep you signed in, the Service stores two authentication tokens in your browser’s local storage. If you tick “Remember me on this device” at login, the tokens are kept in persistent storage (localStorage) so your session survives a browser restart; otherwise they are kept in session storage and cleared when you close the tab or browser. These tokens are strictly necessary for the Service to work and are removed when you log out.

Besides these tokens, the Service keeps a few small preferences in your browser’s local storage — for example your light or dark theme choice, your toolbar settings, and a note that you have dismissed the cookie notice. These remember your choices on this device only; they contain no tracking identifiers and are not shared with anyone.

If you choose to sign in with Google, Google Sign-In is loaded from Google’s servers and may set its own cookies on the accounts.google.com domain, in line with Google’s privacy policy. This happens only when you actively use that option.

§5. Who we share data with

We share data only with service providers that help us run the Service, and only to the extent necessary:

  • Stripe — our payment operator, which processes subscription payments. The Provider does not store payment card data — it is processed exclusively by Stripe,
  • Google — when you choose to sign in with Google, the Google identity token is verified to confirm your identity.

Verification codes and password-reset messages are handled within the Service and are not shared with any third-party email provider. We do not sell your personal data and we do not share it for marketing purposes.

§6. How long we keep data

We keep account and content data for as long as you hold an Account. You may stop using the Service at any time and request deletion of the Account by contacting the Provider; on deletion your boards and images are removed.

Data connected with payments is kept for the period required by accounting and tax law. Data processed on the basis of our legitimate interest is kept until that purpose is fulfilled or you successfully object, whichever comes first.

In practice, this means the following retention periods:

  • account data (your email, and a password hash where applicable) — kept until you delete your Account,
  • whiteboards and images — kept until deleted by the owner, or until the Account is deleted; uploaded images are served over unguessable links and copies may remain in browser or intermediary caches for up to 7 days after deletion,
  • email-verification and password-reset codes — kept for 15 minutes, then automatically discarded,
  • the card fingerprint used to enforce one free trial per payment card — kept for 24 months from the trial, to keep that anti-fraud check meaningful,
  • records of administrative actions on Accounts (our audit trail) — kept for 24 months from the action,
  • delivery records for marketing emails — the message content and counts are kept for reporting, but the recipient’s email address on each record is anonymized 30 days after the message was sent, failed, or was skipped,
  • identifiers of processed payment events (used to avoid handling the same payment notification twice) — kept for 90 days,
  • server logs — kept for up to 90 days, for security and troubleshooting purposes,
  • payment data itself is not stored by the Provider — it is held by Stripe under its own retention policy.

§7. International transfers

Some of our providers (in particular Stripe and Google) may process data outside the European Economic Area. In such cases the transfer takes place on the basis of appropriate safeguards, in particular the European Commission’s Standard Contractual Clauses.

§8. Your rights

You have the right to access your data, rectify it, delete it, restrict its processing, port it, and object to its processing. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out beforehand.

To exercise your rights, contact the Provider at the email address given in §1. You also have the right to lodge a complaint with the supervisory authority — the President of the Polish Personal Data Protection Office (UODO).

§9. Children

The Service is intended for persons who are at least 16 years old. Minors use the Service with the consent of a legal guardian. We do not knowingly process the data of children below this age.

§10. Changes to this policy

We may update this privacy policy, for example when the law or the way we provide the Service changes. The current version is always available in the Service, with the effective date shown below. Where a change requires it, we will notify Users by email.

This privacy policy is effective from 3 July 2026.