Privacy Policy
1. Who we are
This policy describes how Brian McCallum Draughting Ltd ("we", "us") collects and uses personal data when you use our website at mccallumdraughting.com or the DraughtAI service. We are the data controller for the purposes of the UK GDPR and the Data Protection Act 2018.
2. What we collect
2.1 Account & billing data
- Name, business email, company / practice name
- Country, billing address, VAT number (where provided)
- Subscription, plan and invoice history (held by Stripe on our behalf)
- Authentication identifiers (encrypted password hash, session tokens)
2.2 Service-use data
- Files you upload to be processed ("Customer Content"), and the drawings produced from them ("Output")
- Job metadata: timestamps, file sizes, generation parameters, error logs
- Audit log of who in your team generated, reviewed or exported each drawing
2.3 Technical data
- IP address, user agent, approximate location (country / city)
- Pages visited, anonymised analytics events (Plausible, EU-hosted, no cookies set without consent)
2.4 Communications
- Support tickets, contact-form submissions, demo bookings and email correspondence
3. Why we use it & the legal basis
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Provide and operate the service | Performance of contract |
| Bill you and recover unpaid invoices | Performance of contract / legitimate interests |
| Service announcements & security alerts | Legitimate interests |
| Marketing email to existing customers (opt-out at any time) | Legitimate interests / soft opt-in (PECR) |
| Analytics & product improvement (anonymised) | Legitimate interests |
| Legal & tax record-keeping | Legal obligation (HMRC, Companies Act 2006) |
4. We do not use your drawings to train AI
Customer Content uploaded to DraughtAI is never used to train, fine-tune, evaluate or improve any AI model — ours or a subprocessor's. Our subprocessor agreements explicitly prohibit such use, and we audit them annually.
5. Subprocessors
We use a small number of trusted suppliers ("subprocessors") to operate the service. These are:
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services UK | Application hosting, file storage, database | UK (London, eu-west-2) |
| Stripe Payments UK Ltd. | Payments, billing, tax | UK / EEA / US (under SCC + IDTA) |
| OpenAI Ireland Ltd. | Large language model API for natural-language understanding | EU / US (zero data retention enabled) |
| Anthropic, PBC | Large language model API (failover) | US (under SCC + IDTA, no training) |
| Google Workspace | Business email, support inbox | UK / EEA |
| Plausible Analytics | Privacy-respecting site analytics (no cookies) | EU (Germany) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global (under SCC + IDTA) |
Where data is transferred outside the UK, transfers are protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus appropriate technical safeguards.
6. How long we keep data
- Customer Content (uploads & outputs): 30 days from upload, deletable on demand.
- Account data: for the life of the account, then 6 years for tax records (UK Finance Act).
- Invoices & tax records: 6 years.
- Support correspondence: up to 24 months.
- Server & security logs: 18 months.
7. Cookies
Essential cookies are used for sign-in and security. We use Plausible Analytics, which does not set tracking cookies and does not require consent under UK PECR; we still surface a banner so you can opt out of analytics altogether. We do not use advertising cookies, social-media trackers or fingerprinting.
8. Your rights (UK GDPR)
You have the right to:
- access your personal data (Art. 15);
- correct inaccurate data (Art. 16);
- have your data erased where applicable (Art. 17);
- restrict or object to processing (Art. 18, 21);
- data portability (Art. 20);
- not be subject to solely automated decisions producing legal effects (Art. 22) — we do not make such decisions;
- withdraw consent where processing is based on consent;
- complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
To exercise any right, email privacy@mccallumdraughting.com. We will respond within one month.
9. Children
DraughtAI is a B2B engineering tool and is not directed at children under 18. We do not knowingly collect personal data from children.
10. Security
We protect data in transit with TLS 1.3 and at rest with AES-256. Access to production systems is limited to named personnel and protected by hardware-key two-factor authentication. We carry out internal access audits quarterly and engage independent penetration testing annually.
11. Marketing & opt-out
We send transactional and security email to all customers. Marketing email is sent only where you have opted in (or under PECR's "soft opt-in" for existing customers); every marketing email contains a one-click unsubscribe link.
12. Changes to this policy
We will publish material updates on this page at least 30 days before they take effect, and notify customers by email.
13. Contact
Questions or rights requests: privacy@mccallumdraughting.com · Brian McCallum Draughting Ltd, 9 Mount Annan Court, Bishopbriggs, Glasgow G64 2FA, Scotland.