Privacy Policy

Last updated: 10 June 2026

Who we are

Draw. is operated by Draw LLC, a company registered in the Sharjah Media City Free Zone (SHAMS), UAE ("we", "us", "Draw."). We are the data controller responsible for the personal data you provide when using this Service.

This Privacy Policy covers personal data only — information relating to an identified or identifiable living individual (for example a name, email address, phone number, online identifier, or location). It does not govern the business and company data you enter into Draw. — such as company names, trade licence numbers, company Tax Registration Numbers (TRNs), IBANs, logos, and company addresses. That information is your confidential business data and is handled under our Terms of Service, not this Privacy Policy.

Contact for privacy matters: [email protected]

What we collect

Personal data about you (the account holder)

  • Account info: name, email address, hashed password, subscription tier
  • Payment data: subscription billing is handled by Stripe. We receive only a tokenised reference plus billing name, email and amount — we never see or store full card numbers.
  • Usage data: server logs, IP addresses, error reports, and product analytics events (page views, feature interactions via Mixpanel). IP addresses and similar online identifiers are treated as personal data.
  • Support data: messages you send to our support team

Personal data about others, which you provide

When you enter the contact details of the individuals you invoice or deal with — their names, emails and phone numbers — that is personal data belonging to those people. For this data you are the controller and Draw. acts as your processor, handling it only to provide the Service to you. You are responsible for having a lawful basis to provide it to us.

Business data (not personal data)

The following is your confidential business and transaction data, governed by our Terms of Service rather than this Privacy Policy:

  • Business identifiers: business names, trade licence numbers, company Tax Registration Numbers (TRNs), IBANs, logos, company addresses
  • Transaction data: invoice and credit note line items, amounts, dates, payment records, generated PDFs and XML files (including PINT AE e-invoice XML)
  • Expense data: vendor names, amounts, receipts you upload for OCR scanning

Where you operate as a sole establishment, some business identifiers may also relate to you as an individual; to that extent they are treated as your personal data.

Legal basis for processing

We process your personal data on the lawful bases set out in UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL):

  • Contract performance: processing necessary to provide the Service you signed up for (generating invoices, sending emails, storing records, billing your subscription)
  • Legal obligation: retaining tax and financial records as required by UAE VAT law (Federal Decree-Law No. 8 of 2017) and FTA e-invoicing regulations
  • Protecting our interests as the establishment: security monitoring, fraud prevention, and safeguarding the integrity of the Service, to the extent permitted under the PDPL and where this does not prejudice your rights and freedoms
  • Consent: where we rely on your consent — for example product analytics and any marketing communications — you may withdraw it at any time without affecting processing already carried out

How we use it

  • To run the Service — generate invoices, send emails, store documents, process e-invoices
  • To provide support when you contact us
  • To bill you correctly for your subscription
  • To improve product reliability and security
  • To comply with legal obligations including UAE VAT record retention
  • To submit e-invoices to the UAE Federal Tax Authority via our accredited e-invoicing service provider, where you have enabled this feature

We do not sell your data, share it with advertisers, or use it to market to your customers.

Where your data is stored

Your data is stored on infrastructure hosted in AWS ap-northeast-1 (Tokyo) via Supabase. Application servers run on Vercel (Singapore region). All connections use TLS encryption in transit. Data at rest is encrypted.

When you use the e-invoicing feature, your invoice XML is transmitted to our e-invoicing service provider (Complyance.io) for relay to the UAE Federal Tax Authority GETS platform. This transmission is required by law.

Sub-processors

We use the following third-party sub-processors. Each receives only the minimum data necessary for their function.

For each provider: purpose, data shared, and location.

  • Supabase. Purpose: database, authentication, file storage. Data shared: all app data. Location: AWS Tokyo (ap-northeast-1)
  • Vercel. Purpose: application hosting and delivery. Data shared: request logs, IP addresses. Location: Singapore (sin1)
  • Stripe. Purpose: subscription billing and payment processing. Data shared: name, email, billing amount. Location: United States
  • Resend. Purpose: outbound transactional email (invoices, reminders, notifications). Data shared: recipient email address, email content. Location: United States
  • Complyance.io. Purpose: UAE FTA e-invoicing relay (GETS/PINT AE), only when the e-invoicing feature is enabled. Data shared: invoice XML including seller TRN, buyer TRN, line items, amounts. Location: UAE
  • Mixpanel. Purpose: product analytics (feature usage, error tracking). Data shared: anonymised user ID, page/feature events; no invoice content. Location: United States
  • Tesseract.js. Purpose: OCR for expense receipt scanning. Data shared: none; it runs entirely in your browser, and no image data is sent to us or any third party during scanning. Location: your device only

Each provider has its own privacy policy and data processing terms. We maintain Data Processing Agreements with providers where required.

Public share links

When you generate a share link for an invoice or credit note, that document becomes accessible to anyone with the URL — without requiring login. The link contains a 48-character cryptographically random token. You can revoke any share link at any time from the document detail page, after which the link immediately stops working.

How long we keep it

  • Account and business data: retained while your account is active, then deleted within 30 days of account deletion
  • Tax records (invoices, credit notes, expenses, audit log): retained for 7 years from the end of the relevant tax period, as required by UAE Federal Decree-Law No. 8 of 2017 on VAT and FTA administrative requirements — even if you delete your account
  • Support tickets: retained for 2 years
  • Analytics data: retained per Mixpanel's retention settings (typically 5 years)

Your rights

Under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL), you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data — you can edit most data directly in the app
  • Export your data (ledger CSV, individual PDFs and XMLs)
  • Delete your account and associated data (subject to tax retention obligations above)
  • Object to processing in the cases permitted under the PDPL
  • Withdraw consent where processing is consent-based

To exercise any right, email [email protected]. We will respond within 30 days.

Cookies

We use essential cookies for authentication and session management only. No tracking cookies, no advertising cookies. The beta access cookie (draw_beta_access) is used solely to verify invite-code access during the beta period.

Children

The Service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

International data transfers

Your data is processed outside the UAE: our primary database and application infrastructure are hosted in the Asia-Pacific region (see Where your data is stored), and some sub-processors (Stripe, Resend, Mixpanel) are based in the United States. Under Articles 22–23 of the PDPL, we make these transfers on the basis of binding contractual safeguards (Data Processing Agreements) that require each provider to protect your data to PDPL-equivalent standards, together with necessity for performance of the Service and, where applicable, your consent. We maintain a Data Processing Agreement with each provider that processes personal data on our behalf.

Changes to this policy

We may update this policy from time to time. Material changes will be notified by email at least 14 days before they take effect. The date at the top of this page shows when it was last updated.

Contact

Privacy questions or requests: [email protected]

Draw LLC, Sharjah Media City Free Zone (SHAMS), Sharjah, UAE