CorriDraw CorriDraw
Legal Last updated · April 1, 2026

Privacy Policy

This policy explains what information CorriDraw collects when you sign in, draw, and collaborate, why we collect it, and the choices you have over it. We tried to write it in plain English instead of legalese — if anything is still unclear, write to us at privacy@corridraw.com and a real human will reply.

TL;DR
  • · We collect the minimum needed to run the product: your account, your diagrams, and basic usage telemetry.
  • · We do not sell your data, and we do not train AI models on the contents of your private boards.
  • · Diagrams marked end-to-end encrypted are decrypted only inside your browser — we cannot read them on the server.
  • · You can export, transfer, or delete your data at any time from Account → Privacy.

1. Who we are

“CorriDraw,” “we,” “us,” and “our” refer to the team operating the CorriDraw service at corridraw.com, headquartered in Bangkok, Thailand. We are the data controller for personal information collected through the service. You can always reach us at privacy@corridraw.com.

2. Information we collect

2.1 Information you give us directly

  • Account information. Email address, display name, password hash (we never see the plaintext password), and — if you sign in with Google or GitHub — the unique identifier the provider returns plus any avatar URL you have made public there.
  • Workspace and billing data. Workspace name, member list, plan tier, and, for paid plans, the billing details our payment processor needs (we never store full card numbers ourselves).
  • Diagram content. The shapes, text, comments, and attachments you create inside boards, plus the metadata we need to render them (titles, last-modified timestamps, version history).
  • Communications. If you email support, file feedback, or fill in the contact form, we keep that thread so we can answer you.

2.2 Information we collect automatically

  • Authentication and session data. A cryptographically signed session cookie, the IP address the request came from, and a fingerprint of your browser’s user agent — used to detect and stop session hijacking.
  • Service telemetry. Pages visited, features used, error reports (with stack traces but never the diagram contents), and anonymised performance timings. We aggregate this to find bugs and decide what to build next.
  • Cookies and similar technologies. Described in detail in our Cookie Policy.

3. How we use your information

We use what we collect to:

  • Operate the service: sign you in, save your diagrams, deliver real-time edits, send invitation emails, and handle billing.
  • Keep the service safe: detect spam, brute-force attempts, abuse, and breaches of our Terms of Service.
  • Improve the product: investigate crashes, prioritise features, and run small A/B experiments on UI changes.
  • Communicate with you: confirm sign-ups, answer support, and (if you opt in) send a monthly “what shipped” email. Marketing email always has a one-click unsubscribe.

We do not sell or rent your personal information, and we do not use the contents of your private diagrams to train machine-learning models. AI features (such as “clean up this sketch” or text-to-diagram) only run on the specific selection you trigger them on, and the inputs are not retained by our model providers beyond the request itself.

4. Legal bases (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:

  • Performance of a contract — for everything required to deliver the service you signed up for.
  • Legitimate interests — for security monitoring, fraud prevention, and product analytics, balanced against your rights and freedoms.
  • Consent — for optional analytics and marketing email; you can withdraw consent at any time.
  • Legal obligation — for tax, accounting, and responding to lawful requests from authorities.

5. Sharing and sub-processors

We share information only with vendors that help us run the service, and only what each one needs:

  • Cloud hosting. Compute, database, and object storage providers in Singapore and Frankfurt regions.
  • Email delivery. Transactional email (sign-up confirmations, invitations, password resets) is sent through a third-party email provider.
  • Payments. Card processing for paid plans is handled by an external PCI-DSS Level 1 provider; we receive only the last four digits and the country of issue.
  • Analytics. Aggregated usage analytics through privacy-respecting providers (Simple Analytics by default; Google Analytics only if you opt in).
  • Customer support tooling. A third-party helpdesk that stores the email threads you send us.

A current sub-processor list is available at privacy@corridraw.com on request, and Enterprise customers receive 30 days’ notice of any new sub-processor before it is added.

6. International transfers

Our infrastructure runs in Singapore and Frankfurt. If you access the service from elsewhere, your data will travel to one of those regions. For transfers out of the EEA, the UK, or Switzerland we use the European Commission’s Standard Contractual Clauses (and the UK addendum where required) and, where appropriate, additional technical measures such as encryption in transit and at rest.

7. How long we keep things

  • Account data: for the lifetime of the account, plus 30 days after deletion to allow recovery from accidental deletion.
  • Diagrams and version history: as long as the workspace exists; permanently deleted boards are purged within 30 days.
  • Backups: rolling 35-day window, after which they are overwritten.
  • Security and access logs: 90 days.
  • Billing records: 7 years to satisfy tax law.

8. Your rights

Depending on where you live, you have the right to:

  • Access a copy of the personal information we hold about you.
  • Correct anything that is inaccurate.
  • Delete your account and the personal data tied to it.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw any consent you previously gave.

Most of these you can exercise yourself from Account → Privacy. For anything that needs a human in the loop, email privacy@corridraw.com — we respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.

9. Security

We take security seriously and back it up with: encryption in transit (TLS 1.2+) and at rest, hashed passwords with a modern KDF, hardware-backed key storage for our signing keys, mandatory two-factor authentication for all CorriDraw staff, least-privilege access controls, automated dependency scanning, and an annual third-party penetration test. End-to-end encrypted boards add a second layer: the contents are encrypted in your browser before they ever reach our servers, and we cannot read them.

Found a vulnerability? Please disclose it responsibly to security@corridraw.com. We acknowledge within one business day and credit researchers in our hall-of-fame.

10. Children

CorriDraw is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete the account.

11. Changes to this policy

When we make material changes, we email account holders at least 14 days before the change takes effect and post a banner in the app. The previous version stays available so you can see what changed.

12. Contact

Privacy questions: privacy@corridraw.com
Security disclosures: security@corridraw.com
Postal: CorriDraw, Bangkok, Thailand — full address available on request.