Privacy Policy

Last updated: March 18, 2026  ·  Applies to drewui.com and the DrewUI Prism desktop application

1. Who We Are

DrewUI ("we", "us", "our") operates the website at drewui.com and the DrewUI Prism desktop application for Windows. We are the data controller for personal data collected through these services.

If you have questions about this policy or wish to exercise your data rights, contact us using the details in Section 10.

2. Data We Collect

2.1 Account Data

When you create an account we collect:

  • Email address
  • Password (stored as a salted hash by Supabase — we never see it in plain text)
  • Account creation timestamp

2.2 Alpha Application Data

If you apply for alpha access we additionally collect:

  • First name and last name
  • Discord username
  • Content creation experience level
  • Games you create content for (selected from a list)
  • Optional social media profile URLs (TikTok, Instagram, YouTube, Twitch, other)
  • A free-text description of why you want to join the alpha

2.3 Pricing Survey Data

Alpha testers are invited to complete a pricing survey. Responses include:

  • Pricing expectations (numeric ranges in USD)
  • Preferred pricing model (subscription vs. one-time)
  • Free-text opinions about product capabilities and missing features

Survey responses are linked to your account via an internal user ID.

2.4 Discord Identity

If you choose to link your Discord account, we receive your Discord user ID via OAuth and store it in your profile to verify server membership and assign community roles.

2.5 Payment Data

Payment processing is handled entirely by Stripe. We do not store full card numbers or CVVs. We receive and store:

  • Your plan type (monthly / lifetime)
  • Subscription status and expiry date
  • Stripe customer ID and subscription/charge ID (for managing your billing)

2.6 App Usage Data

Important — desktop application monitoring: The DrewUI Prism desktop application communicates with our servers to validate your license. This involves:

  • Checking your subscription or alpha status when the application starts
  • Verifying your session token

We do not log exact timestamps of every open/close event for analytics purposes beyond what is necessary for license validation and support.

2.7 Technical Data

Like all web services, our servers and Supabase automatically receive standard HTTP request data including your IP address and browser user-agent. This data is used for security and abuse prevention and is not used for behavioural advertising.

3. Why We Collect It

| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email & password | Authentication and account management | Contract performance |
| Alpha application details | Evaluating and processing your application | Legitimate interest / Contract performance |
| Pricing survey responses | Informing product and pricing decisions | Legitimate interest (product research with your participation) |
| Discord ID | Community role assignment and server verification | Contract performance (community access benefit) |
| Payment & subscription data | Granting and managing software access | Contract performance |
| App license checks | Preventing unauthorised use | Legitimate interest |
| IP address / user-agent | Security, abuse prevention | Legitimate interest |

4. Third-Party Services

We share data with the following sub-processors. Each has its own privacy policy and applicable data processing agreements:

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & authentication | All account, profile, application, and survey data | United States (AWS) |
| Stripe | Payment processing | Email, payment details, subscription status | United States |
| Discord | OAuth & community roles | Discord OAuth token, Discord ID | United States |
| Resend | Transactional email delivery | Email address, email content | United States |
| Google Fonts | Web typography (Inter font) | IP address (sent to Google servers on page load) | United States / Global |

We do not sell your personal data to third parties. We do not use your data for behavioural advertising.

Cookies & Local Storage

We use browser localStorage (not traditional HTTP cookies) to store your authentication session and your privacy consent choice. These are strictly necessary for the service to function and do not track you across other websites.

Stripe and Google may set their own cookies when their resources are loaded. Refer to their respective privacy policies for details.

5. Data Retention

  • Account data — retained for as long as your account exists. Deleted within 30 days of a verified erasure request.
  • Alpha application data — retained for the duration of the alpha programme and up to 1 year thereafter for internal records.
  • Pricing survey data — retained indefinitely in anonymised/aggregated form. Identifiable responses deleted upon account erasure request.
  • Payment records — retained for 7 years to comply with financial record-keeping obligations.
  • Technical logs — typically retained for 30–90 days by our infrastructure providers.

6. International Transfers

DrewUI is operated from the United States. All third-party sub-processors listed above are also based in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data is transferred to the US under applicable transfer mechanisms (Standard Contractual Clauses or equivalent frameworks) maintained by each sub-processor.

7. Your Rights (GDPR / CCPA)

Depending on your location, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion of your account and personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests (e.g. research use).

Right to Withdraw Consent

Withdraw consent for any processing based on consent at any time.

To exercise any of these rights, email us at privacy@drewui.com. We will respond within 30 days. We may need to verify your identity before acting on a request.

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with your local data protection authority (for EEA residents) or the UK Information Commissioner's Office (for UK residents).

CCPA (California Residents)

California residents have additional rights under the California Consumer Privacy Act, including the right to know, delete, and opt out of sale of personal information. We do not sell personal information. To exercise CCPA rights, contact us at privacy@drewui.com.

8. Children's Privacy

DrewUI Prism is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of our services after changes constitutes acceptance of the updated policy.

10. Contact Us

Use the form below to submit a data rights request. You'll receive an automatic confirmation email, and we'll respond within 30 days.