Privacy Policy

Last updated: March 18, 2026

This Privacy Policy explains how Drawn ("the Service"), operated by TUMULT Marek Nalikowski, collects, uses, and protects your data when you use drawn.dev.


1. Who I Am

Data Controller: TUMULT Marek Nalikowski 📧 mnalikowski89@gmail.com

If you have any questions about this policy or wish to exercise your rights, please contact me at the email above.


2. What Data I Collect

a) Data you submit

When you use Drawn to generate a diagram, you may submit text, files, or images. I do not store this content. It is transmitted directly to OpenAI's API to generate your result and is not retained on my servers. OpenAI retains API inputs for a maximum of 30 days for safety purposes, after which they are deleted. OpenAI does not use API inputs to train its models.

b) Analytics and session recording

With your consent, I use PostHog to collect anonymised analytics data and session recordings. This may include:

  • Pages visited and interactions within the app
  • Browser type, device type, and approximate location (country/region level)
  • A session recording of your on-screen activity within drawn.dev

This data helps me understand how people use Drawn and improve the experience.

c) Technical data

My hosting infrastructure (bunny.net) may process your IP address and standard HTTP request data as a technical necessity of serving the application. This is not used for profiling or marketing.


3. Cookies

I use cookies and similar tracking technologies solely for analytics purposes (PostHog). I do not use advertising cookies or share data with ad networks.

When you first visit drawn.dev, you will be asked for your consent to analytics cookies. You can withdraw consent at any time by clicking the "Cookie Settings" link in the footer.

Cookie | Purpose | Provider | Duration
ph_* | Analytics & session replay | PostHog | 1 year

4. Legal Basis for Processing

Data | Legal Basis
Submitted inputs (text, files, images) | Contractual necessity — required to deliver the diagram generation service you requested
Analytics & session recording | Consent — only collected if you accept cookies
Technical/infrastructure data | Legitimate interests — necessary to securely serve the application

5. Data Processors (Sub-processors)

I share data with the following trusted third parties, each bound by a Data Processing Agreement:

Processor | Role | Location | Privacy Info
OpenAI | AI diagram generation | USA (SCCs apply) | openai.com/policies/privacy
PostHog | Analytics & session replay | EU / USA | posthog.com/privacy
bunny.net | Hosting & content delivery | EU | bunny.net/privacy

I do not sell your data to any third party.


6. International Transfers

OpenAI is based in the United States. Data transferred to OpenAI is protected by Standard Contractual Clauses (SCCs) as provided under OpenAI's DPA, ensuring an adequate level of data protection in line with GDPR requirements.


7. Data Retention

  • Submitted inputs: Not stored by me. Retained by OpenAI for up to 30 days per their API data policy.
  • Analytics data: Retained by PostHog for up to 1 year, or until you withdraw consent.
  • Infrastructure logs: Retained by bunny.net per their standard data retention policy.

8. Your Rights

Under the GDPR, you have the following rights:

  • Access — request a copy of the data I hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request that I limit how I process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, for cookie-based processing

To exercise any of these rights, contact me at mnalikowski89@gmail.com. I'll respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl


9. Security

I take reasonable technical and organisational measures to protect your data. Inputs submitted to Drawn are transmitted over encrypted HTTPS connections. I don't store sensitive user content on my infrastructure.


10. Children

Drawn is not directed at children under the age of 16. I don't knowingly collect data from children. If you believe a child has submitted data through the Service, please contact me and I will take appropriate action.


11. Changes to This Policy

I may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For significant changes, I'll make reasonable efforts to notify users.


Drawn is a product by TUMULT Marek Nalikowski, operated independently and hosted on bunny.net infrastructure.