How Diagraff collects, uses, and protects your information.
Last updated: May 19, 2026
Note: This policy is a working draft for the hosted service at diagraff.com. It describes our current data practices but has not been reviewed by counsel. If you have specific compliance requirements (GDPR, CCPA, HIPAA), reach out at support@diagraff.com before relying on it.
Diagram content: the source text and metadata of diagrams you create, including folder structure and team membership.
AI prompts and outputs: the natural-language requests you submit to the AI diagram wizard and the generated diagrams, along with token-usage counts for tier enforcement.
API keys you store: if you bring your own AI model key (Anthropic, OpenAI, OpenRouter), it is stored encrypted with Fernet symmetric encryption. We never log or transmit your key in plaintext.
Payment metadata: if you subscribe to Pro, Stripe stores your card details; we receive only a customer ID, subscription status, and billing events.
Server logs: IP address, user agent, request paths, and response codes for security, abuse prevention, and debugging. Logs are rotated and retained for up to 30 days.
Audit log: create / read / update / delete / export actions on diagrams, with timestamps and IP, retained for the lifetime of your account.
How We Use It
To provide the diagram workspace itself (storage, rendering, sharing, export).
To enforce tier limits and prevent abuse (rate limits, usage caps).
To send transactional email (password resets, billing notifications, account changes). We do not send marketing email without opt-in.
To respond to support requests.
To improve reliability and security through aggregated, non-identifying log analysis.
Who We Share With
We share data only with these third parties, and only for the purposes listed:
Stripe — payment processing for Pro subscriptions. Stripe receives your card details directly; we never see them. See Stripe's privacy policy.
Your selected AI provider — when you use the AI wizard, your prompt is sent to the provider you have configured (Anthropic, OpenAI, or OpenRouter). If you bring your own key, the call is made on your behalf; if you use the server fallback, our key is used. See each provider's own privacy policy for how they handle prompts.
Hosting infrastructure — the service runs on a single Linux VPS; standard hosting providers operate the underlying hardware.
We do not sell your data. We do not share data with advertisers, brokers, or any third party other than those listed above.
Cookies and Tracking
Diagraff uses a small number of first-party cookies and similar storage. You can manage your preferences through the cookie banner shown on your first visit.
Essential (always on): authentication session cookie (Flask-Login), CSRF token, and your saved cookie-consent preferences. Without these, the site cannot keep you logged in.
Functional (opt-in): theme preference, panel sizes, and your last-open diagram path, stored in localStorage under diagraff_* keys. Disabling these means the UI resets to defaults on every visit.
Analytics (opt-in): we currently run no analytics integrations. If we add any later (Plausible, etc.), they will be gated behind this consent category.
Marketing (opt-in): we currently run no advertising integrations. This category is reserved.
We do not use third-party tracking cookies. We do not participate in any cross-site advertising network.
Data Retention
We keep your account and diagrams as long as the account is active. Inactive accounts may be archived after extended periods of inactivity with prior notice. When you delete your account, we delete your diagrams, settings, and stored API keys within 30 days. Audit log entries tied to your account may be retained longer for security and accounting purposes, in line with applicable law.
You can export all of your diagrams as SVG, PNG, or raw source at any time via the dashboard.
Your Rights
Subject to your jurisdiction, you have the right to:
Access and download your diagram content (the dashboard export covers this).
Correct your account information (display name, email, password) from the Settings page.
Delete your account, which removes your diagrams, settings, and BYOM keys within 30 days.
Request a copy of audit-log entries that reference your account.
Withdraw cookie consent at any time from the cookie preferences panel.
To exercise any right not covered by an in-app control, email support@diagraff.com.
Security
We apply standard hardening practices: passwords are bcrypt-hashed, BYOM keys are encrypted at rest with Fernet, sessions are HTTPS-only with HttpOnly and SameSite flags, the API requires Bearer tokens that are also bcrypt-hashed at rest, and rate limiting protects against brute force. We are a small operation; no security program is perfect. If you find a vulnerability, contact us before disclosure.
Children's Privacy
Diagraff is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If we learn we have, we delete the account.
International Users
The service is hosted in the United States. By using Diagraff, you consent to the transfer and processing of your information in the US. If you are in the EU/EEA or UK and have GDPR rights to exercise, contact support@diagraff.com.
Changes to This Policy
We may update this policy as the service evolves. Material changes will be communicated through the service and where possible by email. The "Last updated" date at the top reflects the most recent revision.