JGraph Privacy Policy

1.	  Privacy Statement: Introduction

    1.1	  JGraph Limited is a controller within the meaning of the Data Protection Act 2018 and the UK GDPR. Further details about us and how to contact us appear below.

    1.2	  This notice describes how we collect, store, transfer and use personal data. It tells you about your privacy rights and how the law protects you.

    1.3	  This Privacy Statement applies to personal data from you when you contact us and provide us with your personal data when you use:

        a.	our website at drawio.com;
        b.	our services made available by our online application named, “draw.io”, or our services made available through the Atlassian Confluence and Jira integrated applications named, “draw.io” (“the Application”);

    1.4	  Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website or the Application.


2	  How we process your Personal Data

    2.1	  Personal data is information that identifies you, either directly or indirectly. This includes your contact details and any information about you that you provide us.

    2.2   We do not process any personal data, with the exception of personal data that you enter into a diagram. If enter personal information into a diagram and perform an action we requires us to send that diagram to a server for process, your personal data is likely processed on that server.

    2.3	  When we process your personal data, we:
		a.	lawfully, fairly and in a transparent manner
		b.	collect it for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
		c.	limit our collection to what is adequate and relevant to what is necessary in relation to the purposes for which they are processed
		d.	take reasonable steps to keep it accurate and up to date having regard to the purposes for which they are processed
		e.	kept in a form where we can identify you for no longer than is necessary, for the purposes for which it is processed 
		f.	process it in a manner that ensures appropriate security of the personal data. this includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We use appropriate technical or organisational measures to do so.


3	  Personal Data Collected

    3.1	  The types of personal data we may collect from you when you visit our website or contact us is limited to the information you provide us. 

    3.2	  When you login and use the Application the following no personal data is collected.


4.	  Special Categories of Personal Data

    4.1	  The special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

    4.2	  We do not deliberately collect any special categories of personal data from you. 

    4.3	  We would prefer that you do not send it to us or make it known to us. 

    4.4	  Should we choose to do so, we may delete the entire communication and ask you to send it again absent the special categories of personal data. If for some reason we are not able to do so, we do not store it in any structured way and process it only:
		a.	where we have your explicit consent 
		b.	for employment purposes, including for job applications;
		c.	where the processing relates to personal data which you made public;
		d.	processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.


5.	  Not providing Personal Data

    5.1	  We need to know who we are communicating with. Should you choose not to provide us with your name, contact details or other details we may need, we will not be able to communicate with you.

    5.2	  This means that if:
		a.	you have something to ask us, we will not be able to respond to you;
		b.	you are enquiring about job roles we might have available, we will not be able to assess you for suitability;
		c.	if you have a contract with us, we will not be able to perform the contract, and we may need to terminate it. 


6.	  Keeping Personal Data up to Date

    6.1	  Please help us keep your personal data up to date and let us know when it changes.

    6.2	  At any time, you may contact us to request that we provide you with the personal data we hold about you.

    6.3	  At any time you may review or update personally identifiable information that we hold about you, by signing in to your account on our website.

    6.4	  To obtain a copy of any information that is not provided on our website you should contact us to make that request.


7.	  Sources of Personal Data

    7.1	  We primarily obtain personal data about you from you.

    7.2	  We may also obtain information about you from publicly available sources, such as websites where you have made the information public, Companies House, background check agencies, our business partners, and business directories and tax authorities.

    7.3	  We may also confirm information you provide to us directly using data from other sources. We also add to the information we hold about you, sometimes to remove the need for you to provide it to us and sometimes in order to be able to assess the quality of the services we supply you or you offer. The additional information we collect may be categorised as follows:
		a.	information that confirms your identity; 
		b.	business information, including your business trading name and address, your company number (if incorporated), and your VAT number (if registered); 
		c.	information which confirms your contact information; 
		d.	reviews and feedback about your business on other websites through which you sell your services; and
		e.	unsolicited complaints by our clientele.

    7.4	  We store information you provide us, and we reserve a right to use it in the future in any way we decide.


8.	  How we use your personal data

    8.1	  We process your personal data for the following purposes, where we have a legal basis to do so:
		a.	to provide our services to you; 
		b.	receive payment for our services;
		c.	pay others for services they supplied to you; 
		d.	improve our services; and
		e.	assist others deliver their services to you.

    8.2	  Payment information: Payment information is never taken by us or transferred to us either through our website or otherwise. Our employees and contractors never have access to it.  At the point of payment, you are transferred to a secure page on the website of Stripe or some other reputable payment service provider. That page may be branded to look like a page on our website, but it is not controlled by us.

    8.3	  We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms: 
		a.	you are able to opt out at any time;
		b.	depersonalise advertising on our site which is presented to you;

    8.4	  We may use your Contact Details, Technical and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). 

  
    8.5	You will not receive marketing communications from us.

    8.6	We will not share your personal data with any company for marketing purposes.

    8.7	Should we ever change this policy so that we may send you marketing communication, you will be able to ask us to stop sending you marketing messages at any time by emailing us AND/OR logging into our website checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.
    
    8.8	  Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

    8.9	  We use your personal data for the following reasons:
		a.	You have given us your consent in writing for the purposes for which you provided your personal data; 
		b.	We need to take steps to form a contract with you and perform a contract with you;  
		c.	We need to comply with a legal obligation other than with you; and/or
		d.	we or someone else has a legitimate interest other than where your interests or fundamental rights and freedoms would be overridden.

    8.10   We believe we have legitimate interests to process your personal data to:
		a.	improve our services;
		b.	process data of which you are the controller at your request using the Application;
		c.	record-keeping for the proper and necessary administration of our business;
		d.	responding to unsolicited communications from you to which we believe you would expect a response;
		e.	insuring against or obtaining professional advice that is required to manage legal, business and/or organisational risk; 
		f.	protecting your interests where we believe we have a duty to do so;
		g.	meet our legal and statutory obligations to you and others;
		h.	prevent, detect and investigate fraud, corruption and misconduct by you and/or others;
		i.	conduct and operate our business in the digital age in an online environment;
		j.	understand the needs, requirements and preferences of potential customers, and those that use our services; 
		k.	conduct marketing activities, including sending email correspondence; 
		l.	comply with health and safety obligations and monitor our performance against equal opportunities legislation; and
		m.	ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

    8.11   We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

    8.12   Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


9.	  Data Sharing

    9.1	  We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

    9.2	  We limit access to your personal information to those employees, agents, contractors and other third parties who need to know. They will only process your personal information on our instructions. They are subject to a duty of confidentiality.

    9.3	  We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

    9.4	  We may have cause to share your personal information with our service providers, such as:
		a.	telecommunications providers, including telephone, instant messaging, post and couriers;
		b.	accountants; 
		c.	computer systems service providers, including IT security personnel;
		d.	solicitors; 
		e.	advertisers;
		f.	regulatory authorities, such as the Information Commissioner and taxation authorities.

    9.5	  We only permit them to process your personal data for specified purposes and in accordance with our instructions, where we have a legitimate interest in doing so.


10.	  Data Storage 

    10.1  We do not store or transmit your personal data outside of UK. Bear in mind that controllers which use our services (where we are their processor), may choose to do so. Please consult their Privacy Statements for more information.


11.	   Data Security

    11.1   We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. As stated at paragraph 9, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

    11.2   We store all information that you provide to us on secure servers.

    11.3   We train employees regarding our data privacy policies and procedures, and permit authorised employees and staff to access information on a need to know basis, as required for their role. We use firewalls designed to protect against intruders, test for network vulnerabilities and use encryption for data at rest and data in transmission. However, no method of transmission over the internet or method of electronic storage is completely secure.

    11.4   Where you have a password which enables you to use our services, you are responsible for keeping this password complex, secure, and confidential.

    11.5 All our software is designed and reviewed, through code reviews, to check that personal information, other than that contained within diagrams, is never sent to our servers. Where diagram data is sent to servers for temporary processing, that will be documented publicly.



12.	   Retention of your Data

    12.1   We will only retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    12.2   To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    12.3   By law we have to keep basic information about our customers (including your contact, identity, financial and transaction data) for six years after they cease being customers for tax purposes.

    12.4   We keep your personal data only for as long as required by us:
		a.	to provide you with the services you have requested;
		b.	to comply with other law, including for the period demanded by our tax authorities; and/or
		c.	to support a claim or defence in court.

    12.5   In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal information in accordance with applicable laws and regulations. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy.


13.	   Rights of access, correction, erasure, and restriction

    13.1   You have a series of rights under the UK GDPR.

    13.2   Not all apply in all circumstances. Under certain circumstances, you have the right to:

		a.	Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it; 
		b.	Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected; 
		c.	Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below); 
		d.	Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes; 
		e.	Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
		f.	Request the transfer of your personal information to another party.
		
    13.3   If you would like to exercise any of these rights, please contact us using the details below. We will need to verify your identity before we are able to release any personal data to you. This is important to safeguard your information.

    13.4   Please be aware that we are not obliged by law to provide you with all personal data we hold about you, and that if we do provide you with information, the law allows us to charge for such provision if doing so incurs costs for us. After receiving your request, we will tell you when we expect to provide you with the information, and whether we require any fee for providing it to you.

    13.5   If you wish us to remove personally identifiable information from our website, you should contact us to make your request.

    13.6   We remind you that we are not obliged by law to delete your personal data or to stop processing it simply because you do not consent to us doing so. While having your consent is an important consideration as to whether to process it, if there is another legitimate basis on which we may process it, we may do so on that basis.


14.	   Complaints 

    14.1   If you are dissatisfied with the way we process your personal data, you have the right to complain to the Information Commissioner’s Office.

    14.2   The Information Commissioner may be contacted at:

		a.	https://ico.org.uk/; 
		b.	T: 0303 123 1113;
		c.	Live Chat: https://ico.org.uk/global/contact-us/live-chat.

    14.3   We would prefer to try and resolve any difficulties between us and make them right before you approach the ICO. Please consider contacting us in the first instance.


15.	   Withdrawal of Consent

    15.1   Where you may have provided your consent for us to process your personal data and/or transfer your personal data for a specific purpose, you can withdraw it at any time.

    15.2   To withdraw your consent, please contact us using the details below. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Please see above.


16.	   Changes to this Privacy Statement

    16.1   We may need to change this Privacy Statement from time to time. You are able to identify when this Privacy Statement was changed by the date which appears at the bottom of it.

    16.2   Amendments are updated on this page, to the email address stated in your account and/or through a notice on our home page. Your continued use of this site and the resources enabled by our services signifies your consent to such processing and of the conditions set out in the Privacy Statement.

17.	   About Us

    17.1   JGraph Limited is a company formed in England and Wales with registered company number 0405 1179 and registered offices at Artisans' House, 7 Queensbridge, Northampton, Northamptonshire, NN4 7BF.

    17.2   diagrams.net is a trademark and draw.io is a registered trademark of JGraph Limited. JGraph Limited develops and owns the software, runs the diagrams.net and draw.io sites and owns the diagrams.net and draw.io brands.

    17.3   We have appointed a data protection officer who is responsible for ensuring that our Privacy Statement is followed. If you have any questions about how we process your personal data, including any requests to exercise your legal rights, please contact us at [email protected].

v2.1 2023.08.30