Privacy Policy
Introduction
Tsumugiya Inc. ("Company", "we", "us", or "our") operates DrillSpark ("Service"). This Privacy Policy explains how we collect, use, and protect your personal information.
This Policy applies to all users worldwide. Additional provisions for users in specific regions (EU/UK, California) are provided in dedicated sections below.
Information We Collect
We collect the following categories of information:
Account Information
Email address, name (via Google account), user ID
Usage Information
Flowcharts created, project data, AI prompts and generated content, feature usage patterns
Payment Information
Payment history, subscription status (credit card details are processed by Stripe, not stored by us)
Technical Information
IP address, browser type, device information, operating system, access timestamps
Location Information
Approximate location from IP address (country/region level only)
How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Contract |
| User authentication and account management | Contract |
| Billing and subscription management | Contract |
| AI credit management and fraud prevention | Legitimate interest |
| Customer support | Contract / Legitimate interest |
| Usage analysis and service improvement | Legitimate interest |
| Security monitoring | Legitimate interest |
| Service announcements | Contract |
| Marketing (optional) | Consent |
AI Features and Your Data
We do NOT use your content to train AI models. Your diagrams and data remain private and are not shared with AI providers for training purposes.
How AI Features Work
- Your prompts are sent to AI providers to generate responses in real-time
- We do not store AI conversation history beyond the current session
- AI-generated content becomes part of your project and receives the same protections
AI Providers
- Google Gemini: Data not used for training under API terms
- OpenAI: Data not used for training by default under API terms
Third-Party Services
We use the following services to provide the Service:
Supabase
Database and authentication infrastructure
Stripe
Payment processing (PCI-DSS compliant). Credit card details are stored only by Stripe.
Google Analytics
Usage analytics and conversion tracking
Microsoft Clarity
Session recording and heatmaps for UX improvement
Cloudflare
Security, CDN, and AI API gateway
Vercel
Web application hosting
International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including the United States and Japan. We ensure appropriate safeguards:
For EU/UK/Switzerland
- Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework (where applicable)
- UK International Data Transfer Agreement (where required)
Security Measures
All data is encrypted in transit (TLS) and at rest.
Cookies
We use cookies and similar technologies:
- Essential: Authentication, session management, security (cannot be disabled)
- Analytics: Google Analytics and Microsoft Clarity (can be opted out)
- Preferences: Your settings and preferences
Manage cookie preferences through your browser settings. Disabling essential cookies may prevent Service use.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account Information | Until deletion (immediate) |
| Project Data | Until deletion (immediate) |
| Payment History | Up to 7 years (legal requirement) |
| Access Logs | 90 days |
| AI Usage Logs | 90 days |
Your Rights
Depending on your location, you may have these rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion (subject to legal requirements)
- Portability: Receive your data in a structured format
- Restrict Processing: Limit processing in certain circumstances
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time
To Exercise Your Rights: Contact smart.lab.heaven@gmail.com. We respond within 30 days.
For EU/UK/Switzerland Users (GDPR)
Data Controller
Tsumugiya Inc. is the data controller. Contact: smart.lab.heaven@gmail.com
Legal Basis
We process data based on: contract performance, legitimate interests, legal obligations, or your consent.
Right to Complain
You may lodge a complaint with your local Data Protection Authority.
Automated Decisions
We do not use automated decision-making that produces legal effects.
For California Residents (CCPA/CPRA)
We Do Not Sell or Share Your Data
DrillSpark does not "sell" or "share" your personal information as defined under CCPA/CPRA.
Your California Rights
- Know: What personal information we collect and how it's used
- Delete: Request deletion of your data
- Correct: Fix inaccurate information
- Non-Discrimination: No penalty for exercising rights
Categories Collected
- Identifiers (email, name, user ID, IP address)
- Commercial information (payment history)
- Internet activity (usage data)
- Geolocation (approximate, from IP)
Security
We implement appropriate measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest
- Access controls and authentication
- Security monitoring and logging
- Secure development practices
- Incident response procedures
No system is 100% secure. We commit to promptly addressing any security incidents.
Children's Privacy
The Service is not for children under 16. We do not knowingly collect information from children. If you believe we have, please contact us immediately.
Changes to This Policy
We may update this Policy from time to time. For significant changes, we will generally notify you in advance through the Service or email. However, in urgent circumstances (such as security issues or legal requirements), changes may take effect immediately without prior notice.
Contact Us
For privacy inquiries or to exercise your rights:
Tsumugiya Inc.
Email: smart.lab.heaven@gmail.com
Response time: Within 30 days
Effective Date: February 7, 2026
Last Updated: February 7, 2026