Privacy Policy

Last updated: February 2026

1. Introduction

ValidDraft ("Service") is a product of Sotolis ("Company", "we", "our", or "us"). This Privacy Policy describes how we collect, use, process, share, retain, and protect your personal information and biometric data when you use our behavioral biometrics verification service at validdraft.com and app.validdraft.com.

This Privacy Policy applies to all users of the Service worldwide and is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), the Digital Personal Data Protection Act, 2023 (India) (DPDPA), and other applicable data protection laws. Where specific regulations grant you additional rights, those are detailed in dedicated sections below.

By using ValidDraft, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, you must not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account (via email and password registration or Google OAuth), we collect and store:

  • Email address (provided by you or from your Google account)
  • Display name (provided by you or from your Google account)
  • Profile avatar URL (from your Google account, if applicable)
  • Password (stored only as a securely hashed value; we never store plaintext passwords)
  • Social links (optionally added by you: Twitter, LinkedIn, GitHub, website)

For Google OAuth users, we do not receive or store your Google account password. Authentication is handled entirely by Google's OAuth 2.0 protocol. For email/password users, your password is hashed using bcrypt before storage and cannot be retrieved or viewed by anyone, including our staff.

2.2 Biometric Data

Biometric Data Notice

ValidDraft collects behavioral biometric data as defined under applicable biometric privacy laws, including BIPA (740 ILCS 14), Texas Business & Commerce Code §503.001, and Washington RCW 19.375. By using the Service, you provide informed, written consent to the collection, storage, and processing of this data as described below.

Silver Mode (Keystroke Biometrics)

During every writing session, we collect the following behavioral data:

  • Key press timing: Duration each key is held down (dwell time)
  • Inter-key intervals: Time between consecutive keystrokes (flight time)
  • Typing rhythm: Overall cadence, velocity, and flow patterns
  • Revision behavior: Backspace frequency, deletion patterns, and rewrite sequences
  • Pause analysis: Duration, frequency, and positioning of pauses during writing
  • Cursor entropy: Mouse/trackpad movement patterns, velocity, and click behavior
  • Paste detection: External paste events, paste ratios, and content origin tracking

This data is transmitted to our servers as compressed event logs. Raw event data is retained as part of the verification record for the duration specified by your subscription plan. Derived scores and analysis results are stored separately.

Gold Mode (Video Biometrics — Optional)

Gold mode requires your separate, explicit consent at the beginning of each session. With consent, we collect:

  • Facial presence: Verification that a human is physically present during writing
  • Eye gaze tracking: Direction of visual attention relative to the screen
  • Expression analysis: Natural facial movements indicating cognitive engagement
  • Liveness detection: Verification that the video feed is live and not pre-recorded

Video samples are transmitted to our servers for AI-based analysis. Video samples are permanently deleted after analysis is complete. Only the resulting numerical scores are retained. We do not perform facial recognition, identification, or create facial geometry templates that persist beyond the analysis session.

2.3 Content Data

Text content you write in the editor is submitted as part of the verification process. Your content is stored alongside the verification certificate for the retention period of your plan. Content may be made publicly accessible if you choose "public" visibility for your verification.

2.4 Technical & Usage Data

We automatically collect:

  • IP address (for security, rate limiting, and fraud prevention)
  • Browser type and version
  • Device type and operating system
  • Pages visited, features used, and timestamps
  • Referrer URL
  • Error logs and performance data

2.5 Payment Data

Payment processing is handled entirely by Dodo Payments. We do not receive, process, or store your credit card numbers, bank account details, or other financial instruments. We receive only: transaction confirmation, subscription status, invoice identifiers, and billing period dates.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following legal bases:

Processing ActivityLegal Basis
Account creation and managementPerformance of contract (Art. 6(1)(b))
Keystroke biometric analysisExplicit consent (Art. 9(2)(a))
Video biometric analysisExplicit consent (Art. 9(2)(a))
Payment processingPerformance of contract (Art. 6(1)(b))
Service improvement & analyticsLegitimate interest (Art. 6(1)(f))
Security & fraud preventionLegitimate interest (Art. 6(1)(f))
Legal complianceLegal obligation (Art. 6(1)(c))

4. How We Use Your Information

We use collected information for the following purposes:

  • Verification: Generate humanity scores, verification reports, and certificates
  • Service delivery: Manage your account, process subscriptions, allocate credits
  • Communication: Send transactional emails (verification results, billing confirmations, security alerts)
  • Improvement: Analyze aggregated, anonymized usage patterns to improve our algorithms and user experience
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Legal: Comply with applicable laws, respond to legal requests, and enforce our Terms

We do not:

  • Use your content or biometric data for advertising or marketing purposes
  • Sell, rent, or trade your personal data to third parties
  • Use your content to train general-purpose AI or machine learning models
  • Create persistent biometric identity profiles for tracking across sessions
  • Share individual verification results publicly without your explicit visibility choice

5. Data Retention

Data TypeRetention Period
Video/webcam samplesDeleted immediately after analysis (not stored)
Keystroke event logsBy plan: Free 7 days, Pro 90 days, Premium 2 years
Verification reports & scoresBy plan: Free 7 days, Pro 90 days, Premium 2 years
Written contentBy plan: Free 7 days, Pro 90 days, Premium 2 years
Account informationUntil account deletion + 30-day backup window
Payment records & invoices7 years (legal/tax compliance requirement)
Server access logs90 days
Anonymized analyticsIndefinitely (cannot be linked to individuals)

Premium plan data is retained for 2 years (730 days) from the date of verification. After this period, data is automatically purged. See our Terms of Service (Section 12) for our service discontinuation policy, including 90 days' advance notice and data export capabilities.

Automatic Deletion: Verification data past its retention period is automatically purged from our systems via scheduled processes. Purging includes deletion of content, event logs, scores, and certificates. You may request early deletion at any time through your account settings or by contacting us.

Backup Systems: Data may persist in encrypted backup systems for up to 30 days after deletion from production systems. Backups are automatically rotated and are not used for any purpose other than disaster recovery.

6. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only in the following limited circumstances:

6.1 Service Providers (Sub-Processors)

We use the following third-party service providers who process data on our behalf:

ProviderPurposeData Shared
Google (OAuth)AuthenticationOAuth tokens (we receive name, email, avatar)
Google (Gemini API)AI-assisted behavioral analysisWritten content, behavioral event logs, and video samples (Gold mode) for verification scoring. Data is processed per Google's API data usage policies and is not used by Google for model training.
Dodo PaymentsPayment processingEmail, subscription plan, payment method (handled by Dodo)
DigitalOceanCloud infrastructure & hostingAll data stored on encrypted servers (DigitalOcean Droplets & Spaces, data center regions: US/EU)
ip-api.comIP geolocation lookupIP address (used to determine country/region for regulatory compliance such as BIPA geo-restrictions). No personal data beyond IP is shared.

All sub-processors are contractually bound to process data only as instructed, maintain appropriate security measures, and delete data when no longer needed.

6.2 Legal Requirements

We may disclose your data if required to do so by law, or if we reasonably believe that disclosure is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect the rights, property, or safety of Sotolis, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues.

6.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your data may be transferred as part of the transaction. We will notify you via email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy. See our Terms of Service (Section 12) for our service discontinuation commitments.

7. International Data Transfers

ValidDraft is operated from India. If you are accessing the Service from outside India, please be aware that your data may be transferred to, stored, and processed in India or other countries where our service providers operate.

For users in the EEA, UK, or Switzerland: where we transfer personal data outside of your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. You may request a copy of the applicable safeguards by contacting us.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

8.1 Rights for All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated data
  • Export: Download your verification data in machine-readable format (JSON/PDF)
  • Opt-out of Gold mode: You are never required to use video biometrics; Silver mode is always available
  • Withdraw consent: Withdraw your consent for biometric data processing by ceasing use and deleting your account

8.2 Additional Rights for EEA/UK Users (GDPR)

  • Right to restrict processing: Request that we limit how we process your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to lodge a complaint: File a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, or BfDI in Germany)
  • Right not to be subject to automated decision-making: Our verification scores are generated algorithmically. You may request human review of any verification result by contacting us

8.3 Additional Rights for California Residents (CCPA/CPRA)

  • Right to know: Request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and third parties with whom data is shared
  • Right to delete: Request deletion of personal information, subject to legal exceptions
  • Right to opt-out of sale: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to correct: Request correction of inaccurate personal information
  • Right to limit use of sensitive personal information: Our use of biometric data is limited to providing the verification service

CCPA Categories Collected: Identifiers (email, name); biometric information (keystroke dynamics, video data); internet/electronic activity (usage logs); professional information (if provided). We collect these directly from you or your device when you use the Service.

8.4 Illinois Residents (BIPA)

Under the Illinois Biometric Information Privacy Act (740 ILCS 14):

  • We inform you in writing that biometric data is being collected and the purpose of collection (verification of human authorship)
  • We obtain your informed, written consent before collection (by accepting these terms and using the Service)
  • We publish this data retention policy, and biometric data is retained as specified in Section 5
  • We do not sell, lease, trade, or profit from your biometric data
  • We store, transmit, and protect biometric data using a standard of care no less than that used for other confidential information, including encryption at rest and in transit
  • We permanently destroy biometric data when the initial purpose for collecting it has been satisfied, or according to the plan-based retention schedule in Section 5 (Free: 7 days, Pro: 90 days, Premium: 2 years), or within 3 years of your last interaction with the Service, whichever comes first

8.5 Indian Users (DPDPA 2023)

Digital Personal Data Protection Act, 2023 (India)

Sotolis is a Data Fiduciary under the DPDPA 2023. As a Data Principal, you have the following rights with respect to your personal data processed by ValidDraft.

Under the Digital Personal Data Protection Act, 2023 (India):

  • Right to access (S.11(1)): You may request a summary of your personal data being processed and the processing activities undertaken
  • Right to correction and erasure (S.12): You may request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data no longer necessary for the stated purpose
  • Right to grievance redressal (S.13): You may raise a grievance with our Grievance Officer (see Section 15 below). If unsatisfied with our response, you may file a complaint with the Data Protection Board of India
  • Right to nominate (S.14): You may nominate another individual to exercise your data rights in the event of your death or incapacity
  • Consent withdrawal (S.6(6)): You may withdraw your consent at any time via your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal

Purpose of processing: Your personal data is processed solely for the purpose of providing the ValidDraft verification service, as described in Section 4 above. We will not process your data for any purpose beyond what has been communicated to you in this notice.

Cross-border transfers (S.16): Your data may be processed in India and in countries where our service providers operate. We will comply with any restrictions on cross-border data transfers that may be notified by the Central Government under Section 16 of the DPDPA.

Data Protection Board of India: If you are unsatisfied with our response to your grievance, you may file a complaint with the Data Protection Board of India as constituted under the DPDPA 2023.

8.6 How to Exercise Your Rights

To exercise any of these rights, you may:

  • Use the self-service options in your account settings (delete account, export data, manage visibility)
  • Email us at hello@sotolis.com

We will respond to verifiable requests within 30 days (or 45 days for complex requests, with notice). We may need to verify your identity before processing a request. We will not charge a fee for reasonable requests unless they are manifestly unfounded or excessive.

9. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher
  • Encryption at rest: All data stored in our databases is encrypted at rest
  • Access controls: Strict role-based access controls limit employee access to personal data on a need-to-know basis
  • API authentication: All API endpoints require authentication via secure tokens (Laravel Sanctum)
  • Webhook verification: All incoming payment webhooks are cryptographically verified before processing
  • Rate limiting: API rate limits protect against abuse and brute-force attacks
  • Secure infrastructure: Our servers are hosted in secure data centers with physical and network security controls

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users and relevant authorities in the event of a data breach in accordance with applicable law (within 72 hours for GDPR-covered breaches).

10. Automated Decision-Making

ValidDraft uses automated algorithms to generate humanity scores and verification results. These scores are produced by analyzing behavioral biometric patterns against our models and do not involve human reviewers by default.

Significance: Verification scores may be used by you or third parties (e.g., editors, educators, employers) to make decisions about content authenticity. We strongly recommend that verification scores are used as one factor among many and that important decisions include human review.

Your right to contest: Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. If you believe a verification score has led to such a decision, you may contact us at hello@sotolis.com to request human review of the verification.

11. Cookies & Tracking Technologies

We use cookies and similar technologies to provide and improve our Service:

Essential Cookies

Required for the Service to function. These include authentication tokens (stored in localStorage), session identifiers, and CSRF protection tokens. You cannot opt out of essential cookies while using the Service.

Analytics Cookies

Help us understand how visitors interact with our website. Analytics data is aggregated and anonymized. You can opt out of analytics cookies through your browser settings or the cookie consent banner.

Managing Cookies

You can manage your cookie preferences at any time by:

  • Adjusting your browser settings to block or delete cookies
  • Using our cookie consent banner when you first visit
  • Clearing browser storage to remove authentication tokens

Do Not Track: We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard protocol for DNT compliance. We will update this policy if a standard is adopted.

12. Children's Privacy

ValidDraft is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@sotolis.com. If we discover that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information within 30 days.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR)
  • We will notify the Data Protection Board of India and each affected Data Principal as required under Section 8(6) of the DPDPA 2023
  • We will notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Notification will include: the nature of the breach, the data affected, potential consequences, and measures taken or proposed to address the breach
  • We will also comply with any additional breach notification requirements under applicable state or national laws (e.g., CCPA, BIPA, IT Act 2000 S.43A)

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes that affect your rights or how we process your data, we will provide at least 15 days' advance notice via email or a prominent notice within the Service. Non-material changes will be reflected by updating the "Last updated" date.

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service and may request deletion of your data.

15. Contact Us

For privacy-related inquiries, data subject requests, or concerns about our data practices:

15.1 Company Information

Sotolis

Sole Proprietorship, India

Email: hello@sotolis.com

15.2 Grievance Officer (IT Rules 2021 / DPDPA 2023)

Grievance Officer

Email: deepika@sotolis.com

Response time: Acknowledgment within 24 hours, resolution within 15 days

Designated under Rule 4 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 8(10) of the Digital Personal Data Protection Act, 2023.

15.3 Contact Channels

Privacy inquiries: hello@sotolis.com

General support: hello@sotolis.com

Security issues: hello@sotolis.com

Legal: hello@sotolis.com

If you are in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. If you are in India, you may file a complaint with the Data Protection Board of India.