Privacy Policy
Last updated: June 2026
1. Introduction
At Drall, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using Drall, you agree to the collection and use of information in accordance with this policy.
The controller responsible for data processing is:
TNT Ventures GmbH
Venloer Str. 240, 50823 Köln, Deutschland
Email: hello@tntventures.de
2. Data We Collect
2.1 Account Data
When you create an account, we collect your email address and firm information. This data is necessary for contract performance (Art. 6(1)(b) GDPR).
2.2 Engagement Data
Data you provide during consulting engagements — business descriptions, documents, feedback, and chat messages — is processed to deliver our services. This data is stored in our database hosted in the EU (Frankfurt).
2.3 AI Processing
Your engagement data is processed by AI language models (OpenAI, Anthropic, and Google) to generate analysis, deliverables, images, and recommendations. These providers have Data Processing Agreements (DPAs) in place and do not use data submitted via API access for training purposes.
2.4 Usage Data
We automatically collect information about your interaction with the Service: engagement progress, document uploads, agent invocations, and timestamps of activities.
2.5 Connected Microsoft 365 Data (SharePoint & OneDrive)
If your organization connects Drall to Microsoft 365, an administrator grants Drall consent to access your tenant via the Microsoft Graph API. Within the scope of that consent, and limited to the sites, folders, and files you choose to import, we process:
- File content — document text is read to generate searchable AI embeddings (see Section 11).
- File metadata — names, types, sizes, timestamps, and web URLs.
- Permissions / access control lists (ACLs) — to mirror and enforce your native SharePoint/OneDrive access rights inside Drall.
- Directory data — user and group identifiers used to match those permissions to Drall users.
- Connection credentials — OAuth tokens and the app client secret, stored encrypted (AES-256-GCM).
Imported items are stored by reference: we keep metadata, ACLs, and derived embeddings, but we do not store copies of the original file bytes — these are fetched on demand from Microsoft Graph when needed and are not retained. Document text is sent to our embedding sub-processor (OpenAI) solely to create vector embeddings. This processing is necessary to perform our contract with your organization (Art. 6(1)(b) GDPR); your organization is the controller of the imported source data and Drall acts as its processor.
3. How We Use Your Information
3.1 Performance of Contract
- To provide and maintain the consulting workbench
- To process your documents and generate deliverables
- To track engagement progress and phase executions
- To provide AI-powered analysis and recommendations
3.2 Legitimate Interests
- To improve our service and develop new features
- To analyze usage patterns and optimize the experience
- To prevent fraud and ensure platform security
4. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting | EU / US |
| Microsoft | Microsoft 365 / Graph integration — access to connected SharePoint & OneDrive (only when enabled by your firm) | EU / customer tenant region |
| OpenAI | AI language model, image processing, and document embeddings | US (DPA in place) |
| Anthropic | AI language model processing | US (DPA in place) |
| Google | AI language model processing (Gemini); Google Analytics website/usage statistics (only with your consent) | US (DPA / SCCs and EU–US Data Privacy Framework in place) |
| Tavily | Web search for research workflows | US (DPA in place) |
| LangSmith | AI observability and debugging | US (DPA in place) |
| Resend | Transactional and invitation emails | US (DPA in place) |
Business customers acting as controllers can review and download our Data Processing Agreement (DPA), which includes the current sub-processor list (Annex III) and our technical and organizational measures (Annex II).
5. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers are located. When we transfer personal data from the EEA to other countries, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Technical and organizational security measures
6. Data Security
We implement appropriate technical and organizational security measures:
- Encryption in transit (HTTPS/TLS) and at rest
- Secure authentication via Supabase Auth with password hashing
- Row-level security policies in our database
- Role-based access control (firm roles and client roles)
- Rate limiting to prevent abuse
- Input validation and sanitization
7. Your Rights (GDPR)
If you are a resident of the EEA, UK, or Switzerland, you have the following rights:
- Access — request copies of your personal data (Art. 15 GDPR)
- Rectification — request correction of inaccurate data (Art. 16 GDPR)
- Erasure — "right to be forgotten" (Art. 17 GDPR)
- Restrict processing — limit how we use your data (Art. 18 GDPR)
- Data portability — receive your data in a structured format (Art. 20 GDPR)
- Object — object to processing for certain purposes (Art. 21 GDPR)
- Withdraw consent — where we rely on consent, withdraw at any time
- Lodge a complaint — file a complaint with your local data protection authority
To exercise these rights, use the account settings in the application or email hello@drall.ai. We will respond within 30 days as required by GDPR.
8. Data Export and Deletion
You can export all your data at any time via Settings → Export Data. You can delete your account and all associated data via Settings → Delete Account. Deletion is cascading and permanent.
9. Cookies and Analytics
We use strictly necessary cookies for authentication and session management (Supabase auth cookies), which are required for the Service to function and are exempt from consent under ePrivacy rules.
Subject to your consent, we also use Google Analytics 4 to understand how visitors and users interact with the Service. IP addresses are anonymized, and no advertising or personalization features are enabled. Analytics cookies are set only after you accept them via our cookie consent banner (Art. 6(1)(a) GDPR); if you decline or have not yet made a choice, no analytics cookies are set and no data is sent to Google. You can withdraw consent at any time by clearing your browser's local storage. We use no advertising cookies.
10. Data Retention
- Account Data — retained while your account is active
- Engagement Data — retained while your account is active
- Documents — retained until deleted by the user or upon account deletion
- Audit Logs — retained while your account is active and deleted together with your account
When you delete your account, your data is erased immediately and permanently from our production database in a single cascading operation; there is no grace period. Residual copies in routine encrypted backups are overwritten on the normal backup-rotation cycle. You may request earlier deletion of specific data by contacting us, subject to any mandatory legal retention requirements.
11. AI Processing Disclosure
We use artificial intelligence to power the consulting workflows. This includes:
- Document analysis and embedding generation, including text from connected Microsoft 365 sources
- Structured deliverable creation across engagement phases
- Quality review gate evaluation
- Web research and knowledge base matching
These automated processes are designed to augment professional consulting work. All AI-generated outputs should be reviewed by qualified professionals before use in business decisions.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and, for significant changes, sending an email notification. Changes are effective when posted on this page.
13. Contact
For privacy-related inquiries:
Email: hello@drall.ai
Company Information: View Imprint