When you use draw.io standalone (i.e. without an integrated cloud account), no personal information is requested, so there's nothing to send to us.
When you use draw.io integrated with Google Drive or Dropbox no information available from the account(s) you log into is sent to us at any point. If you install draw.io on a Google for Work account, Google do make the fact that you have installed draw.io on your account domain available to us via a programmatic API. At the time of writing we don't call this API to obtain this information, but if we ever did, the only information this would provide us is just that domain and this information would never be shared outside of JGraph Ltd. When installing draw.io on a personal Google or Dropbox account we are provided with no information regarding who has completed the installation.
When your client browser communicates with our servers each request is logged as is the case by default with most web servers. The log contains details like the date/time of the request, the IP address of the sender, the user agent of the requesting browser, etc. This information is stored in a cyclical log where the oldest data is overwritten by current data continuously. The date difference between the oldest and newest entries at the time of writing is around 4 days. It is envisioned that this duration will be kept in this ballpark figure by enlarging the log size as the web site traffic increases. Once logged data is deleted it is permanently deleted.
Only engineering staff are permitted access to server logs to assist in resolving issues. No non-technical staff are permitted access, either directly or indirectly.
draw.io is as fully a client-side application as is technically possible. In the cases of a storage selection of local filesystem, localStorage on browser, Google Drive or Dropbox, the data does not travel through our servers when saving and loading.
When creating raster and PDF exports the diagram data is sent, securely, to our image export servers and the result returned. All data is only ever held in memory, never written to disk. The data is cleared from memory after the export is completed and returned securely.
If an error condition occurs whilst using the application, the application may send an error report back to the servers. This report contains the program line and condition that occurred. Such reports contain no personal information or parts of your diagram data, nor do they contain any substantial information regarding your usage of the application.
We use Google analytics because it draws us pretty pictures and tells us how many users we have. There is a URL parameter analytics=0, i.e. https://www.draw.io/?analytics=0, that disables Google Analytics.
Disconnect is a useful browser plugin for blocking third-party sites on a page. If you decide to use draw.io with Google or Dropbox integration, you must allow Disconnect to access those services specifically for the draw.io domain.