This privacy policy describes how we treat personal information and data when you use the draw.io online web application.

Personal Information

When you use draw.io standalone (i.e. without an integrated cloud account), no personal information is requested, so there's nothing to send to us.

When you use draw.io integrated with Google Drive or Dropbox no information available from the account(s) you log into is sent to us at any point. If you install draw.io on a Google for Work account, Google do make the fact that you have installed draw.io on your account domain available to us via a programmatic API. At the time of writing we don't call this API to obtain this information, but if we ever did, the only information this would provide us is just that domain and this information would never be shared outside of JGraph Ltd. When installing draw.io on a personal Google or Dropbox account we are provided with no information regarding who has completed the installation.

This privacy policy contains no section on sharing of personal information, because we have none to share.

Server Logs

When your client browser communicates with our servers each request is logged as is the case by default with most web servers. The log contains details like the date/time of the request, the IP address of the sender, the user agent of the requesting browser, etc. This information is stored in a cyclical log where the oldest data is overwritten by current data continuously. The date difference between the oldest and newest entries at the time of writing is around 4 days. It is envisioned that this duration will be kept in this ballpark figure by enlarging the log size as the web site traffic increases. Once logged data is deleted it is permanently deleted.

Only engineering staff are permitted access to server logs to assist in resolving issues. No non-technical staff are permitted access, either directly or indirectly.

Data

draw.io is as fully a client-side application as is technically possible. In the cases of a storage selection of local filesystem, localStorage on browser, Google Drive or Dropbox, the data does not travel through our servers when saving and loading.

Of the remote storage options, only Google Drive provides an interface to change the permissions of a file from within the draw.io application. The sharing dialog provided is provided by and served from Google entirely. It's operation is subject to Google's privacy policy. We do not perform any calls programmatically to change sharing permissions on any of the remote storage options.

When creating raster and PDF exports the diagram data is sent, securely, to our image export servers and the result returned. All data is only ever held in memory, never written to disk. The data is cleared from memory after the export is completed and returned securely.

Application Errors

If an error condition occurs whilst using the application, the application may send an error report back to the servers. This report contains the program line and condition that occurred. Such reports contain no personal information or parts of your diagram data, nor do they contain any substantial information regarding your usage of the application.

Google Analytics

We use Google analytics because it draws us pretty pictures and tells us how many users we have. There is a URL parameter analytics=0, i.e. https://www.draw.io/?analytics=0, that disables Google Analytics.

You would be advised to refer to the privacy policy of Google to see what they do with the hits they receive from you to their domains. Rather than remove all external domains, if you are very concerned with privacy you would do better to install appropriate browser plugins that deal with tracking third-parties.

Disconnect is a useful browser plugin for blocking third-party sites on a page. If you decide to use draw.io with Google or Dropbox integration, you must allow Disconnect to access those services specifically for the draw.io domain.

Changes to Privacy Policy

JGraph Ltd may make changes to this privacy policy by giving 30 days notice of the changes on the www.jgraph.com website and on major social media accounts.

  • No labels