This Privacy Notice explains how Super Nova Research Inc., operating under the brand Draft&Goal (“Draft&Goal,” “we,” “us,” or “our”), accesses, collects, stores, uses, discloses, transfers, and otherwise processes personal information. Draft&Goal is a business-to-business software-as-a-service platform that enables organizations to design, deploy, and orchestrate AI agents and AI-powered workflows for content, marketing, SEO, search intelligence, data analysis, and business automation.
Scope
This Notice applies to our website at https://dng.ai and related websites that link to this Notice; our software-as-a-service platform, applications, integrations, APIs, and related products (the “Platform”); and our sales, marketing, events, support, and other related business activities. Together, these are referred to as the “Services.”
If you do not agree with this Notice, please do not use the Services. For privacy questions or requests, contact us at . A French-language version of this Notice is available at https://dng.ai/fr/legal/privacy-policy/. For Quebec residents, the French and English versions are equally authoritative; outside Quebec, the English version prevails unless applicable law requires otherwise.
Our roles: controller and processor
When we act as a controller, we determine the purposes and means of processing personal information for activities such as operating our website, managing accounts, administering billing, communicating with prospects and customers, running marketing and events, providing support, securing the Services, and managing our business. This Notice governs that processing.
When we act as a processor or service provider, enterprise customers use the Platform to process personal information of their own users, employees, contacts, customers, or other third parties (“Customer Data”), generally under the customer’s documented instructions. That processing is governed by the applicable customer agreement and any data processing agreement (“DPA”). If you are an end user of a customer deployment, please contact the customer directly.
Summary of key points
1. Information we collect
1.1 Information you provide directly
We may collect information you provide when you register, use the Platform, request information, book a demo, communicate with us, attend events, or otherwise interact with us, including: identifiers (name, username, email, phone, postal/billing address); account data (credentials, authentication data, user role, contact preferences); professional data (company, job title, employer, business contact information); billing data; communications data (support tickets, feedback, emails, call notes, surveys); event data; and Customer Data, prompts, instructions, workflow configurations, uploaded files, datasets, source materials, and generated outputs.
1.2 Information collected automatically
When you visit our website or use the Services, we may automatically collect IP address; device identifiers; browser type and version; operating system; language settings; approximate location derived from IP; referring and exit pages; pages viewed; features used; timestamps; workflow activity; error reports; diagnostic logs; and cookie and similar technology data.
1.3 Information from third parties
We may receive limited information from identity providers and single sign-on partners (such as Google and Microsoft); customers and workspace administrators; business partners and referral sources; public sources; B2B data enrichment and lead generation providers; analytics and advertising partners; SEO, search intelligence, marketing data, and enrichment providers such as SEMrush, DataForSEO, and similar services; and third-party integrations connected to the Services by you or your organization.
1.4 Customer Data
“Customer Data” means data, content, prompts, files, instructions, outputs, workflow configurations, datasets, and related materials submitted to, connected to, generated by, or processed through the Platform by or on behalf of a customer. Customer Data may include personal, confidential, regulated, or sensitive information depending on what customers and users choose to submit or connect. Customers are responsible for ensuring they have the required rights, permissions, notices, consents, and lawful basis.
1.5 Sensitive personal information
We do not intentionally request or require sensitive personal information for our own controller purposes. Because the Platform allows customers to process flexible workflows and connected data, Customer Data may contain sensitive information if customers choose to submit or connect it. Customers must not use the Platform to process sensitive or regulated information unless authorized, with appropriate safeguards, and as permitted by the applicable agreement and DPA.
1.6 Payment data
Draft&Goal primarily provides services through business contracts and invoicing. We may also use Stripe or other payment processors. Where Stripe is used, payment card details and security codes are collected and stored by Stripe, not by Draft&Goal. We receive limited payment and transaction information to manage billing, subscriptions, invoices, and accounting.
2. How we use personal information
To provide and operate the Services — create and manage accounts, authenticate users, configure workspaces, provide access, operate AI agents and workflows, connect integrations, process inputs and outputs, provide support, process billing, and deliver requested features.
To provide AI-powered features — using prompts, instructions, uploaded files, connected data, workflow configurations, Customer Data, generated outputs, and related metadata for workflow automation, content generation, retrieval-augmented generation, classification, routing, extraction, summarization, enrichment, image generation, and AI-powered insights.
To provide SEO, search intelligence, and marketing workflow features — processing domains, URLs, keywords, search queries and performance data, ranking data, page metadata, campaign and competitor data, and related workflow data.
To communicate with you, to improve, maintain, and secure the Services, for marketing, analytics, and advertising (including Google Analytics advertising features, Google Ads remarketing, Meta Pixel, LinkedIn Insight Tag, Mixpanel, HubSpot, Microsoft Clarity, where permitted by law and subject to consent), and for legal and business purposes including corporate transactions.
3. Legal bases for processing
Where applicable law requires a legal basis (including under the GDPR, UK GDPR, and Swiss FADP), we rely on one or more of the following:
| Purpose | Legal basis |
|---|---|
| Account creation and administration | Performance of a contract; legitimate interests |
| Providing the Services and requested features | Performance of a contract; legitimate interests |
| Processing Customer Data on behalf of customers | Customer instructions; performance of a contract; processor obligations |
| AI-powered features | Performance of a contract; legitimate interests; consent where required |
| Billing and payments | Performance of a contract; legal obligations |
| Security, fraud prevention, abuse monitoring | Legitimate interests; legal obligations |
| Product improvement and analytics | Legitimate interests; consent where required |
| Marketing communications | Consent or legitimate interests, depending on context |
| Cookies and targeted advertising | Consent where required; legitimate interests where permitted |
| Legal compliance and claims | Legal obligations; legitimate interests |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and freedoms of affected individuals. If we rely on consent, you may withdraw it at any time without affecting prior processing. For Canada and Quebec, we process based on express or implied consent, or where applicable law permits processing without consent.
5. Subprocessors
We engage subprocessors to help provide the Services. Subprocessors may process personal information only as necessary to provide services to us and subject to contractual data protection commitments. Where applicable, customers may receive notice of new subprocessors and may object in accordance with the applicable DPA or customer agreement. Our current subprocessor list is available at https://trustcenter.dng.ai or upon request.
6. International data transfers
We are based in Canada and may process personal information in Canada, the United States, the EEA, the United Kingdom, Switzerland, and other jurisdictions where we, our affiliates, service providers, or subprocessors operate. Where personal information is transferred to a jurisdiction without an adequate level of protection, we use appropriate safeguards where required, including data processing agreements, standard contractual clauses, the UK International Data Transfer Addendum, adequacy decisions, transfer impact assessments, and supplementary measures. Where Quebec privacy law applies, we assess privacy-related factors before communicating personal information outside Quebec.
8. AI products and AI service providers
The Platform enables customers to design, deploy, and operate AI agents and AI-powered workflows, which may involve processing inputs, prompts, instructions, uploaded files, connected data, Customer Data, workflow configurations, and generated outputs through AI models and infrastructure.
Depending on configuration and feature, inputs and outputs may be processed by AI service providers such as Anthropic; OpenAI; Google Cloud AI (Gemini, Vertex AI); Microsoft Azure AI (Azure OpenAI Service); Amazon Web Services (Bedrock); Mistral AI; and other AI infrastructure, model, or orchestration providers.
AI training commitments. We do not use Customer Data to train public or general-purpose AI models, and we require our AI service providers not to use Customer inputs and outputs to train their public or general-purpose foundation models unless expressly authorized. Where available, we use enterprise-tier API configurations, contractual data protection terms, and zero- or limited-retention settings.
AI output limitations. AI-generated outputs may be inaccurate, incomplete, biased, outdated, or misleading, and should not be relied upon as a substitute for professional advice. Customers and users are responsible for reviewing and validating outputs. We operate an AI Management System aligned with ISO/IEC 42001:2023, and conduct Data Protection Impact Assessments where processing is likely to result in high risk. Concerns about an AI output may be reported to .
9. Google API user data and limited use disclosure
If you or your organization authorize Draft&Goal to access Google APIs, we use Google user data only to provide, maintain, secure, and troubleshoot the Google-connected features you request. Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
| Google service | Data accessed | Purpose |
|---|---|---|
| Google Drive | File metadata, selected files, folders, document content, permissions | Retrieve, analyze, transform, generate, or manage content and workflows. |
| Gmail | Message metadata and content, recipients, senders, labels, attachments (where authorized) | Provide user-requested email features such as drafting, summarizing, classifying, routing. |
| Google Calendar | Event titles, descriptions, times, attendees, locations, metadata | Support scheduling, reminders, and calendar-based features. |
| Google Contacts | Names, emails, organizations, phone numbers, contact metadata | Help users select contacts and automate contact-related workflows. |
| Google Search Console | Site properties, search queries, pages, impressions, clicks, CTR, position | Analyze search performance and support SEO and reporting features. |
| BigQuery | Datasets, tables, schemas, metadata, query results | Analyze customer-authorized data and support reporting and automation. |
Google user data will not be sold; will not be used to serve advertisements; will not be used for marketing; will not be used to determine creditworthiness; will not be used to train public or general-purpose AI models; and will not be transferred except as necessary to provide user-facing features or as required by law. We do not allow human access to Google user data except with explicit authorization, for security/abuse investigation, to comply with law, to provide requested support, or where data is aggregated/anonymized. You may revoke access via https://myaccount.google.com/permissions or request deletion at .
10. Third-party authentication
The Services may allow users to register or log in using Google or Microsoft authentication. We may receive your name, email, profile information, and authentication tokens, subject to your settings and the permissions granted. We use this to authenticate users, secure accounts, provide the Services, and administer workspaces. We do not control how identity providers process your information.
11. Data retention
We retain personal information only as long as reasonably necessary to provide the Services, fulfill the purposes described, comply with legal, tax, accounting, security, and contractual obligations, resolve disputes, and maintain business records.
| Data category | Retention period |
|---|---|
| Account and workspace data | Duration of the account, plus 90 days after deletion (extendable for legal hold) |
| Customer Data | Deleted within 30 days of customer instruction or contract termination, subject to backup lifecycle |
| Authentication tokens | Until revoked by the user or the integration is disconnected |
| Billing, invoicing, and tax records | 7 years from the date of the transaction |
| Support tickets and correspondence | 3 years from last interaction |
| Marketing contact information | Until consent is withdrawn or 24 months of inactivity, whichever is earlier |
| Website analytics and cookie data | Up to 14 months, or as set in the cookie banner |
| Security, audit, and access logs | 12 months (longer where required for incident investigation or legal obligation) |
12. Security & incidents
We maintain technical and organizational measures designed to protect personal information, which may include encryption in transit and at rest, role-based access controls, multi-factor authentication, least-privilege access, logging and monitoring, vulnerability management, secure development practices, vendor security review, confidentiality obligations, training, incident response, and logical separation of customer environments. No method of transmission or storage is completely secure.
If we become aware of a security incident affecting personal information, we will investigate, mitigate, document, and notify affected customers, individuals, regulators, or other parties where required by law or contract. Where we process Customer Data as a processor, we will notify affected customers in accordance with the applicable DPA.
13. Children’s privacy
The Services are intended for business and professional users and are not directed to individuals under 18. We do not knowingly collect personal information from individuals under 18, and in particular not from children under 13 within the meaning of COPPA. If we learn we have collected such information, we will take reasonable steps to delete it. Contact with concerns.
14. Privacy rights
Depending on your location and applicable law, you may have rights to access, receive a copy of, correct, delete, restrict or object to processing of, withdraw consent for, and port your personal information, as well as to opt out of marketing, opt out of certain targeted advertising/sale/sharing/profiling, limit certain uses of sensitive information, appeal a refusal, and lodge a complaint with a regulator. To exercise rights, contact ; we may need to verify your identity.
EEA, UK, and Switzerland — rights to access, rectify, erase, restrict, object, withdraw consent, and request data portability, and to lodge a complaint with your local authority. Our EU representative under Article 27 GDPR is identified in the contact section.
Quebec residents — rights to be informed of purposes, access, correct, withdraw consent, request de-indexing, receive data in a structured format, and be informed of automated decisions. Our Person in Charge of the Protection of Personal Information is Vincent Terrasi (). You may complain to the Commission d’accès à l’information du Québec.
United States — depending on your state, rights to know/confirm, access, correct, delete, obtain a portable copy, opt out of targeted advertising, sale, or sharing, opt out of certain profiling, limit certain uses of sensitive information, and appeal. We do not sell or share personal information for monetary or other valuable consideration, and do not engage in “targeted advertising” or “cross-context behavioral advertising” as defined under U.S. state privacy laws.
15. Marketing communications and CASL
We send marketing communications only where permitted by applicable law, including Canada’s Anti-Spam Legislation, the GDPR and ePrivacy rules, and the CAN-SPAM Act. Marketing emails include our identity, contact information, and a functional unsubscribe mechanism. Unsubscribing from marketing does not stop service-related, transactional, billing, security, legal, or administrative communications.
16. Changes & deidentified information
We may create aggregated, anonymized, or deidentified information and use it for analytics, security, research, reporting, and product improvement, provided it does not reasonably identify an individual or customer. We do not use Google user data or Customer Data to train public or general-purpose AI models.
We may update this Notice from time to time. The updated version is indicated by an updated “Last updated” date. If we make material changes, we may notify you by posting a notice, sending a direct notification, or requesting renewed consent where required.
17. How to contact us
Super Nova Research Inc., doing business as Draft&Goal — 6795 rue Marconi, bureau 200, Montreal, Quebec H2S 3J9, Canada. Privacy Contact / Person in Charge of the Protection of Personal Information: Vincent Terrasi — .
EU Representative (Article 27 GDPR): Super Nova Research Inc. — EU Representative, Station F, 5 Parvis Alan Turing, 75013 Paris, France.
- Subprocessor list: https://trustcenter.dng.ai
- Data Processing Agreement: https://dng.ai/dpa
- Cookie Notice: https://dng.ai/cookie-policy/
- Terms of Service: https://dng.ai/terms-conditions/
- French version: https://dng.ai/fr/legal/privacy-policy/