Detector Privacy Policy
Super Nova Research Inc., operating as Draft&Goal
Version 1.0 - Last updated July 16, 2026
This Privacy Policy explains how Super Nova Research Inc., doing business as Draft&Goal (“Draft&Goal,” “we,” “us,” or “our”), collects, uses, discloses, stores, transfers, and otherwise processes Personal Information in connection with Detector.
It applies to detector.dng.ai; related Detector applications, APIs, accounts, analysis and reporting features; and Detector sales, billing, marketing, support, and security activities (collectively, the “Services”). It should be read with our Cookie Policy and Terms of Service.
Scope and our roles
Our role depends on the context.
When we act as controller. We determine why and how Personal Information is processed when we operate the Detector website; manage accounts, subscriptions, payments, support, security, marketing, and business relationships; perform service analytics; and retrieve publicly accessible website information to provide requested analysis where we determine essential processing means.
When we act as processor or service provider. When an enterprise Customer submits content or instructs Detector to process Personal Information for the Customer’s purposes, we generally process that information on the Customer’s behalf under the customer agreement and DPA. The Customer is then the controller or business and should provide the relevant privacy notice. Individuals whose information was submitted by a Customer should normally direct requests to that Customer; we will assist as required.
If the role differs for a specific enterprise deployment, the Order Form or DPA will describe it.
Summary
| Topic | Summary |
|---|---|
| What we collect | Account, contact, billing, device, log, cookie, usage, support, Analysis Input, Public Website Data, and Output information. |
| Why we use it | To provide website and content analysis, generate reports, manage subscriptions, secure and improve Detector, communicate, and comply with law. |
| AI processing | Detector may use machine learning and AI to classify content and generate explanations or recommendations. |
| AI training | We do not use Customer Data to train public or general-purpose foundation models unless the Customer expressly authorizes it. |
| Public websites | At a user’s direction, Detector may retrieve content and technical signals available without authentication from submitted URLs or domains. |
| Sharing | We use service providers for hosting, payments, authentication, communications, analytics, security, and AI or analysis infrastructure. |
| Retention | Retention depends on the data and plan; Customer Data is deleted within 30 days after valid instruction or contract termination, subject to backups, legal holds, and stated exceptions. |
| Rights | Depending on location, individuals may have rights to access, correct, delete, port, restrict, object, withdraw consent, or complain to a regulator. |
| Contact | Vincent Terrasi, Privacy Contact / Person in Charge of the Protection of Personal Information - privacy@dng.ai. |
1. Personal Information We Collect
1.1 Information you provide
We may collect:
- name, username, email address, phone number, organization, job title, and business contact information;
- account credentials, authentication information, user role, language, region, and preferences;
- billing address, tax information, transaction history, invoice details, subscription, and credit usage; payment-card details are generally collected directly by our payment processor rather than stored by us;
- support requests, feedback, survey responses, complaints, and other communications;
- Analysis Inputs, including submitted or pasted text, uploaded documents or files, URLs, domains, sitemaps, instructions, and configurations;
- Output, including AI-detection scores, classifications, highlighted passages, explanations, recommendations, website-analysis findings, reports, edits, exports, and scan history; and
- information you provide when requesting a demo, attending an event, or otherwise interacting with us.
Please do not submit sensitive Personal Information, credentials, confidential third-party information, or regulated records unless you are authorized and the relevant Detector feature and agreement expressly support that processing.
1.2 Public Website Data
When a URL, domain, or sitemap is submitted, Detector may retrieve publicly accessible information such as:
- page text, titles, headings, links, images, and other content;
- metadata, structured data, canonical tags, sitemaps, and robots directives;
- accessibility, discoverability, performance, rendering, and technical indicators;
- search-related or AI-search-readiness signals; and
- publicly displayed names, roles, contact details, author information, or other Personal Information embedded in the website.
Detector is designed not to intentionally access password-protected resources or bypass authentication or technical access controls. Because public pages may contain Personal Information, users must have a lawful basis for requesting analysis and must not use Detector for unlawful profiling, surveillance, or data harvesting.
1.3 Information collected automatically
When you use the Services, we may automatically collect IP address, approximate location derived from IP, device and browser type, operating system, language, referring and exit pages, page views, timestamps, session and account identifiers, feature activity, scan and credit usage, error reports, performance data, security events, and cookie or similar-technology information.
The Cookie Policy identifies the categories and providers used on Detector.
1.4 Information from others
We may receive information from:
- your organization, workspace administrators, or other Authorized Users;
- authentication providers, such as Google or Microsoft, if you choose that sign-in method;
- payment processors and fraud-prevention providers;
- service, analytics, advertising, and referral partners, subject to consent and law;
- public sources and submitted public websites; and
- corporate partners, advisers, or counterparties in a business transaction.
2. How We Use Personal Information
We use Personal Information to:
- Provide Detector: create accounts; authenticate users; accept and process Analysis Inputs; retrieve submitted public webpages; run content, AI-authorship, website, accessibility, search, and technical checks; generate, store, display, and export Output; and provide requested editing or reporting features.
- Administer subscriptions: process purchases, trials, recurring billing, credits, taxes, invoices, cancellations, and account entitlements.
- Support users: respond to questions, troubleshoot, restore access, handle complaints, and provide service, policy, and security notices.
- Secure the Services: prevent fraud and abuse; enforce limits and policies; detect malicious or anomalous activity; investigate incidents; protect accounts, infrastructure, users, and third parties; and maintain audit records.
- Operate and improve Detector: measure performance and reliability, debug errors, conduct quality evaluation, improve user experience, and develop features. We may use aggregated or deidentified information for these purposes.
- Communicate and market: send requested information and service messages; manage events and business relationships; and, where permitted, send marketing or measure campaigns. You may opt out of marketing at any time.
- Comply and protect: meet legal, tax, accounting, regulatory, contractual, and audit obligations; respond to lawful requests; establish or defend claims; and support mergers, financings, reorganizations, or asset sales.
We do not sell Personal Information for money. Any use of advertising technologies that applicable U.S. law defines as “sharing” or “targeted advertising” is subject to consent and opt-out rights described in the Cookie Policy.
3. Legal Bases
Where the GDPR, UK GDPR, or similar law requires a legal basis, we rely on:
| Purpose | Legal basis |
|---|---|
| Create and administer accounts; provide requested analysis and reports | Contract; legitimate interests |
| Process Customer Data for an enterprise Customer | Customer’s documented instructions; contract; processor obligations |
| Billing, taxation, and recordkeeping | Contract; legal obligation |
| Security, fraud prevention, and abuse monitoring | Legitimate interests; legal obligation |
| Support and service communications | Contract; legitimate interests |
| Product analytics and improvement | Legitimate interests; consent where required |
| Retrieve and analyze submitted public webpages | Contract; legitimate interests; Customer instructions; consent where required |
| Optional cookies, advertising, and similar technologies | Consent where required |
| Direct marketing | Consent or legitimate interests, depending on context and law |
| Legal claims, compliance, and corporate transactions | Legal obligation; legitimate interests |
Our legitimate interests include operating and securing a commercial analysis service, preventing misuse, improving quality, understanding business use, and communicating with customers and prospects. We consider reasonable expectations, data sensitivity, impact, and safeguards. You may object to processing based on legitimate interests by contacting privacy@dng.ai.
Where we rely on consent, you may withdraw it at any time without affecting earlier lawful processing. In Canada and Québec, we rely on express or implied consent or another basis permitted by applicable law.
4. How We Disclose Personal Information
We may disclose Personal Information to:
- Hosting and infrastructure providers that store data, deliver applications, provide content delivery, observability, backups, and technical operations;
- AI and analysis providers used to perform classification, extraction, summarization, recommendations, website analysis, or related features;
- Payment and fraud providers, including payment processors used for subscriptions and credits;
- Authentication, communication, and support providers used for sign-in, email, ticketing, and customer communications;
- Analytics and advertising providers identified in the Cookie Policy, subject to consent and opt-out requirements;
- Enterprise Customers and workspace administrators that manage the account under which an Authorized User accesses Detector;
- Integrations selected by Customer, where Customer directs data to or from another service;
- Professional advisers, auditors, insurers, banks, and corporate counterparties under appropriate confidentiality arrangements;
- Courts, regulators, law enforcement, and other authorities where disclosure is required or reasonably necessary to protect rights, safety, security, or legal interests; and
- Other recipients with your consent or at your direction.
Our current subprocessor list and relevant processing information are available at https://trustcenter.dng.ai or on request. We require service providers to process Personal Information only for contracted purposes and with appropriate protections.
5. AI and Automated Analysis
5.1 How AI is used
Detector may use statistical models, machine learning, deterministic rules, and generative AI to:
- assess whether submitted text displays patterns associated with AI-generated content;
- identify passages or signals that contribute to a classification;
- analyze content, metadata, search, discoverability, accessibility, and technical website indicators;
- generate summaries, explanations, recommendations, and report language; and
- support optional editing or rewriting features.
Inputs and Output may be processed by AI infrastructure providers where a feature requires it. The current providers and locations are identified in our subprocessor information.
5.2 Training commitment
We do not use Customer Data, Analysis Inputs, or Output to train, fine-tune, or improve public or general-purpose foundation models unless Customer expressly authorizes that use. We contractually require AI service providers not to use Customer inputs or Output to train their public or general-purpose foundation models, subject to the configurations and terms disclosed in our DPA and subprocessor list. Where appropriate, we use enterprise configurations and limited-retention settings.
5.3 Limitations and human review
AI and automated Output may be inaccurate, incomplete, biased, outdated, or misleading. An AI-detection result is not proof of authorship or misconduct. We do not use Detector Output, acting as controller, to make solely automated decisions that produce legal or similarly significant effects on users.
Customers must not use Detector Output as the sole basis for a significant decision about another person. They are responsible for notices, lawful bases, impact assessments, contextual review, human oversight, and contestation rights required by the GDPR, Québec Law 25, the EU AI Act, or other law. See the AI & Analysis Disclaimer.
5.4 AI governance
We maintain AI governance practices aligned with our ISO/IEC 42001:2023 management-system commitments, including roles, risk and impact assessment, supplier oversight, documentation, monitoring, and AI incident response. Alignment or certification status and scope, where applicable, are described in our Trust Center. Concerns about bias, unsafe Output, or AI misuse may be reported to security@dng.ai or privacy@dng.ai.
6. International Transfers
We are based in Canada and may use providers in Canada, the United States, the European Economic Area, and other jurisdictions. Personal Information may therefore be processed outside your province, state, or country, where laws may differ.
For restricted transfers from the EEA, UK, or Switzerland, we use recognized safeguards where required, such as adequacy decisions, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, and Swiss adaptations. You may request information about applicable safeguards from privacy@dng.ai.
Before communicating Personal Information outside Québec where Québec law applies, we assess relevant privacy factors, including sensitivity, purpose, safeguards, contractual measures, and the destination legal framework, and enter a written agreement where required.
7. Retention
We retain Personal Information only as long as reasonably necessary for the purposes described, the applicable plan and contract, and legal, security, tax, accounting, dispute, and enforcement requirements.
| Data category | General retention |
|---|---|
| Account and workspace data | Life of the account, then up to 90 days after deletion, unless a legal hold applies |
| Analysis Inputs and Output in an account | Available for the history period stated in the plan or Order Form; deleted within 30 days after valid Customer instruction or contract termination, subject to backup lifecycle and legal hold |
| Guest or temporary Analysis Inputs and Output | Only as long as needed to deliver the session or feature, generally no more than 30 days unless the user saves it to an account or law requires longer |
| Public Website Data cached for a requested report | The same period as the related Analysis Input or Output, or a shorter operational cache period |
| Payment, invoice, and tax records | 7 years from the transaction, or longer if required by law |
| Support and business correspondence | 3 years after the last interaction |
| Marketing contact data | Until opt-out or 24 months of inactivity, whichever occurs first, unless another lawful basis applies |
| Website analytics and cookie data | Up to 14 months or the shorter period in the Cookie Policy or consent tool |
| Security, audit, and access logs | Generally 12 months; longer for an active investigation, legal obligation, or agreed enterprise requirement |
Deleted data may remain in encrypted backups for a limited lifecycle before secure overwrite. During that period it is isolated from ordinary use. We may retain aggregated or deidentified information that no longer reasonably identifies a person or Customer.
8. Security and Incidents
We maintain reasonable administrative, technical, and organizational safeguards designed to protect Personal Information, including, as appropriate, encryption in transit, encryption at rest, access controls, least privilege, multi-factor authentication for internal access, logging and monitoring, vulnerability management, secure development, vendor review, training, confidentiality obligations, incident response, and logical separation.
Our information-security program is aligned with our ISO/IEC 27001:2022 management-system commitments. Any certification status and scope are stated in the Trust Center. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If we become aware of an incident affecting Personal Information, we will investigate, mitigate, document, and notify Customers, individuals, regulators, or others as required by law and contract. Customers acting as controllers remain responsible for their own notification decisions, with our assistance as required by the DPA.
See the Security & Responsible Disclosure Policy to report a vulnerability.
9. Cookies, Analytics, and Advertising
Detector uses cookies and similar technologies for authentication, security, consent management, preferences, payments, analytics, and - subject to consent - advertising measurement. Providers may include CookieYes, Cloudflare, Stripe, Google Analytics, Google Ads, Meta, LinkedIn, Microsoft Clarity, and Google Tag Manager, as described in the Cookie Policy.
Where required, non-essential technologies are disabled until consent. You can change choices through “Cookie Settings,” use browser controls, or send a legally recognized preference signal such as Global Privacy Control where applicable.
10. Marketing Communications
We send marketing messages only where permitted by applicable law, including Canada’s Anti-Spam Legislation, GDPR/ePrivacy rules, and CAN-SPAM. Marketing emails identify us and include an unsubscribe mechanism. Opting out does not stop transactional, billing, security, policy, or service messages.
11. Children’s Privacy
The public self-serve Services are not directed to children, and individuals must be at least 18 or the age of majority to create an account. We do not knowingly collect Personal Information through a child’s self-created account. If a school, organization, parent, or guardian authorizes a managed use involving a minor, that party is responsible for all notices, consents, contractual authority, and safeguards required by law.
If you believe a child provided Personal Information without appropriate authorization, contact privacy@dng.ai. We will investigate and delete or restrict the information where required.
12. Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- know whether and how we process your Personal Information;
- access and receive a copy of it;
- correct inaccurate or incomplete information;
- request deletion;
- restrict or object to processing;
- withdraw consent;
- receive portable information in a structured, commonly used, machine-readable format;
- opt out of direct marketing and certain targeted advertising, sale, sharing, or profiling;
- request information about automated decision-making and, where applicable, human review;
- appeal a refusal to act on a request; and
- lodge a complaint with a privacy regulator.
To exercise a right, email privacy@dng.ai. We may verify identity and authority, and authorized agents may be required to provide proof. We will respond within the period required by law. If we process information only for an enterprise Customer, we may direct the request to that Customer and assist it.
You may complain to the Commission d’accès à l’information du Québec, the Office of the Privacy Commissioner of Canada, the UK Information Commissioner’s Office, or your EEA supervisory authority listed by the European Data Protection Board.
We will not discriminate against you for exercising a privacy right.
13. Québec Disclosures
Super Nova Research Inc. is responsible for Personal Information it holds. Vincent Terrasi is designated as Privacy Contact and Person in Charge of the Protection of Personal Information. Québec residents may contact privacy@dng.ai regarding access, rectification, deletion where applicable, withdrawal of consent, data portability where in force, automated decisions, complaints, or our privacy governance.
Where technology identifies, locates, or profiles an individual, we provide required notice and obtain express consent where Québec law requires it. Such optional functions are disabled by default where required. We conduct privacy impact assessments for projects, systems, electronic service delivery, and cross-border disclosures where required by Québec Law 25.
14. United States State Disclosures
Depending on state law, the categories we may collect include identifiers; customer records; commercial information; internet or network activity; approximate geolocation; professional information; user content and documents; inferences from analysis or usage; and account credentials or other sensitive information if submitted.
We disclose these categories for business purposes to the service-provider categories in Section 4. We do not sell Personal Information for money. Detector may use advertising measurement technologies that some state laws define as “sharing” or “targeted advertising.” Where applicable, you may opt out through Cookie Settings, a “Do Not Sell or Share My Personal Information” link if displayed, Global Privacy Control, or privacy@dng.ai. We do not knowingly sell or share Personal Information of individuals under 18 for targeted advertising.
15. Changes to This Policy
We may update this Policy to reflect changes in law, technology, features, or practices. We will post the revised version and update the date above. For material changes, we will provide additional notice or request consent where required. Prior versions may be made available on request.
16. Contact Us
Super Nova Research Inc. (d/b/a Draft&Goal)
6795 rue Marconi, Bureau 200
Montréal (Québec) H2S 3J9
Canada
Privacy Contact / Person in Charge of the Protection of Personal Information:
Vincent Terrasi - privacy@dng.ai
EU Representative (Article 27 GDPR):
Super Nova Research Inc. - EU Representative
Station F, 5 Parvis Alan Turing
75013 Paris, France
privacy@dng.ai
Other contacts:
- Detector support: detector@dng.ai
- Legal matters: legal@dng.ai
- Security: security@dng.ai
- Subprocessor and assurance information: https://trustcenter.dng.ai
- Data Processing Addendum: https://dng.ai/dpa