Privacy Policy
Last Updated: 28/04/2026.
How Drast collects, uses, stores, and protects personal data – for the customers who use Drast and for the website visitors who chat with the agent.
1. Who we are
Drast is a service operated by CALK SAS, a French simplified joint-stock company (société par actions simplifiée).
Data controller
CALK SAS
60 Rue François 1er, 75008 Paris, France
SIRET: 941 032 187 00010
Contact: quentin@drast.ai
In this policy, "Drast", "we", "us" and "our" refer to CALK SAS operating the Drast service at drast.ai.
2. Scope of this policy
Drast is a B2B SaaS product. We process personal data in two distinct roles, each with different obligations under the GDPR:
As a data controller – for our customers (the people who sign up for a Drast account), and for visitors to the marketing site at drast.ai.
As a data processor – for personal data that flows through the Drast agent on a customer's website. In that case, our customer is the data controller and Drast acts on their instructions under a Data Processing Agreement.
This policy describes both roles. If you visited a website that uses Drast and want to exercise a right over your data, contact the website owner first; we will assist them in honoring your request.
3. Data we collect from customers
When you create or use a Drast account, we collect:
Account data: Name, business email, password hash (or Google account identifier if you sign in with Google), company name, role.
Billing data: Plan, subscription status, billing address, VAT number. Card details are handled by our payment processor – we never store full card numbers.
Configuration data: Product description, ICP, knowledge base content, brand voice settings, opening sentences per language, calendar and CRM connections.
Integration tokens: OAuth tokens for Google Calendar, HubSpot, Pipedrive, Slack, and other services you choose to connect.
Usage data: Login times, dashboard activity, conversation volumes, feature usage. Used to operate the service and bill correctly.
Support data: Messages you send us by email, Slack, or in-app chat.
4. Data we collect from visitors to a customer's website
When a person visits a website where Drast is installed and interacts with the agent, the following data may be collected – on behalf of, and at the instruction of, our customer:
Session data: Pages visited, time on site, traffic source, UTM parameters, referrer, browser language, timezone, anonymized IP.
Company-level enrichment: Company derived from IP-to-domain lookup, company size, industry, funding stage, technology stack. This is company data, not personal data.
Conversation content: Messages exchanged with the agent, including any information the visitor chooses to share.
Identity data (only when shared): Email address, name, phone, company role – collected only at the moment of booking a meeting or when the visitor explicitly provides them.
We never request, collect, or store sensitive categories of personal data (health, religion, political opinions, etc.) from visitors. The agent is configured to refuse such inputs.
5. Google account data
If you sign in to Drast with Google or connect Google Calendar, we request only the scopes strictly necessary to operate the service.
What we request
Sign in with Google – your name, email address, and Google account ID, used solely to authenticate you and create or link your Drast account.
Google Calendar (when you connect it) – read availability and create events on the calendar you select. Used only to check free/busy slots and to book meetings the Drast agent has confirmed with a website visitor.
What we do NOT do with Google data
We do not use Google user data to train, fine-tune, or improve any AI or machine learning model – generalized or otherwise.
We do not sell, rent, or transfer Google user data to third parties for advertising.
We do not access calendar events, contents, or attendees beyond what is required to schedule the meetings booked through Drast.
We do not use Google data for any purpose other than operating the features you explicitly enabled.
You can revoke Drast's access to your Google account at any time at myaccount.google.com/permissions. Drast's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. How we use data
We use personal data to:
Operate the Drast service – running the AI agent, qualifying visitors, booking meetings, syncing CRM and calendar data, sending recap emails.
Bill customers and process payments.
Provide customer support and respond to inquiries.
Detect fraud, abuse, and security incidents.
Improve the service – by analyzing aggregated, non-identifying usage patterns.
Comply with legal obligations.
We do not train AI models on customer or visitor conversation content. The large language models used by the Drast agent are operated by our AI sub-processors and process inputs in real time without retaining or training on them, in accordance with their respective enterprise data policies.
7. Legal basis for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases:
Contract – to provide the service to customers under our Terms of Service.
Legitimate interest – to operate, secure, and improve the service, and to communicate with customers about their account.
Consent – for non-essential cookies on drast.ai, and for any visitor data processed where consent is the appropriate basis.
Legal obligation – to comply with French and European law (e.g., billing records, tax).
8. Sharing & sub-processors
We do not sell personal data. We share it only with sub-processors that help us run the service, under contracts that require them to protect it.
An up-to-date sub-processor list is available on request from quentin@drast.ai. We will give customers reasonable notice of changes to material sub-processors.
We may also share data when legally required (court order, regulatory request) or to protect the rights, property, or safety of Drast, our customers, or others.
9. International transfers
Drast operates a multi-region infrastructure on Microsoft Azure across the European Union and the United States. Customer and visitor data may be transferred to and processed in either region depending on the customer's configuration.
For transfers from the EU/EEA to the United States, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. EU-resident customers can request EU-only hosting by contacting quentin@drast.ai.
10. Retention
We retain personal data only for as long as necessary:
Customer account data – for the life of the account, plus 12 months after closure for legal and accounting purposes.
Billing records – 10 years, as required by French commercial law.
Conversation logs (visitors) – 24 months by default, unless the customer configures a shorter window. Customers can delete individual conversations on request.
Enrichment data – refreshed periodically; stale records are deleted.
Support emails – 36 months.
You can request earlier deletion at any time – see your rights below.
11. Security
We protect personal data with industry-standard measures:
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control. Production data is accessed by named personnel only, with audit logging.
Hosted on Microsoft Azure, which holds ISO 27001, SOC 2, and other major certifications.
OAuth tokens stored encrypted; we never store third-party passwords.
Regular security reviews and dependency monitoring.
Drast's SOC 2 Type II report is in progress, with a Q1 2027 target. We will provide our current security overview on request to enterprise customers.
No system is perfectly secure. If you discover a security issue, email quentin@drast.ai and we will investigate promptly.
12. Your rights
If you are in the EU/EEA, the United Kingdom, or a jurisdiction with comparable rules, you have the right to:
Access – request a copy of the personal data we hold about you.
Rectification – request correction of inaccurate data.
Erasure – request deletion ("right to be forgotten") where applicable.
Restriction – request that we limit how we use your data.
Portability – receive your data in a structured, machine-readable format.
Objection – object to processing based on legitimate interest.
Withdraw consent – at any time, where processing is based on consent.
Lodge a complaint – with the French data protection authority (CNIL) at cnil.fr, or your local supervisory authority.
To exercise any of these rights, email quentin@drast.ai. We respond within 30 days.
If you interacted with the Drast agent on a customer's website, please contact that website's owner first – we will assist them in honoring your request.
13. Cookies & tracking
The Drast marketing site at drast.ai uses a small number of cookies:
Strictly necessary – for authentication, session management, and security. These cannot be disabled.
Analytics – to understand how visitors use the site, in aggregate. Loaded only with consent.
The Drast agent embedded on customer websites uses a single first-party cookie or local storage entry to maintain conversation continuity across page loads. It does not track visitors across other websites.
14. Children
Drast is a B2B service. It is not intended for, and we do not knowingly collect data from, anyone under 16. If you believe a child has shared personal data with us, contact quentin@drast.ai and we will delete it.
15. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes affecting how we use personal data, we will notify customers by email at least 30 days before the change takes effect.
16. Contact
Privacy & data requests
Email: quentin@drast.ai
Mail: CALK SAS – Privacy, 60 Rue François 1er, 75008 Paris, France
For all other inquiries, see drast.ai or contact us at the same address.
