How DrawSight handles inspection data today.

Effective May 15, 2026

At a glance

The four commitments worth reading the rest for.

A plain-English summary. The full sections below are the binding text.

Local-first by default. Inspection records, photos, and reports stay on the device, not in a DrawSight cloud account.

Sanitized photos for AI. The working copy used by AI has EXIF and GPS stripped; the byte-identical original stays on your device.

Encrypted backups you control. Exportable, restorable .dsbk files protected by a key only you hold.

Industry insights are opt-in. If you turn it on, only an anonymized digest leaves the device. Never photos or addresses.

This summary is not the policy. Sections 1–14 below are the binding text.

This policy is written around the current DrawSight app as it exists now: a local-first mobile inspection reporting product provided by DrawSight LLC, with managed AI requests in release builds, a managed address-lookup proxy, encrypted local records, optional hosted diagnostics, and inspector-controlled exports.

1. Overview

This Privacy Policy describes how DrawSight LLC, doing business as DrawSight, handles information in the current DrawSight app. DrawSight is currently a local-first inspection reporting app. In normal use, inspection records, findings, review history, photos, PDFs, and recovery data are stored on the inspector's device rather than in a DrawSight-hosted sync account.

Current builds do not provide a first-party always-on customer account platform, cloud sync, or client portal. Some optional features do send limited information to third parties when the user chooses to use them, which is described below.

2. Information handled by the app

Information you enter or create

property addresses, inspection identifiers, client names, and report content
inspection photos, annotations, findings, comments, and review edits
voice-note transcripts and dictated note content when the user chooses microphone / speech features
interrupted Photo-First recovery state used to resume large AI photo batches
inspector profile details such as company name, license number, and signature image
report snapshots, finding audit history, PDF reports, and backup files created by the user

Locally stored technical data

workflow preferences and app settings stored on the device
locally cached subscription, product-ownership, trial, or entitlement state when that build is configured to use it
a device-specific installation identity used to look up managed beta-access or entitlement records in supported builds
local crash logs and local telemetry events kept on-device
backup-encryption key material stored through secure device storage
when managed AI or managed geocoder routes are used, the DrawSight-managed Worker or hosting layer may temporarily process and store request metadata such as IP address, route, installation identity, and entitlement / rate-limit counters to prevent abuse and enforce access limits

3. How DrawSight stores data

inspection records are primarily stored on the user's device in encrypted local storage
the working copy of each inspection photo is re-encoded so the copy used in the AI pipeline and in exported reports does not retain EXIF or GPS metadata
DrawSight also preserves a byte-identical original of each inspection photo on the device so the inspector retains an unaltered evidentiary record; that original file retains whatever EXIF and GPS metadata the camera or source image included, and it stays on-device unless the inspector exports or shares it
current builds do not automatically upload inspection records to a DrawSight sync service
encrypted backup export is available when the user chooses to create one

Because the app is local-first, the device owner typically controls most retention, deletion, export, and restore decisions directly.

4. Third-party services

Managed AI processing

When the user enables and uses AI features in managed builds, relevant inspection photos, prompts, notes, inspection type, selected operating-state context, and related request content are sent through DrawSight-managed Worker infrastructure to approved subprocessors, which may include Anthropic, for processing.

Before some AI requests are sent, DrawSight may also run local on-device photo-quality screening to reject unreadable, too-dark, too-small, document-like, or selfie-like images before they are uploaded for AI processing. That local screening is intended to reduce bad AI calls and does not itself require sending the photo to a third-party provider.

Anthropic privacy information is available at anthropic.com/privacy.

Template import from PDF

When the user taps "Import from PDF" in My Templates and selects an existing inspection report, DrawSight uploads the entire PDF — including any embedded photos, client names, property addresses, signatures, or finding notes inside it — through the DrawSight-managed AI proxy to Anthropic so the report structure can be extracted into a reusable template. The bytes are processed in memory and discarded after extraction. The user-chosen filename is replaced with a constant placeholder before the multipart upload leaves the device, so inspector-chosen names like a property address or a client’s name do not reach the proxy log. The template that is stored on-device after extraction contains only structural metadata (section titles, codes, optional theme colors and header / footer text); no photos or finding text from the source PDF are persisted. The app shows an explicit consent dialog identifying the picked file before any bytes leave the device.

Signal training (My Signals narrated video)

When the user records or picks a narrated training video in My Signals, DrawSight extracts the audio track and a small number of sampled frames on the device before any upload. The raw video file never leaves the device. The extracted audio and frames are uploaded together to the DrawSight-managed Worker, which forwards the audio to Cloudflare Workers AI for transcription (developers.cloudflare.com/workers-ai) using OpenAI’s Whisper model and forwards the sampled frames together with the Whisper transcript text to Anthropic so the on-device signal dictionary can be built. Audio bytes, frames, and transcript text are processed in-memory during the request; standard per-request usage metadata (model, token counts, cost, day, inspection identifier) lands in the same pricing telemetry surface described below. The photo-only training path (the default CTA in My Signals) does not upload any media at all — on-device MediaPipe extracts hand landmarks and the inspector types the meaning. The app shows an explicit confirmation dialog before any narrated-video bytes leave the device so the inspector can pick the photo-only path instead if the disclosure isn’t acceptable.

Managed access identity and rate limiting

Supported managed builds use a device-specific installation identity plus DrawSight-managed credentials to look up beta-access or entitlement records and, where configured, issue short-lived AI access tokens. The Worker or hosting layer may also store per-route request counters, entitlement-usage counters, and temporary request metadata such as IP address and route timing so it can rate-limit abuse, diagnose failures, and enforce access policies.

Address lookup

When address autocomplete is used, typed property-address queries are sent to the DrawSight-managed geocoder proxy and then to the configured provider for that deployment. In the current managed path, that provider is Mapbox.

Scheduling reminder emails

When the user sets a "scheduled for" date / time on an inspection, DrawSight pushes a small reminder row to the managed Worker so the cron can send the inspector + the client + the referring agent reminder emails 24 hours and 1 hour before the scheduled time. The row carries the inspector’s subscriber identifier, the inspection id, the scheduled timestamp, the inspector’s email, and the optional client and agent emails (only those the user has saved on the inspection), plus the inspector’s name, the client’s name, and a short inspection-label string that becomes the email subject. The Worker’s D1 database stores the row until the inspector clears the scheduled time or finishes / cancels the inspection, or 30 days past the scheduled time — whichever comes first. The actual email send is handled by Resend (resend.com/legal/privacy-policy), which receives the rendered email and the recipient email address only at send time. The 24h / 1h reminders can each be disabled per-inspector in Settings → Scheduling Reminders; both default ON.

Voice note transcription

When microphone / speech features are used, the app relies on operating-system speech-recognition services made available on the device platform to turn dictated notes into transcript text. On Apple platforms this may involve Apple speech / dictation services, and on Android this may involve Google or the device vendor's speech-recognition stack. The resulting transcript becomes part of the note content the user can edit, save, export, or later send through AI-assisted drafting flows.

Cloudflare Web Analytics (public website only)

The public marketing + support pages at https://drawsight.app/ (this page, the Terms of Service, the Delete-Account help page, and the magic-link Claim page) are hosted on Cloudflare Pages. Cloudflare Pages automatically injects the Cloudflare Web Analytics beacon (static.cloudflareinsights.com/beacon.min.js) on those pages. The beacon may transmit the requested page URL, the HTTP referrer, the user-agent string, and IP-address-derived approximate region / browser metadata to Cloudflare so the operator can see aggregate page-view counts. Cloudflare states the beacon does not use cookies and does not fingerprint individual visitors; their privacy and retention terms are at cloudflare.com/web-analytics and the broader Cloudflare privacy policy is at cloudflare.com/privacypolicy. The DrawSight mobile app itself does not load the Cloudflare Web Analytics beacon — this disclosure covers the public site only.

Optional hosted diagnostics and analytics

Some builds may be configured to send redacted crash events to a hosted crash reporting service such as Sentry, and redacted product telemetry events to a configured analytics endpoint. These integrations are optional and deployment-specific. Hosted payloads exclude full inspection photos, full report bodies, raw file-system paths, direct contact data, and persistent record identifiers; redaction is enforced at both the DrawSight client (before the payload is sent) and at the Worker route (before the payload is persisted) so a single bypassed call site cannot leak raw identifiers under hosted retention.

Google Sign-In and Google Calendar (optional)

Connecting Google Sign-In and / or Google Calendar is optional. When the inspector taps "Sign in with Google" or "Connect Google Calendar," DrawSight runs the standard OAuth flow against Google’s identity provider; Google receives the OAuth client identifier, the requested scopes, and the inspector’s consent decision. On success Google returns the inspector’s account email plus, for Calendar, a token DrawSight uses to sync inspection events with a single inspector-chosen DrawSight calendar.

Two-way Calendar sync (opt-in). When the inspector enables "Two-way sync with DrawSight calendar" in Settings, DrawSight (a) reads upcoming events from the inspector-chosen DrawSight calendar to surface them as draft inspections, (b) writes inspection edits back to those events, and (c) when an inspection is cancelled, moves the bound event to a sibling calendar named "DrawSight Inspections — Cancelled" (auto-created on first cancellation). DrawSight commits to ONLY reading and writing events on the inspector-picked DrawSight calendar (and its Cancelled sibling) and NEVER touches events on the inspector’s other calendars. Two-way sync is gated behind an explicit Settings opt-in; the default is one-way push of events DrawSight creates. The granted OAuth scope is https://www.googleapis.com/auth/calendar, which Google requires for calendar list, non-owned event reads, and calendar creation; the behavioral boundary above is enforced by DrawSight, not by the scope.

DrawSight stores the account email, the chosen DrawSight calendar id, the last-pull cursor, and the per-event Calendar event IDs locally on the device (used to update or delete the matching event when the inspection is rescheduled or cancelled). DrawSight does NOT store the OAuth refresh / access tokens on the managed Worker; the tokens stay in device-local secure storage. The inspector can disconnect at any time from Settings → Google Calendar → Disconnect (which also wipes local sync state); revocation in their Google Account also stops sync. Use of Google services is also governed by the Google privacy policy (policies.google.com/privacy).

System share destinations

When the user exports a report, backup, or log file, the content is sent only to the destination selected by the user through the device's share sheet or file picker.

5. How information is used

DrawSight uses handled information to:

create and edit inspection reports
generate optional AI-assisted draft text and photo classifications
support report audit history, export, backup, and restore flows
support local recovery, diagnostics, product-quality work, and optional hosted diagnostics if configured

6. Backups, exports, logs, and restore behavior

backup files can contain sensitive inspection data, including photos, names, addresses, and notes
PDF reports and logs are exported only when the user chooses to export them
once a file is shared or saved outside the app, its retention and security depend on the user and chosen destination
some states currently allow only watermarked draft export in the app, not final export

7. Retention and deletion

inspection data remains on-device until edited, deleted, or removed with the app
backups and exports remain wherever the user saves or shares them
local logs remain local unless the user shares them or hosted diagnostics are configured for that build
current builds do not provide a DrawSight-hosted always-on sync account or client portal
deployment-specific managed access records and optional hosted diagnostic records may still exist outside the device

In managed builds, the DrawSight Worker stores limited server-side records tied to managed-access, billing, and abuse-prevention. Those records expire on fixed schedules:

per-AI-call usage records (model, photo count, token totals, cost, day — no subscriber, installation, or content identifier): retained for 12 months rolling, then purged automatically on every write
in-app behavior records (welcome screen shown / dismissed, entitlement gate fired, deep-link claim attempted / succeeded — the onboarding-funnel surface): retained for 12 months rolling, purged automatically on every write
store-purchase verification events used to link a purchase to an entitlement: retained for 45 days
admin-audit events tied to administrative or support access (may include IP address, user-agent, and subscriber identity, including subscriber-purge actions): retained for 90 days

Entitlement records themselves persist for the lifetime of the active managed-access subscription plus a short reconciliation window after it ends. Rate-limit counters are short-lived and roll over on their own windows; they are not a long-term retention surface.

8. Your choices and privacy requests

You generally control DrawSight data by:

editing or deleting inspections inside the app
deleting exported reports or backup files you created
removing the app or clearing app data from your device
choosing whether to use AI-assisted features at all

If you are a homeowner, resident, or client seeking access to inspection information, you should generally contact the inspection business that collected the data.

If you believe DrawSight itself controls personal information about you and you want to request access, correction, deletion, or a copy of that information, email support@drawsight.app. Because DrawSight is local-first, inspection businesses and device owners usually control most record content directly.

9. Security

DrawSight uses measures intended to reduce risk, including:

encrypted local storage for inspection records
secure device storage for local secrets and backup key material
encrypted backup export support
HTTPS requests for managed AI, geocoder, and optional hosted services
redaction of sensitive values in crash and telemetry payloads

No device, network, or software environment can guarantee absolute security. Users remain responsible for securing their devices, external storage locations, exported files, and any third-party accounts they control.

10. Children's privacy

DrawSight is intended for adult inspectors and inspection businesses. It is not directed to children.

DrawSight is designed for local-first storage on the inspector's device. If you are a client, tenant, prospective buyer, or resident seeking access, correction, deletion, or disclosure of inspection data, contact the inspection business that collected that information; they are the data controller for the inspection they performed. DrawSight LLC is a processor on their behalf to the extent any data leaves the device.

Data retention depends on the device owner's exports, backups, deletions, managed-access records, and any deployment-specific hosted diagnostics that were enabled for that build. When AI features are used, approved providers process the submitted request solely to generate the requested result.

California residents: DrawSight LLC does not sell personal information. You may request access to or deletion of personal information DrawSight LLC holds about you by emailing support@drawsight.app.

12. Industry insights

DrawSight offers an optional Industry Insights data-sharing toggle in Settings → Privacy. The toggle is opt-in for everyone — paid or not — and disabled by default. Inspectors have to flip it on explicitly before any aggregate row leaves the device, and the toggle can be flipped back off at any time without affecting any other DrawSight feature.

When enabled, DrawSight transmits a small anonymized summary after each finalized inspection. The summary contains only the property's age band (e.g. "1980-2000"), the property's state, the subsection codes that had at least one finding, and a count of findings by severity. The summary is aggregated into industry-wide running totals on DrawSight's managed backend; no per-inspection record is retained beyond the running tally.

The summary never includes street addresses, ZIP codes, GPS coordinates, client names, agent names, inspector names, photos, finding text, or any free-form fields. The aggregated numbers are used to power the in-app "Compare to industry" overlay; they are not sold or shared with third parties.

13. Policy changes

This Privacy Policy may be updated as DrawSight's features, providers, and release setup change. The latest version is reflected by the effective date at the top of this page.

14. Contact

If you have privacy questions about DrawSight, contact DrawSight LLC at support@drawsight.app.

Do not send private inspection photos, client names, property addresses, or full report text unless DrawSight support asks you to use a specific secure path.