draw.io uses 1 external domain:
We use Google Analytics because it draws us pretty pictures and tells us how many users we have.
Ghostery is a useful Firefox plugin for blocking well-known third-party sites tracking activity. I use that and RequestPolicy on Firefox, personally. RequestPolicy forces you to authorise all third-party domain access, but makes all such accesses explicit.
If you use a modern browser with FileAPI (Chrome, Opera, Firefox), then we load your XML locally, without using the server. We still have to go to the server for Visio imports; that code isn't in the client. The latest versions of all major browsers support FileAPI; you can check support using this table.
When saving XML, this is echoed from the server and nothing is stored on our servers, unless you enable Flash support for direct saving (see below). When exporting images or PDF, the XML model is translated to the export format, the export created, the export is transmitted insecurely to your computer and the export format and model deleted from our servers. SVG is generated client-side, but still requires a round-trip to save it.
In short, we do not retain any of your data nor do we pass it on to anyone else. We use Google App Engine, which offers no shell access; you cannot log into it at all. 2 developer accounts at JGraph have access to write to the draw.io application on Google App Engine and both use 2-factor authentication on the account for security.
In order to avoid any use of our server (after the initial load of the page):