/ legal · privacy

PRIVACY POLICY.

Last updated: 3 June 2026

This Privacy Policy explains how Drafting Limited (“Drafting”, “we”, “us”) collects, uses, and protects your personal data when you use the Drafting marketing website at drafting-app.com (the “Site”) or the Drafting mobile application (the “App”) when it becomes available.

We are the data controller for personal data processed through the Site and the App. Our registered office is 8 Esther Anne Place, Flat 115, N1 1WL, London, United Kingdom. You can reach our privacy contact at hello@drafting-app.com.

1. What we collect

Waitlist signups

When you join our waitlist we collect:

  • Email address — required, so we can let you know when Drafting launches.
  • Country and city — optional, so we can let you know when the App launches near you.
  • Run frequency — optional (e.g. once a week, two times a week, three or more), so we can shape the matching experience.
  • Submission timestamp, browser user-agent string, and referring URL — to operate the waitlist, prevent abuse, and understand how people are finding us.

Site visit analytics

For each visit to the Site we record a small set of anonymous-by-design analytics so we can understand reach:

  • A truncated SHA-256 hash of your IP address — never the raw IP. The hash lets us deduplicate visitors without identifying them.
  • Your country, derived from the IP at the edge by our hosting provider (Vercel).
  • Your browser user-agent string and referring URL.
  • A timestamp of when we first saw the visitor.

Admin access

Our admin dashboard is restricted to a single account (the founder). When that account signs in, Firebase Authentication issues a session token. We do not collect end-user logins on the Site — only the founder authenticates today.

Data deletion requests

When you ask us to delete your data, we record the request itself: your email address, any reason you provide, the timestamp, and whether (and when) we’ve fulfilled it. We’re required to keep this record so we can prove we honoured the request — see “How long we keep it”.

The App (when launched)

When the Drafting App launches we’ll process additional data needed to make the App work — an account profile, location, run preferences, and (only with your explicit consent) health and fitness data via Apple HealthKit. See Health & fitness data for the HealthKit specifics. The App will surface its own in-app privacy notice and consent flows before any of that data is collected.

2. Why we collect it (lawful basis)

Under UK GDPR / EU GDPR we have to tell you the lawful basis we rely on for each kind of processing:

  • Waitlist signups — your consent (Article 6(1)(a)). You can withdraw at any time using the data deletion form.
  • Site visit analytics — our legitimate interest (Article 6(1)(f)) in understanding the reach of our marketing site. Because the IP is hashed before storage and the data is not used to profile individuals, we’ve assessed this as low-risk to your rights.
  • Admin authentication — necessary to operate the Site (Article 6(1)(b) / 6(1)(f)).
  • Data deletion request records — legal obligation (Article 6(1)(c)) and our legitimate interest in demonstrating compliance.
  • HealthKit data (the App) — your explicit consent (Article 9(2)(a)). Health data is a special category of personal data and we will only process it after you grant in-app permission.

3. How long we keep it

  • Waitlist signups — until you withdraw consent (via the data deletion form) or, if you become an App user, until you delete your App account. If we don’t launch the App in your city we’ll delete waitlist signups within 24 months.
  • Site visit analytics — up to 13 months from the first-seen timestamp, then deleted.
  • Deletion request audit records — up to 6 years, to comply with UK GDPR record-keeping rules (Article 5(2) accountability).

4. Who we share it with

We do not sell your personal data. We share it only with the processors and platforms we need to run Drafting:

  • Google (Firebase) — hosts our Firestore database and Firebase Authentication for admin login. Data is stored in the EU (europe-west2, London).
  • Vercel Inc. — hosts the Site and edge functions; provides country-level IP geolocation at the edge.
  • Twilio SendGrid — sends transactional email such as your data-deletion confirmation. Receives only the email address(es) needed to deliver the message and the message contents.
  • Apple Inc. — when the App launches, Apple HealthKit may be used as a data source on iOS devices. HealthKit data is stored locally on your device and is only read by us with your explicit per-permission consent. We comply with Apple’s HealthKit privacy requirements and do not share HealthKit data with third parties for advertising or data brokerage.
  • Meta Platforms Ireland Ltd. — we intend to offer Facebook / Instagram login and social sharing in the App. Where you choose to use those features, relevant data will be shared with Meta in line with its platform terms. We will surface specific in-app notice before any Meta integration is used.

We may also disclose data to law enforcement or regulators where we’re legally required to do so (for example, valid UK court order or ICO information notice).

5. Where data is processed

Most processing happens in the United Kingdom and the European Economic Area (Firebase europe-west2 region, London). Where data is transferred to processors based outside the UK/EEA — principally Twilio SendGrid (US), Vercel (global edge with US-based control plane), Apple and Meta — we rely on:

  • The UK International Data Transfer Addendumand / or the EU Standard Contractual Clauses(Module Two, controller-to-processor) with each US-based recipient; and
  • where applicable, the recipient’s certification under the EU-US Data Privacy Framework.

6. Your rights

Under UK GDPR and EU GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that’s inaccurate or incomplete;
  • Erase your data (“the right to be forgotten”);
  • Restrict or object to processing of your data;
  • Receive a copy of your data in a portable format (data portability);
  • Withdraw consent at any time, where processing is based on consent;
  • Complain to a supervisory authority — in the UK that’s the Information Commissioner’s Office (ico.org.uk).

7. How to exercise your rights

The fastest way is the data deletion form for erasure, or email hello@drafting-app.com for any other right. We’ll respond within 30 days, in line with Article 12(3) of UK GDPR. There’s no fee for a normal request.

8. If you’re in California (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA: to know what categories of personal information we collect, to delete personal information we hold about you, to correct inaccurate information, and to opt out of sale or sharing of personal information. We do not sell or share personal information in the CCPA sense.

To exercise any of these rights, use the data deletion form or email hello@drafting-app.com. We won’t discriminate against you for exercising your rights.

9. If you’re in Argentina (PDPA)

Residents of Argentina have rights under the Argentine Personal Data Protection Act (Law 25.326) of access, rectification, and erasure (“derecho de acceso, rectificación y supresión”). Argentina is recognised by the European Commission as providing an adequate level of data protection, so transfers of your data into Argentina are permitted without additional safeguards. To exercise your rights, contact us at hello@drafting-app.com.

10. Health & fitness data (in the App)

When the Drafting App becomes available on iOS, we plan to offer integration with Apple HealthKit so the App can see relevant run history (pace, distance, cadence) and surface better matches.

Per Apple’s HealthKit terms and our own approach to sensitive data:

  • HealthKit access is opt-in and requested per data type via Apple’s native permission prompts. The App will work without HealthKit, with a reduced matching quality.
  • We will not sell HealthKit data, share it with advertising platforms, or use it for marketing.
  • We will not transfer HealthKit data into our backend except where strictly necessary to operate the App (for example, to compute a pace match between two consenting users), and we will not store HealthKit data beyond the period needed to provide the service.
  • You can revoke HealthKit access at any time in iOS Settings, and you can delete your Drafting App account using the deletion controls inside the App or via the data deletion form.

11. Cookies and similar tech

The Site uses a strictly necessary set of cookies and similar technologies:

  • sessionStorage on your browser to remember that you’ve already submitted the waitlist form and to deduplicate the site-visit ping per session.
  • localStorage to keep your “you’re in” confirmation screen visible if you refresh the page.
  • Firebase Authentication session tokens for the admin login flow only.

We don’t use third-party advertising cookies or cross-site tracking cookies on the Site.

12. Children

Drafting is not intended for people under the age of 16. We don’t knowingly collect personal data from children. If you believe a child has provided us with data, please contact hello@drafting-app.com and we’ll delete it.

13. Security

We use industry-standard measures to protect your data: Firebase Security Rules to restrict who can read what, TLS-in-transit on every request, hashed IPs for analytics, and access-restricted admin tooling. No system is perfect; please don’t share data with us that you wouldn’t want a determined attacker to potentially access.

14. Changes to this policy

We may update this policy from time to time. If we make a material change — for example, introducing a new third-party processor that handles a new category of data — we’ll post a notice on the Site at least 30 days before it takes effect. The “Last updated” date at the top of this page reflects the most recent change.

15. Contact & complaints

For any privacy question, request, or complaint:

  • Email: hello@drafting-app.com
  • Post: Drafting Limited, 8 Esther Anne Place, Flat 115, N1 1WL, London, United Kingdom

If you’re in the UK and unhappy with how we’ve handled your request, you have the right to complain to the Information Commissioner’s Office: phone 0303 123 1113 or visit ico.org.uk/make-a-complaint. If you’re in another EU/EEA country, you can complain to your local supervisory authority.