Draft

Legal

Privacy Policy

This policy explains what personal data Draft collects, why we collect it, who we share it with, and the choices and rights you have. It applies to the Draft mobile app (iOS and Android), the draftapp.io website, and our waitlist / TestFlight / Early Rider beta program.

Last updated: 23 June 2026

1. Who we are

Draft is operated by Rutger Bakker, a sole proprietorship (eenmanszaak) trading as Draft, registered in the Netherlands under Chamber of Commerce (KvK) number 62586564 (“Draft”, “we”, “us”). We are the data controller responsible for your personal data. For any privacy question or request, contact us at privacy@draftapp.io.

2. Data we collect

We collect the data below to run Draft. We do not collect more than we need, and we never sell your personal data.

Account and authentication

  • Your email address.
  • A unique account identifier and session/authentication tokens used to keep you signed in.
  • One-time sign-in codes sent to your email (we use passwordless email sign-in).
  • The date your account was created.

Profile

  • Your display name and, optionally, your full name.
  • Your home location — both the place name you choose and its coordinates — which we store to show you rides near you.

Location

  • Your device location when you tap “Use current location” to set a home location or a ride start point.
  • Addresses you search for inside the app.
  • The start location of rides you create or join.
  • Route coordinates contained in GPX files you upload (see below).

To be clear: Draft stores your home location, ride start locations, and GPX route coordinates. We do not track your location continuously in the background.

Rides

  • Ride details you provide: title, description, ride type, start time, start location, distance, pace range, and number of spots.
  • Who hosts and who joins each ride, and the ride’s status.

Routes (GPX)

  • GPX route files you upload, including the file name, the parsed route coordinates, distance, elevation gain, and derived route metadata.

Notifications

  • Whether you have granted notification permission.
  • Your push notification token, device platform, and, where available, your device model or identifier — used only to deliver notifications you have enabled.

Waitlist, TestFlight, and Early Rider

  • Your email address and whether you want beta/TestFlight access.
  • How you reached us (source), your browser’s user agent, and referral information (your referral code and who referred you).
  • Your preferred language and platform, your Founder / Early Rider tier, and invite or conversion timestamps.
  • Country or city, if you provide it.

Website usage

  • Aggregated, privacy-friendly usage statistics for draftapp.io via Vercel Analytics (for example, page views and general device/browser type). This helps us understand how the site is used.

3. How we use your data and our legal bases

Under the GDPR, we rely on the following legal bases:

  • To provide the service (performance of a contract). Creating and securing your account, hosting and joining rides, matching you with nearby rides, handling GPX routes, and delivering the notifications you enable.
  • Your consent. Accessing your device location when you ask us to, sending push notifications you opt in to, and adding you to our waitlist and sending you launch/beta emails. You can withdraw consent at any time.
  • Our legitimate interests. Keeping Draft secure, preventing abuse, understanding and improving the product, running basic website analytics, and operating our beta program.
  • Legal obligations. Complying with applicable law and responding to valid legal requests.

4. Who we share data with

We share data only with service providers (processors) that help us run Draft, under agreements that require them to protect it. We do not sell your data and we do not use it for cross-app advertising.

  • Supabase — database, authentication, and file storage.
  • Expo — delivery of push notifications.
  • Apple and Google — app distribution (App Store, Google Play, TestFlight) and the underlying push notification transport.
  • Vercel — hosting and analytics for our website.
  • Resend — sending transactional and beta-program emails.

We may also disclose data where required by law, or to protect the rights, safety, and security of Draft and our users.

5. Content visible to other riders

Draft is a social product, so some information is shared with other riders by design. When you host or join a ride, your display name and the rides you host or join are visible to other riders so they can find and join rides. Ride titles and descriptions you write are visible to riders who can see that ride — please don’t include sensitive personal information in them. We do not show your email address to other users.

6. How long we keep data

We keep your account and the data linked to it for as long as your account exists. When you delete your account (see below), we delete or anonymize your personal data, except where we must keep limited records to meet legal obligations or to protect the integrity of shared rides. Waitlist and beta-program data is kept until the program ends or you ask us to remove it. Encrypted backups are rotated on a routine schedule.

7. Your rights

If you are in the EU/EEA, you have the right to access, correct, delete, or export your personal data, to restrict or object to certain processing, and to withdraw any consent you have given. To exercise these rights, email us at privacy@draftapp.io. You also have the right to lodge a complaint with your local data protection authority — in the Netherlands, the Autoriteit Persoonsgegevens.

8. Deleting your account and data

To delete your account or request a copy of your data, email us at privacy@draftapp.io. We will delete your profile, remove you from rides, remove your notification tokens, and delete the data connected to your account where possible.

9. Permissions and your choices

  • Location. Draft only reads your location when you ask it to (for example, when setting a home location). You can change location permission at any time in your device settings.
  • Notifications. Push notifications are opt-in. You can turn them off in the app or in your device settings.
  • Emails. You can unsubscribe from beta and launch emails using the link in any message we send.

10. Security

We protect your data with encryption in transit, database access controls, and private storage for uploaded route files, and we limit who can access personal data. No method of transmission or storage is completely secure, but we work to protect your data and to keep improving how it is safeguarded.

11. International transfers

Some of our providers process data outside the European Economic Area, including in the United States. Where that happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.

12. Children

Draft is not directed to children. You must be at least 16 years old to use Draft. We do not knowingly collect personal data from children under this age; if you believe a child has provided us data, contact us and we will remove it.

13. Changes to this policy

We may update this policy from time to time. When we do, we will change the “Last updated” date above, and we will tell you about material changes where appropriate.

14. Contact

Questions about this policy or your data? Email us at privacy@draftapp.io.

← Back to Draft