§ 01Who we are
DRFT Ltd ("DRFT", "we", "us") is a company registered in England & Wales. Registered office: London, UK. Data controller registration: ICO #ZA000000.
You can reach our data protection team any time at privacy@drft.life, or our founders at hello@drft.life.
§ 02What we collect
Only what DRFT needs to read the patterns. We split everything into three categories:
| CATEGORY | WHAT | WHERE | SOLD? |
|---|---|---|---|
| Account | Email, name (optional), timezone | EU-West (AWS Frankfurt), encrypted at rest | NEVER |
| Integrations | OAuth tokens for the services you connect. Read-only scopes only. | EU-West, encrypted with per-user keys | NEVER |
| Signals | Sleep, HRV, workouts, calendar metadata, transaction metadata, app usage timestamps. | Device + EU-West. E2E-encrypted in transit and at rest. | NEVER |
| Patterns | The outputs DRFT computes from your signals. | Computed on-device where feasible. Otherwise E2E-encrypted. | NEVER |
| Diagnostics | Crash logs, app version, coarse country (for outage triage). No user-ID, no IP storage beyond 24h. | Sentry (self-hosted, EU) | NEVER |
What we explicitly don't collect: content of messages, content of emails, content of transactions (the "Starbucks" line-item — only amount, category, and timestamp), photos, videos, microphone audio, precise GPS location, or biometrics beyond what your HRV watch already exposes.
§ 03How we use it
What we do
- Compute patterns across your domains — the only product purpose.
- Train your model, not ours. Each user gets an isolated model; we don't pool data to train a shared system.
- Operate the service — auth, backups, billing, legal compliance.
- Security monitoring — detect account takeover, abuse.
What we never do
- Sell, rent, license, or barter your data. Including de-identified or aggregated data.
- Use your data to train shared AI models or sell inference APIs.
- Run behavioural advertising, ad-tech pixels, or affiliate tracking.
- Share with insurers, employers, advertisers, data brokers, or law enforcement without a valid warrant.
- Read the content of your communications, photos, or transactions.
§ 04Your integrations
DRFT connects via OAuth to services you already use. Every integration is requested in read-only scope. We cannot — by design — post, charge, or modify anything on your connected accounts.
You can revoke any integration from Settings → Integrations inside DRFT, or at source (e.g., Google, Apple, Plaid, Whoop). Revocation is immediate; historical signals pulled from that source are deleted within 24h unless you ask us to keep the local computations (you can).
§ 05Where patterns are computed
DRFT is architected as "local first":
- Cross-domain correlations, rolling averages, and your personal baseline live on your device.
- Heavy computation (e.g., LLM-assisted narrative, long-window statistics) runs server-side, on signals that are E2E-encrypted with keys your device holds.
- We cannot read your raw signals on our servers. Our engineers cannot "look you up".
§ 06Retention
Signals and patterns are retained as long as your account is active, plus 30 days for accidental-deletion recovery.
On account deletion, everything is purged from live systems within 24h and from encrypted backups within 30 days. We don't keep "tombstone" copies. Exports are available at any time in JSON + CSV from Settings → Export.
§ 07Your rights
Under UK GDPR and EU GDPR you have the right to:
- Access — download everything we hold, in machine-readable format.
- Rectify — correct anything inaccurate.
- Delete — remove your account and all derived patterns.
- Object — to any processing. (Since we only process to deliver the product, objecting means deleting.)
- Portability — export to another service in an open format.
- Complain — to the UK ICO or your local EU DPA.
All of these are one-click inside the app, or you can email privacy@drft.life. We respond within 72 hours.
§ 08Children
DRFT is not for anyone under 18. If you believe a minor has an account, email privacy@drft.life and we'll delete it immediately.
§ 09Security
- TLS 1.3 in transit.
- AES-256 at rest, with per-user encryption keys.
- SOC 2 Type II audit scheduled Q4 2026.
- Bug bounty open to researchers — security@drft.life.
- Breach notification within 72 hours, to you and to the ICO.
§ 10Changes
When we change this policy, we email every user at least 30 days before the change takes effect. Material changes — ever adding a use we've said we won't — are an opt-in, not a mere notice. If you'd ever rather leave than accept a change, export and delete — no cliff.
§ 11Contact
Privacy questions — privacy@drft.life
Security disclosure — security@drft.life
Everything else — hello@drft.life
© 2026 DRFT LTD · LONDON · PRIVACY V1.0 · LAST UPDATED 01 APR 2026