Privacy Policy
Effective date: 22 March 2026
This Privacy Policy explains how Mind Athletic BV ("we", "us", "our") collects, uses, and protects personal data when you use Drafted ("the Service"), a design preview and collaboration platform available at drafted.live.
We are committed to protecting your privacy. We collect the minimum data necessary to operate the Service and do not sell, rent, or trade your personal data to third parties.
1. Controller
The data controller for the Service is:
Mind Athletic BV
KVK: 83693602
Registered in the Netherlands
Contact: 
2. What data we collect
2.1 Account data
When you sign up, we collect:
- Email address — used as your login identifier and to send you transactional emails (sign-in links, team invitations).
- Username (optional) — a display name you may choose to set.
2.2 Organisation data
When you create or join an organisation, we store the organisation name, your membership role (owner or member), and the date you joined.
2.3 Content you upload
The Service stores design files, HTML content, and binary assets (images, fonts, stylesheets) that you upload to your projects. This content is scoped to your organisation and is not accessible to other organisations.
2.4 Usage data
We collect anonymous, aggregate usage analytics (page views, referrer, browser type, country) using a self-hosted instance of Umami, a privacy-focused analytics tool. Umami does not use cookies, does not collect personal data, and does not track individual users. IP addresses are not stored. This data is processed on our own servers within the EU.
2.5 Error reports
We collect anonymous error reports (stack traces, browser and OS information) using a self-hosted instance of GlitchTip. This data helps us identify and fix bugs. Error data is processed on our own servers within the EU.
2.6 Session data
When you sign in, we create a session record that includes your user ID, organisation ID, and an expiration timestamp. Sessions expire after 30 days of inactivity.
2.7 Data we do not collect
We do not collect passwords (authentication is passwordless), payment information, IP addresses, precise location data, or any special categories of personal data.
3. How we use your data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Authenticate you and maintain your session | Email, session cookie | Contract (Art. 6(1)(b)) |
| Send sign-in links and team invitations | Contract (Art. 6(1)(b)) | |
| Store and serve your design content | Uploaded files, design data | Contract (Art. 6(1)(b)) |
| Enable real-time collaboration within your organisation | Username, session, presence data | Contract (Art. 6(1)(b)) |
| Analyse aggregate usage to improve the Service | Anonymous page views (no PII) | Legitimate interest (Art. 6(1)(f)) |
| Detect and fix errors | Anonymous error reports (no PII) | Legitimate interest (Art. 6(1)(f)) |
4. Cookies
We use a single, strictly necessary cookie:
| Name | Purpose | Type | Duration |
|---|---|---|---|
gc_session | Maintains your authenticated session | HttpOnly, Secure, SameSite=Lax | 30 days |
This cookie is essential for the Service to function and does not require consent under the ePrivacy Directive. We do not use any tracking, advertising, or analytics cookies.
5. Data processors
We share personal data only with the following processors, all of which operate under data processing agreements:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, database, self-hosted services | All data (encrypted at rest) | EU (Germany) |
| Cloudflare, Inc. (R2) | Object storage for uploaded assets | Design files, images, binary assets | EU — Eastern Europe (EEUR) |
| Resend, Inc. | Transactional email delivery | Recipient email address | US (EU-US DPF certified) |
Resend is certified under the EU-US Data Privacy Framework. We have Standard Contractual Clauses in place as an additional safeguard.
We do not use any advertising networks, social media trackers, third-party analytics services, or external CDNs. All fonts, scripts, and assets are served from our own infrastructure.
6. International transfers
Your data is primarily stored and processed within the European Union (Hetzner, Germany). Where data is transferred outside the EEA (Resend for email delivery), the transfer is protected by:
- The EU-US Data Privacy Framework adequacy decision, and
- Standard Contractual Clauses (SCCs) as a supplementary safeguard.
Uploaded assets stored in Cloudflare R2 are configured to the Eastern Europe (EEUR) region and remain within the EU.
7. Data retention
| Data | Retention period |
|---|---|
| Account (email, username) | Until you delete your account |
| Organisation membership | Until you leave the organisation or delete your account |
| Design content and uploaded files | Until you or an organisation owner deletes them |
| Sessions | 30 days (automatically expired) |
| Magic link tokens | 10 minutes (automatically expired), cleaned up within 24 hours |
| Device authorisation codes | 15 minutes (automatically expired) |
| Organisation invitations | 72 hours (configurable, automatically expired) |
| Anonymous analytics | Retained in aggregate; no personal data |
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data (you can update your username directly in the Service).
- Erasure — request deletion of your account and associated personal data.
- Data portability — receive your data in a structured, machine-readable format.
- Restriction — request that we limit processing of your data in certain circumstances.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at the email address listed in Section 1. We will respond within 30 days.
9. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwordless authentication (magic links) — no password database to breach.
- Session tokens stored as UUIDs with HttpOnly, Secure, SameSite cookies.
- Magic link and invite tokens hashed with SHA-256 before storage.
- All data encrypted in transit (TLS) and at rest.
- Tenant isolation — all queries scoped by organisation; data is not accessible across organisations.
- Uploaded assets stored in private buckets, accessible only via time-limited signed URLs.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at the email address listed in Section 1 and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Effective date" at the top of this page indicates when this policy was last revised.
12. Supervisory authority
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ The Hague
The Netherlands
autoriteitpersoonsgegevens.nl
13. Contact
For any questions about this Privacy Policy or your personal data, contact us at the email address listed in Section 1.