Last updated: 18 April 2026
This policy explains what personal data Downshift collects, why we collect it, how we use and store it, who we share it with, and what rights you have. Downshift is a trading name of Nadeem Mehmood (“we”, “us”, “our”).
We are the data controller for the personal data described in this policy. This means we decide how and why your personal data is processed.
We have written this policy in plain English. If anything is unclear, contact us at privacy@dshft.com and we will explain.
1. Who We Are
Downshift is a social app for car and bike enthusiasts. We operate the Downshift mobile app and the website at dshft.com.
Data controller: Nadeem Mehmood, trading as Downshift
Contact for data protection matters: privacy@dshft.com
Data Protection Officer: We have not appointed a Data Protection Officer because we are not required to under Article 37 of UK GDPR. We are not a public authority, our core activities do not involve large-scale systematic monitoring of individuals, and we do not process special category data on a large scale. If this changes as we grow, we will appoint one. In the meantime, all data protection queries should be directed to the email address above.
2. What Data We Collect
Account Information
When you create an account, we collect:
| Data | Source | Purpose |
|---|---|---|
| Email address | Provided by you or your sign-in provider | Account identification, one-time passcode authentication, and transactional emails (for example: security alerts, moderation outcomes, subscription receipts). We do not use your account email for marketing. See Section 11 for the separate waitlist signup on our website. |
| Display name | Provided by you during onboarding | Shown on your profile |
| Handle (username) | Chosen by you during onboarding | Unique identifier for your profile, used in @mentions and search |
| Profile photo | Uploaded by you (optional) | Shown on your profile and alongside your content |
| Authentication provider ID | Apple Sign In or Google Sign In | Linking your sign-in method to your Downshift account |
| Date of birth or age confirmation | Provided by you during sign-up | Verifying you meet the minimum age requirement (16+) |
Vehicle Information
When you add a vehicle to your garage:
| Data | Source | Purpose |
|---|---|---|
| Vehicle make, model, year | Selected by you | Displayed on your profile and associated with your journeys |
| Vehicle photo | Uploaded by you (optional) | Displayed on your vehicle profile |
| Vehicle type (car/motorcycle) | Selected by you | Displayed on your vehicle profile |
Journey Data
When you record a journey:
| Data | Source | Purpose |
|---|---|---|
| GPS route (series of coordinates) | Your device’s location services | Displaying your journey route on a map |
| Speed data | Derived from GPS coordinate changes | Stored as part of raw GPS data for accuracy; never displayed to users |
| Distance | Calculated from GPS data | Displayed as a journey statistic |
| Duration | Calculated from recording start/end | Displayed as a journey statistic |
| Journey title | Written by you | Displayed alongside your journey |
| Journey photos | Uploaded by you (optional) | Displayed alongside your journey |
| Timestamp (start and end) | Your device clock | Displayed as journey metadata |
Privacy masking: A randomised distance (between 150 and 300 metres) is automatically removed from the start and end of every journey before it is shared. The full route is stored but the masked portions are never displayed to other users.
Speed data: GPS data inherently contains speed information (derived from coordinate changes over time). We store this as part of the raw GPS data but we do not display speed to users, rank users by speed, or use speed data for any public-facing feature. Speed data is not included in data exports.
Social Activity
When you interact with other users:
| Data | Source | Purpose |
|---|---|---|
| Follow relationships | Your actions | Determining your feed content and follower/following counts |
| Likes | Your actions | Showing engagement on journeys |
| Comments | Written by you | Displayed on journeys |
| Reports | Submitted by you | Content moderation. See our Community Guidelines for how we review and act on reports. |
Device and Technical Data
Collected automatically when you use the app:
| Data | Source | Purpose |
|---|---|---|
| Device type and OS version | Your device | Ensuring compatibility and debugging issues |
| App version | The app | Ensuring compatibility and debugging issues |
| Push notification token | Expo Push | Delivering push notifications you have opted into |
| IP address | Your network connection | Security (rate limiting, abuse prevention), approximate geolocation for analytics |
| Crash reports | The app | Identifying and fixing bugs |
Analytics
In-app analytics
We use Mixpanel for anonymous product analytics within the Downshift app. This is off by default— no analytics data is collected until you choose to opt in via the consent prompt shown after onboarding.
For signed-in users on the mobile app, events are associated with your stable user ID and tagged with your public handle and subscription tier so we can understand how different groups of users experience the app. We do not send your email address, display name, or profile photo to Mixpanel.
If you opt in, we collect:
| Data | Source | Purpose |
|---|---|---|
| Usage events (e.g. screens viewed, features used) | Mixpanel SDK | Understanding how people use the app to improve features |
| User ID (internal identifier) | Mixpanel SDK | Stitching events to a stable identity so we can understand journeys across sessions |
| Public handle and subscription tier | Mixpanel SDK | Understanding how different groups of users experience the app |
| Device type and OS version | Mixpanel SDK | Ensuring compatibility across devices |
Mixpanel analytics in the app:
- Are entirely consent-based — you can opt out at any time in Settings
- Do not collect your name, email, profile photo, or any information beyond what is listed above
- Are never enabled for users under 18 (see Section 9)
- Do not use advertising identifiers or cross-app tracking
Erasure on account deletion
When you delete your account, we submit a deletion request to Mixpanel for all data associated with your user ID. This happens automatically when you confirm deletion — even if you never opted into analytics, as a belt-and-braces measure.
Mixpanel processes deletion requests asynchronously, which can take up to 30 days. Combined with the 7-day grace period before your account is fully removed, your data will be erased from Mixpanel within approximately 37 days of your original deletion request.
We also submit a data deletion request to Sentry as part of the account deletion cascade. This covers crash reports, error events, and any session data associated with your pseudonymised profile ID.
Website analytics (dshft.com)
On the Downshift website, we also use Mixpanel for analytics. This collects:
| Data | Source | Purpose |
|---|---|---|
| Pages visited | Mixpanel tracking | Understanding how people find and use the website |
| Referral source | Mixpanel tracking | Understanding where visitors come from |
| Browser and device type | Mixpanel tracking | Ensuring the website works across devices |
| Approximate location (country/region) | IP-based geolocation via Mixpanel | Understanding our audience geography |
Mixpanel analytics are only loaded with your consent (via the cookie consent banner). If you decline, no Mixpanel data is collected.
Mixpanel events are sent via a first-party reverse proxy on dshft.com (rather than directly to mixpanel.com). Cookies and referer headers are stripped at the proxy and never reach Mixpanel. Your IP address is forwarded so Mixpanel can derive your approximate country and region for geographic analytics; Mixpanel stores the IP on the event record as part of its standard ingest.
We also use Vercel Analytics on the website. Vercel Analytics is privacy-preserving: it does not use cookies, does not track users across sites, and does not collect personal data. It provides aggregate page view and performance data only.
Waitlist (Launch Notifications)
If you join the waitlist on dshft.com:
| Data | Source | Purpose |
|---|---|---|
| Email address | Provided by you | Sending you one email when Downshift launches on the platform you selected (iOS, Android, or both). This is a marketing communication under PECR, sent only with your explicit consent at the time of signup. |
Data we do NOT collect
To be clear about our boundaries:
- We do not collect your contacts or address book
- We do not access your camera or photo library except when you explicitly choose to upload a photo
- We do not record audio or video
- We do not track your location when you are not actively recording a journey
- We do not collect payment card details — subscription billing for D+ (Downshift Plus) is handled entirely by Apple via StoreKit. Downshift receives only subscription plan state, entitlement status, and transaction receipts from RevenueCat; no payment card data is ever held by us.
- We do not collect biometric data
3. Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for each processing activity. Here is the specific basis for each type of data we process:
| Processing activity | Lawful basis | Explanation |
|---|---|---|
| Creating and maintaining your account | Contract (Article 6(1)(b)) | Necessary to provide the Service you signed up for |
| Storing and displaying your vehicle profile | Contract (Article 6(1)(b)) | Core feature of the Service |
| Recording, storing, and displaying journeys | Contract (Article 6(1)(b)) | Core feature of the Service |
| Processing GPS location data during journey recording | Consent (Article 6(1)(a)) | You explicitly start each recording; location permission is requested by your device |
| Storing speed data as part of raw GPS data | Legitimate interest (Article 6(1)(f)) | Maintaining data integrity and journey accuracy; speed is never displayed |
| Displaying your social activity (follows, likes, comments) | Contract (Article 6(1)(b)) | Core social features of the Service |
| Processing content reports and moderation | Legal obligation (Article 6(1)(c)) | Required under Online Safety Act 2023 and to remove illegal content |
| Collecting device and technical data | Legitimate interest (Article 6(1)(f)) | Security, abuse prevention, and maintaining Service quality |
| Collecting IP addresses for rate limiting and security | Legitimate interest (Article 6(1)(f)) | Preventing abuse and protecting the Service and its users |
| Sending transactional emails (e.g. authentication codes) | Contract (Article 6(1)(b)) | Necessary for account security and Service operation |
| Sending push notifications | Consent (Article 6(1)(a)) | You opt in via your device settings |
| In-app analytics via Mixpanel | Consent (Article 6(1)(a)) | You opt in via the analytics consent prompt; off by default; not available to users under 18 |
| Website analytics via Mixpanel | Consent (Article 6(1)(a)) | You consent via the cookie banner |
| Waitlist email collection and launch notification | Consent (Article 6(1)(a)) and PECR reg. 22 | You voluntarily submit your email; the launch notification is a marketing communication sent with your explicit consent |
| Crash reporting | Legitimate interest (Article 6(1)(f)) | Identifying and fixing bugs to maintain Service quality |
Why consent for location data: Although journey recording is itself a contracted service, we rely on consent for the location data specifically. Consent is the more protective basis, you must explicitly start each recording, and the operating system location permission is requested separately.
Legitimate interest assessments: Where we rely on legitimate interest, we have assessed that:
- The processing is necessary for the purpose and there is no less intrusive way to achieve it
- The processing does not override your rights and freedoms
- You would reasonably expect us to process the data in this way
You can request a copy of our legitimate interest assessments by contacting privacy@dshft.com.
Withdrawing consent: Where processing is based on consent, you can withdraw it at any time:
- Location data: Stop recording journeys, or revoke location permission in your device settings
- Push notifications: Disable in your device settings
- In-app analytics: Toggle off in Settings > Privacy
- Website analytics: Use the cookie consent controls on the website, or clear your cookies
- Waitlist: Visit dshft.com/unsubscribe or email privacy@dshft.com to be removed
- Marketing emails: Toggle off in Settings > Notifications > Email, click unsubscribe in any marketing email, or email privacy@dshft.com
Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
4. How We Store and Protect Your Data
Infrastructure
| Data type | Storage provider | Location |
|---|---|---|
| Account data, journey data, social activity, vehicle metadata | MongoDB (hosted on Railway) | EU |
| Authentication data (email, provider IDs, sessions) | Supabase | EU |
| Photos (profile, vehicle, journey) | Cloudflare R2 | EU (Western Europe, primary storage); global edge caching |
| Push notification tokens | Expo Push | US |
| Analytics (in-app and website) | Mixpanel | US |
| Map tile requests and static map previews | Mapbox | US |
| Subscription status and purchase receipts | RevenueCat | US |
| Background job queue and caching | Redis (hosted on Railway) | EU |
| Crash reports, JS error events, navigation breadcrumbs, session events, pseudonymised (hashed) profile ID, debug symbols | Sentry | EU |
Security Measures
We implement the following technical and organisational measures to protect your data:
Technical measures:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
- All data at rest is encrypted by our infrastructure providers (AES-256 or equivalent)
- Authentication is handled by Supabase using industry-standard protocols (JWT tokens, secure session management)
- All public API endpoints are rate-limited to prevent abuse
- Database access requires authentication and is restricted to the application layer
- Photos are served via signed URLs with expiry times
Organisational measures:
- Access to production systems is limited to essential personnel only
- We follow the principle of least privilege for all system access
- We do not store passwords (authentication is via third-party sign-in or one-time passcodes)
- We review our security practices regularly
Privacy by design: We have built privacy protections into the Service from the start:
- Journey privacy masking (150–300m randomised from start and end) is automatic and cannot be disabled
- Speed data is captured but never exposed through any user interface or API endpoint
- Location tracking only occurs during active journey recording (no background tracking)
- We collect the minimum data necessary for each feature to function
Data Breach Procedures
No system is perfectly secure. If we discover a personal data breach:
- We will assess the risk to individuals without undue delay
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly (by email and/or in-app notification) without undue delay, describing the nature of the breach, the likely consequences, and the measures we are taking
- We will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms, as required by Article 33 of UK GDPR
- We will document all breaches, including those that do not require notification, as part of our accountability obligations
5. Who We Share Your Data With
Other Users
When you use Downshift, other users can see:
- Your display name, handle, and profile photo
- Your vehicle profile (make, model, year, photo)
- Your journeys (with privacy-masked start/end points)
- Your follower and following counts
- Your likes and comments
You control what you share by choosing what to post. We do not share private data (email address, full GPS routes including masked portions, speed data, device information) with other users.
Third-Party Data Processors
We use the following third-party services to operate Downshift. They process data on our behalf, under data processing agreements, and only for the purposes we specify:
| Provider | What they process | Lawful basis for sharing | Their privacy policy |
|---|---|---|---|
| Supabase | Authentication data (email, provider IDs, sessions) | Contract — necessary for authentication | supabase.com/privacy |
| Cloudflare | Photos, website traffic | Contract — necessary for content delivery | cloudflare.com/privacypolicy |
| Mixpanel | In-app and website analytics (with consent only) | Consent | mixpanel.com/legal/privacy-policy |
| Railway | Application hosting, database hosting (all app data passes through Railway infrastructure) | Contract — necessary for Service operation | railway.app/legal/privacy |
| Expo (650 Industries) | Push notification tokens, OTA app updates | Consent (push notifications), Contract (updates) | expo.dev/privacy |
| Vercel | Website hosting, privacy-preserving analytics | Legitimate interest — necessary for website operation | vercel.com/legal/privacy-policy |
| Apple | App distribution, Sign In with Apple | Contract — necessary for app distribution and authentication | apple.com/legal/privacy |
| App distribution, Google Sign In | Contract — necessary for app distribution and authentication | policies.google.com/privacy | |
| Sentry | Crash reports, JS error events, navigation breadcrumbs, session events, pseudonymised (hashed) profile ID, debug symbols. Authorization headers and known PII are scrubbed before events are sent. | Legitimate interest — maintaining Service quality | sentry.io/privacy |
| Mapbox | Map tile requests from the app (IP address, map viewport); simplified journey route coordinates sent server-side when generating the static map preview for a published journey | Contract — necessary for map display | mapbox.com/legal/privacy |
| RevenueCat | Subscription status, purchase receipts (no payment details) | Contract — necessary for subscription management | revenuecat.com/privacy |
| Grafana Labs | Application observability — structured backend request logs, distributed trace spans, and error context via OpenTelemetry (OTLP). No user content, no GPS data, no photos. | Legitimate interest — operational stability and debugging | grafana.com/legal/privacy-policy |
Law Enforcement and Legal Obligations
We may disclose your data if:
- Required by law, regulation, or valid legal process (e.g. a court order or warrant)
- Required by a regulatory authority (e.g. the ICO or Ofcom)
- Necessary to protect the safety of our users or the public
- Necessary to prevent or detect crime
Where legally permitted, we will notify you if we receive a request for your data from law enforcement. We will not voluntarily disclose your data to law enforcement without a valid legal basis.
Business Transfers
If Downshift is acquired, merges with another business, or our assets are transferred, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
No Selling of Data
We do not sell your personal data to anyone. We do not share your data with advertisers or data brokers. We will never monetise your personal data.
6. International Data Transfers
Some of our service providers process data outside the United Kingdom:
| Provider | Country | Transfer mechanism |
|---|---|---|
| Mixpanel | United States | UK International Data Transfer Agreement (UK IDTA) / Standard Contractual Clauses |
| Expo | United States | UK IDTA / Standard Contractual Clauses |
| Vercel | United States | UK IDTA / Standard Contractual Clauses |
| Cloudflare | EU (primary storage); global edge caching | UK IDTA / Standard Contractual Clauses; Cloudflare is also certified under recognised frameworks |
| Apple | United States | UK IDTA / Standard Contractual Clauses |
| United States | UK IDTA / Standard Contractual Clauses | |
| Sentry | EU | No transfer required (EU adequacy) |
| Mapbox | United States | UK IDTA / Standard Contractual Clauses |
| RevenueCat | United States | UK IDTA / Standard Contractual Clauses |
| Grafana Labs | EU | No transfer required (EU adequacy) |
When your data is transferred outside the UK, we ensure that:
- Appropriate safeguards are in place, as required by Chapter V of UK GDPR
- We use the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses (as supplemented by the UK Addendum) as our transfer mechanism
- We assess the laws of the destination country to ensure they provide adequate protection, and implement supplementary measures where necessary
You can request a copy of the transfer safeguards we have in place by contacting privacy@dshft.com.
7. How Long We Keep Your Data
We retain your data only for as long as necessary for the purposes described in this policy. Here are the specific retention periods:
| Data type | Retention period | Reason |
|---|---|---|
| Account data (email, name, handle, profile photo) | Until you delete your account | Necessary to provide the Service |
| Journey data (routes, distance, duration, titles, photos) | Until you delete the journey or your account | Necessary to provide the Service |
| Speed data (within raw GPS data) | Until you delete the journey or your account | Stored as part of journey GPS data |
| Photos (profile, vehicle, journey) | Until you remove the photo or delete your account | Necessary to display your content |
| Social activity (likes, comments, follows) | Until you remove them or delete your account | Necessary to provide social features |
| Vehicle data | Until you remove the vehicle or delete your account | Necessary to display your garage |
| Device and technical data | Up to 12 months from collection, then deleted or aggregated | Needed for debugging and security; no longer needed after this period |
| IP addresses (security logs) | Up to 6 months | Needed for abuse investigation; deleted after this period |
| Crash reports | Up to 12 months | Needed to identify and fix bugs |
| Analytics (Mixpanel — in-app and website) | Up to 12 months, then aggregated or deleted | Configured within Mixpanel’s retention settings |
| Push notification tokens | Until you disable notifications or delete your account | Needed to deliver notifications |
| Subscription records (via RevenueCat) | For the life of the account, plus 6 years after account closure | Needed for tax and accounting records under UK law; RevenueCat holds subscription status and receipt metadata only (no payment card details) |
| Waitlist email | Until we send you the launch notification for your chosen platform, or until you unsubscribe, whichever is sooner. Purged within 30 days of the notification being sent. | Single-purpose collection |
| Content moderation records — reports | Up to 3 years after the report | Needed for appeals, legal obligations, and pattern detection |
| Content moderation records — decisions, warnings, suspensions, bans | 6 years after the action | Required under OSA 2023 s.26 and the Limitation Act 1980 (potential civil claims) |
| Authentication logs | Up to 12 months | Security auditing |
When you delete your account:
- Your personal data is deleted from our live systems within 30 days
- Your content (journeys, photos, comments) is removed from public view immediately
- Data may persist in encrypted backups for up to 90 days before being permanently removed
- Aggregated, anonymised data (e.g. total journey count across the platform) may be retained indefinitely, as it is no longer personal data
- Content moderation records may be retained for the periods above, even after account deletion, as we have a legitimate interest and legal obligation in maintaining these records
8. Your Rights Under UK GDPR
You have the following rights over your personal data. These rights are not absolute — some are subject to conditions and exceptions set out in UK GDPR and the Data Protection Act 2018.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Article 15) | You can request a copy of all personal data we hold about you, along with information about how we process it | Email privacy@dshft.com or use the data export feature in the app |
| Rectification (Article 16) | You can ask us to correct inaccurate personal data or complete incomplete data | Edit your profile in the app, or email privacy@dshft.com |
| Erasure (Article 17) | You can ask us to delete your personal data in certain circumstances | Delete your account in the app, or email privacy@dshft.com |
| Restriction (Article 18) | You can ask us to temporarily stop processing your data while we resolve a concern (e.g. while we verify accuracy) | Email privacy@dshft.com |
| Data portability (Article 20) | You can request your data in a structured, commonly used, machine-readable format (JSON) | Email privacy@dshft.com or use the data export feature in the app |
| Object (Article 21) | You can object to processing based on legitimate interest; we must stop unless we demonstrate compelling legitimate grounds | Email privacy@dshft.com |
| Withdraw consent | Where we process data based on consent, you can withdraw it at any time | See Section 3 for how to withdraw consent for each type |
| Not be subject to automated decisions (Article 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects | See “Automated decision-making” below |
How to Make a Subject Access Request
To request a copy of your personal data (a “Subject Access Request” or SAR):
- Email privacy@dshft.com with the subject line “Subject Access Request”
- Include enough information for us to verify your identity (the email address associated with your account is usually sufficient)
- Tell us what data you would like, or if you want everything we hold
- We will respond within one calendar month of receiving your request
- If your request is complex or we receive many requests, we may extend this by up to two additional months, but we will tell you within the first month if we need to do this
- There is no fee for a SAR unless the request is manifestly unfounded or excessive
Data Export (Data Portability)
You can request an export of your data at any time through the app or by emailing privacy@dshft.com. We will provide it in JSON format, including:
- Your profile information
- Your vehicle data
- Your journey records (including full GPS routes, excluding speed data)
- Your social activity (follows, likes, comments)
- Your photos (as downloadable links)
We aim to fulfil export requests within 14 days.
Subject Access Requests: If you make a formal Subject Access Request (see above), the response will include all personal data we hold about you, including speed data derived from GPS coordinates. The self-service data export is a convenience feature covering your core content; a SAR is a broader legal right.
Automated Decision-Making
We do not currently make any decisions about you based solely on automated processing that produce legal or similarly significant effects. If this changes in the future, we will update this policy and notify you, including information about the logic involved and the significance of the processing.
Content moderation decisions (e.g. removing a post or suspending an account) are made by humans, not automated systems.
How to Complain
If you are not satisfied with how we handle your data or respond to your rights request:
- Contact us first at privacy@dshft.com. We will try to resolve your concern directly.
- Complain to the ICO: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You do not need to contact us before complaining to the ICO, but we would appreciate the opportunity to resolve matters directly if possible.
9. Children and Young People
Downshift is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at privacy@dshft.com and we will delete the account and associated data promptly.
Users aged 16-17: If you are 16 or 17, you can use Downshift, but please be aware that:
- Journey data reveals your location and travel patterns — think carefully before sharing publicly
- Content you post may be visible to all Downshift users
- You can delete your account and all your data at any time
- We encourage you to read this policy with a parent or guardian
ICO Children’s Code: We have considered the ICO’s Age Appropriate Design Code (Children’s Code) in designing Downshift. Although our minimum age is 16, we recognise that users aged 16-17 are still children under the Code. Our approach includes:
- Privacy masking of journey start/end points is on by default and cannot be disabled
- Geolocation is only active during explicit journey recording (no background tracking)
- We do not use nudge techniques to encourage users to weaken their privacy settings
- We do not profile children for marketing or product-optimisation purposes — in-app product analytics (Mixpanel) is disabled entirely for users under 18, even though our service minimum age is 16 (see Sections 2 and 3)
- We provide clear information about what data is collected and how it is used
10. Cookies and Similar Technologies
Mobile App
The Downshift mobile app does not use cookies. It uses secure token storage (provided by the device OS) for authentication sessions.
Website (dshft.com)
The Downshift website uses the following cookies:
| Cookie | Type | Purpose | Duration | Set by | Requires consent |
|---|---|---|---|---|---|
cookie-consent | Strictly necessary | Remembering your cookie consent choice | 12 months | Downshift | No |
Mixpanel cookies (mp_*) | Analytics | Understanding site usage, page views, user journeys | Up to 12 months | Mixpanel | Yes |
Strictly necessary cookies are required for the website to function and cannot be switched off. They do not store personally identifiable information.
Analytics cookies are only set if you give consent via the cookie banner. If you decline, no analytics cookies are set and Mixpanel is not loaded.
Vercel Analytics does not use cookies. It collects aggregate, non-personal performance and page view data without tracking individual users.
You can manage your cookie preferences at any time:
- Use the cookie consent controls on the website
- Clear cookies through your browser settings
- Use your browser’s privacy/incognito mode
For more information about cookies generally, visit allaboutcookies.org.
11. Marketing Communications
We keep marketing communications to a minimum. This section explains what we do and do not send, what lawful basis we rely on, and how to opt out.
What counts as marketing
Under the Privacy and Electronic Communications Regulations 2003 (PECR), “direct marketing” covers any communication aimed at promoting our products or services to you. This is narrower than general UK GDPR “processing” and excludes purely transactional messages (for example a one-time passcode, a security alert, a moderation outcome, or a subscription receipt).
What we send
| Communication | Audience | Lawful basis | How to stop it |
|---|---|---|---|
| Launch notification (one email when Downshift launches on your chosen platform) | People who joined the waitlist on dshft.com | Consent — UK GDPR Art. 6(1)(a) and PECR reg. 22 | Click the unsubscribe link in the email, visit dshft.com/unsubscribe, or email privacy@dshft.com |
| Marketing emails (product updates, new features, re-engagement reminders) | Registered users who have explicitly opted in via Settings > Notifications > Email | Consent — UK GDPR Art. 6(1)(a) and PECR reg. 22. Opt-in is off by default and separate from account sign-up. | Toggle off in Settings > Notifications > Email, click unsubscribe in any marketing email, or email privacy@dshft.com |
| Transactional emails (one-time passcodes, security alerts, moderation decisions, subscription receipts) | Registered users | Contract — UK GDPR Art. 6(1)(b). These are not “marketing” under PECR and cannot be opted out of without closing your account, because they are necessary to provide the Service. | Close your account if you do not want to receive them |
What we do not do
- We do not send marketing emails to users who have not explicitly opted in
- We do not send marketing push notifications — all push notifications are service messages tied to an action you or someone you follow took in the app
- We do not share your email address with third-party marketers, advertisers, or data brokers
- We do not mix transactional and marketing content in the same email
- We never send marketing emails to users under 18
Your right to object
Under UK GDPR Art. 21(2) you have an absolute right to object to processing of your personal data for direct marketing at any time. We will stop sending you marketing communications as soon as you object, and no reason is required. You can exercise this right by clicking unsubscribe in any marketing email, toggling off in Settings > Notifications > Email, or emailing privacy@dshft.com.
If we introduce new marketing channels
If we decide in future to introduce marketing push notifications or other direct marketing channels, we will obtain your explicit opt-in consent first (separate from account sign-up consent) and update this policy to describe the new channel. We will never add you to a marketing list by default.
12. Changes to This Policy
We may update this policy from time to time. When we do:
- Material changes (e.g. new types of data collection, new third-party sharing, changes to your rights): We will notify you at least 30 days in advance through the app and/or by email. We will clearly explain what has changed and why.
- Minor changes(e.g. clarifications, formatting, updated provider details): We will update the policy and change the “Last updated” date. No individual notification.
We will maintain an archive of previous versions of this policy, available on request.
If a change requires your consent under data protection law, we will obtain it before the change takes effect.
13. Contact
If you have questions about this policy, want to exercise your data protection rights, or have a concern about how we handle your data:
- Email: privacy@dshft.com
- Website: dshft.com
We aim to respond to all data protection queries within 7 days, and to formal rights requests within one calendar month.
This policy was last reviewed on 18 April 2026.