Last updated: 30 March 2026
This policy explains what personal data Downshift collects, why we collect it, how we use and store it, who we share it with, and what rights you have.
We are the data controller for the personal data described in this policy. This means we decide how and why your personal data is processed.
We have written this policy in plain English. If anything is unclear, contact us at privacy@dshft.com and we will explain.
1. Who We Are
Downshift is a social app for car and bike enthusiasts. We operate the Downshift mobile app and the website at dshft.com.
Data controller: Nadeem Mehmood, trading as Downshift
Contact for data protection matters:
- Email: privacy@dshft.com
- Postal address: Available on request via privacy@dshft.com
Data Protection Officer: We have not appointed a Data Protection Officer because we are not required to under Article 37 of UK GDPR. We are not a public authority, our core activities do not involve large-scale systematic monitoring of individuals, and we do not process special category data on a large scale. If this changes as we grow, we will appoint one. In the meantime, all data protection queries should be directed to the email address above.
2. What Data We Collect
Account Information
When you create an account, we collect:
| Data | Source | Purpose |
|---|---|---|
| Email address | Provided by you or your sign-in provider | Account identification, one-time passcode authentication, transactional emails |
| Display name | Provided by you during onboarding | Shown on your profile |
| Handle (username) | Chosen by you during onboarding | Unique identifier for your profile, used in @mentions and search |
| Profile photo | Uploaded by you (optional) | Shown on your profile and alongside your content |
| Authentication provider ID | Apple Sign In or Google Sign In | Linking your sign-in method to your Downshift account |
| Date of birth or age confirmation | Provided by you during sign-up | Verifying you meet the minimum age requirement (16+) |
Vehicle Information
When you add a vehicle to your garage:
| Data | Source | Purpose |
|---|---|---|
| Vehicle make, model, year | Selected by you | Displayed on your profile and associated with your journeys |
| Vehicle photo | Uploaded by you (optional) | Displayed on your vehicle profile |
| Vehicle type (car/motorcycle) | Selected by you | Displayed on your vehicle profile |
Journey Data
When you record a journey:
| Data | Source | Purpose |
|---|---|---|
| GPS route (series of coordinates) | Your device’s location services | Displaying your journey route on a map |
| Speed data | Derived from GPS coordinate changes | Stored as part of raw GPS data for accuracy; never displayed to users |
| Distance | Calculated from GPS data | Displayed as a journey statistic |
| Duration | Calculated from recording start/end | Displayed as a journey statistic |
| Journey title | Written by you | Displayed alongside your journey |
| Journey photos | Uploaded by you (optional) | Displayed alongside your journey |
| Timestamp (start and end) | Your device clock | Displayed as journey metadata |
Privacy masking: The first and last 200 metres of every journey are automatically removed from the publicly shared route. The full route is stored but the masked portions are never displayed to other users.
Speed data: GPS data inherently contains speed information (derived from coordinate changes over time). We store this as part of the raw GPS data but we do not display speed to users, rank users by speed, or use speed data for any public-facing feature. Speed data is not included in data exports.
Social Activity
When you interact with other users:
| Data | Source | Purpose |
|---|---|---|
| Follow relationships | Your actions | Determining your feed content and follower/following counts |
| Likes | Your actions | Showing engagement on journeys |
| Comments | Written by you | Displayed on journeys |
| Reports | Submitted by you | Content moderation |
Device and Technical Data
Collected automatically when you use the app:
| Data | Source | Purpose |
|---|---|---|
| Device type and OS version | Your device | Ensuring compatibility and debugging issues |
| App version | The app | Ensuring compatibility and debugging issues |
| Push notification token | Expo Push | Delivering push notifications you have opted into |
| IP address | Your network connection | Security (rate limiting, abuse prevention), approximate geolocation for analytics |
| Crash reports | The app | Identifying and fixing bugs |
Website Analytics (dshft.com only)
On the Downshift website, we use Mixpanel for analytics. This collects:
| Data | Source | Purpose |
|---|---|---|
| Pages visited | Mixpanel tracking | Understanding how people find and use the website |
| Referral source | Mixpanel tracking | Understanding where visitors come from |
| Browser and device type | Mixpanel tracking | Ensuring the website works across devices |
| Approximate location (country/region) | IP-based geolocation via Mixpanel | Understanding our audience geography |
Mixpanel analytics are only loaded with your consent (via the cookie consent banner). If you decline, no Mixpanel data is collected.
We also use Vercel Analytics on the website. Vercel Analytics is privacy-preserving: it does not use cookies, does not track users across sites, and does not collect personal data. It provides aggregate page view and performance data only.
Android Waitlist
If you join the Android waitlist on dshft.com:
| Data | Source | Purpose |
|---|---|---|
| Email address | Provided by you | Notifying you when Downshift is available on Android |
Data we do NOT collect
To be clear about our boundaries:
- We do not collect your contacts or address book
- We do not access your camera or photo library except when you explicitly choose to upload a photo
- We do not record audio or video
- We do not track your location when you are not actively recording a journey
- We do not collect financial or payment information (subscriptions, if offered in the future, are handled entirely by Apple/Google)
- We do not collect biometric data
3. Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for each processing activity. Here is the specific basis for each type of data we process:
| Processing activity | Lawful basis | Explanation |
|---|---|---|
| Creating and maintaining your account | Contract (Article 6(1)(b)) | Necessary to provide the Service you signed up for |
| Storing and displaying your vehicle profile | Contract (Article 6(1)(b)) | Core feature of the Service |
| Recording, storing, and displaying journeys | Contract (Article 6(1)(b)) | Core feature of the Service |
| Processing GPS location data during journey recording | Consent (Article 6(1)(a)) | You explicitly start each recording; location permission is requested by your device |
| Storing speed data as part of raw GPS data | Legitimate interest (Article 6(1)(f)) | Maintaining data integrity and journey accuracy; speed is never displayed |
| Displaying your social activity (follows, likes, comments) | Contract (Article 6(1)(b)) | Core social features of the Service |
| Processing content reports and moderation | Legal obligation (Article 6(1)(c)) | Required under Online Safety Act 2023 and to remove illegal content |
| Collecting device and technical data | Legitimate interest (Article 6(1)(f)) | Security, abuse prevention, and maintaining Service quality |
| Collecting IP addresses for rate limiting and security | Legitimate interest (Article 6(1)(f)) | Preventing abuse and protecting the Service and its users |
| Sending transactional emails (e.g. authentication codes) | Contract (Article 6(1)(b)) | Necessary for account security and Service operation |
| Sending push notifications | Consent (Article 6(1)(a)) | You opt in via your device settings |
| Website analytics via Mixpanel | Consent (Article 6(1)(a)) | You consent via the cookie banner |
| Android waitlist email collection | Consent (Article 6(1)(a)) | You voluntarily submit your email |
| Crash reporting | Legitimate interest (Article 6(1)(f)) | Identifying and fixing bugs to maintain Service quality |
Legitimate interest assessments: Where we rely on legitimate interest, we have assessed that:
- The processing is necessary for the purpose and there is no less intrusive way to achieve it
- The processing does not override your rights and freedoms
- You would reasonably expect us to process the data in this way
You can request a copy of our legitimate interest assessments by contacting privacy@dshft.com.
Withdrawing consent: Where processing is based on consent, you can withdraw it at any time:
- Location data: Stop recording journeys, or revoke location permission in your device settings
- Push notifications: Disable in your device settings
- Website analytics: Use the cookie consent controls on the website, or clear your cookies
- Android waitlist: Email privacy@dshft.com to be removed
Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
4. How We Store and Protect Your Data
Infrastructure
| Data type | Storage provider | Location |
|---|---|---|
| Account data, journey data, social activity, vehicle metadata | MongoDB (hosted on Railway) | Europe (EU) |
| Authentication data (email, provider IDs, sessions) | Supabase | Europe (EU) |
| Photos (profile, vehicle, journey) | Cloudflare R2 | Globally distributed (nearest edge location) |
| Push notification tokens | Expo Push | US |
| Website analytics | Mixpanel | US |
| Background job queue and caching | Redis (hosted on Railway) | Europe (EU) |
Security Measures
We implement the following technical and organisational measures to protect your data:
Technical measures:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
- All data at rest is encrypted by our infrastructure providers (AES-256 or equivalent)
- Authentication is handled by Supabase using industry-standard protocols (JWT tokens, secure session management)
- All public API endpoints are rate-limited to prevent abuse
- Database access requires authentication and is restricted to the application layer
- Photos are served via signed URLs with expiry times
Organisational measures:
- Access to production systems is limited to essential personnel only
- We follow the principle of least privilege for all system access
- We do not store passwords (authentication is via third-party sign-in or one-time passcodes)
- We review our security practices regularly
Privacy by design: We have built privacy protections into the Service from the start:
- Journey privacy masking (first/last 200m) is automatic and cannot be disabled
- Speed data is captured but never exposed through any user interface or API endpoint
- Location tracking only occurs during active journey recording (no background tracking)
- We collect the minimum data necessary for each feature to function
Data Breach Procedures
No system is perfectly secure. If we discover a personal data breach:
- We will assess the risk to individuals without undue delay
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly (by email and/or in-app notification) without undue delay, describing the nature of the breach, the likely consequences, and the measures we are taking
- We will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms, as required by Article 33 of UK GDPR
- We will document all breaches, including those that do not require notification, as part of our accountability obligations
5. Who We Share Your Data With
Other Users
When you use Downshift, other users can see:
- Your display name, handle, and profile photo
- Your vehicle profile (make, model, year, photo)
- Your journeys (with privacy-masked start/end points)
- Your follower and following counts
- Your likes and comments
You control what you share by choosing what to post. We do not share private data (email address, full GPS routes including masked portions, speed data, device information) with other users.
Third-Party Data Processors
We use the following third-party services to operate Downshift. They process data on our behalf, under data processing agreements, and only for the purposes we specify:
| Provider | What they process | Lawful basis for sharing | Their privacy policy |
|---|---|---|---|
| Supabase | Authentication data (email, provider IDs, sessions) | Contract — necessary for authentication | supabase.com/privacy |
| Cloudflare | Photos, website traffic | Contract — necessary for content delivery | cloudflare.com/privacypolicy |
| Mixpanel | Website analytics (with consent only) | Consent | mixpanel.com/legal/privacy-policy |
| Railway | Application hosting, database hosting (all app data passes through Railway infrastructure) | Contract — necessary for Service operation | railway.app/legal/privacy |
| Expo (70apps Inc) | Push notification tokens, OTA app updates | Consent (push notifications), Contract (updates) | expo.dev/privacy |
| Vercel | Website hosting, privacy-preserving analytics | Legitimate interest — necessary for website operation | vercel.com/legal/privacy-policy |
| Apple | App distribution, Sign In with Apple | Contract — necessary for app distribution and authentication | apple.com/legal/privacy |
| Google | App distribution, Google Sign In | Contract — necessary for app distribution and authentication | policies.google.com/privacy |
Law Enforcement and Legal Obligations
We may disclose your data if:
- Required by law, regulation, or valid legal process (e.g. a court order or warrant)
- Required by a regulatory authority (e.g. the ICO or Ofcom)
- Necessary to protect the safety of our users or the public
- Necessary to prevent or detect crime
Where legally permitted, we will notify you if we receive a request for your data from law enforcement. We will not voluntarily disclose your data to law enforcement without a valid legal basis.
Business Transfers
If Downshift is acquired, merges with another business, or our assets are transferred, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
No Selling of Data
We do not sell your personal data to anyone. We do not share your data with advertisers or data brokers. We will never monetise your personal data.
6. International Data Transfers
Some of our service providers process data outside the United Kingdom:
| Provider | Country | Transfer mechanism |
|---|---|---|
| Mixpanel | United States | UK International Data Transfer Agreement (UK IDTA) / Standard Contractual Clauses |
| Expo | United States | UK IDTA / Standard Contractual Clauses |
| Vercel | United States | UK IDTA / Standard Contractual Clauses |
| Cloudflare | Global (edge locations) | UK IDTA / Standard Contractual Clauses; Cloudflare is also certified under recognised frameworks |
| Apple | United States | UK IDTA / Standard Contractual Clauses |
| Google | United States | UK IDTA / Standard Contractual Clauses |
When your data is transferred outside the UK, we ensure that:
- Appropriate safeguards are in place, as required by Chapter V of UK GDPR
- We use the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses (as supplemented by the UK Addendum) as our transfer mechanism
- We assess the laws of the destination country to ensure they provide adequate protection, and implement supplementary measures where necessary
You can request a copy of the transfer safeguards we have in place by contacting privacy@dshft.com.
7. How Long We Keep Your Data
We retain your data only for as long as necessary for the purposes described in this policy. Here are the specific retention periods:
| Data type | Retention period | Reason |
|---|---|---|
| Account data (email, name, handle, profile photo) | Until you delete your account | Necessary to provide the Service |
| Journey data (routes, distance, duration, titles, photos) | Until you delete the journey or your account | Necessary to provide the Service |
| Speed data (within raw GPS data) | Until you delete the journey or your account | Stored as part of journey GPS data |
| Photos (profile, vehicle, journey) | Until you remove the photo or delete your account | Necessary to display your content |
| Social activity (likes, comments, follows) | Until you remove them or delete your account | Necessary to provide social features |
| Vehicle data | Until you remove the vehicle or delete your account | Necessary to display your garage |
| Device and technical data | Up to 12 months from collection, then deleted or aggregated | Needed for debugging and security; no longer needed after this period |
| IP addresses (security logs) | Up to 6 months | Needed for abuse investigation; deleted after this period |
| Crash reports | Up to 12 months | Needed to identify and fix bugs |
| Website analytics (Mixpanel) | Up to 12 months, then aggregated or deleted | Configured within Mixpanel’s retention settings |
| Push notification tokens | Until you disable notifications or delete your account | Needed to deliver notifications |
| Android waitlist email | Until we notify you of Android availability, or until you ask to be removed, whichever is sooner | Single-purpose collection |
| Content moderation records (reports, actions taken) | Up to 3 years after the action | Needed for appeals, legal obligations, and pattern detection |
| Authentication logs | Up to 12 months | Security auditing |
When you delete your account:
- Your personal data is deleted from our live systems within 30 days
- Your content (journeys, photos, comments) is removed from public view immediately
- Data may persist in encrypted backups for up to 90 days before being permanently removed
- Aggregated, anonymised data (e.g. total journey count across the platform) may be retained indefinitely, as it is no longer personal data
- Content moderation records may be retained for the periods above, even after account deletion, as we have a legitimate interest and legal obligation in maintaining these records
8. Your Rights Under UK GDPR
You have the following rights over your personal data. These rights are not absolute — some are subject to conditions and exceptions set out in UK GDPR and the Data Protection Act 2018.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Article 15) | You can request a copy of all personal data we hold about you, along with information about how we process it | Email privacy@dshft.com or use the data export feature in the app |
| Rectification (Article 16) | You can ask us to correct inaccurate personal data or complete incomplete data | Edit your profile in the app, or email privacy@dshft.com |
| Erasure (Article 17) | You can ask us to delete your personal data in certain circumstances | Delete your account in the app, or email privacy@dshft.com |
| Restriction (Article 18) | You can ask us to temporarily stop processing your data while we resolve a concern (e.g. while we verify accuracy) | Email privacy@dshft.com |
| Data portability (Article 20) | You can request your data in a structured, commonly used, machine-readable format (JSON) | Email privacy@dshft.com or use the data export feature in the app |
| Object (Article 21) | You can object to processing based on legitimate interest; we must stop unless we demonstrate compelling legitimate grounds | Email privacy@dshft.com |
| Withdraw consent | Where we process data based on consent, you can withdraw it at any time | See Section 3 for how to withdraw consent for each type |
| Not be subject to automated decisions (Article 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects | See “Automated decision-making” below |
How to Make a Subject Access Request
To request a copy of your personal data (a “Subject Access Request” or SAR):
- Email privacy@dshft.com with the subject line “Subject Access Request”
- Include enough information for us to verify your identity (the email address associated with your account is usually sufficient)
- Tell us what data you would like, or if you want everything we hold
- We will respond within one calendar month of receiving your request
- If your request is complex or we receive many requests, we may extend this by up to two additional months, but we will tell you within the first month if we need to do this
- There is no fee for a SAR unless the request is manifestly unfounded or excessive
Data Export
You can request an export of your data at any time through the app or by emailing privacy@dshft.com. We will provide it in JSON format, including:
- Your profile information
- Your vehicle data
- Your journey records (including full GPS routes, excluding speed data)
- Your social activity (follows, likes, comments)
- Your photos (as downloadable links)
We aim to fulfil export requests within 14 days.
Automated Decision-Making
We do not currently make any decisions about you based solely on automated processing that produce legal or similarly significant effects. If this changes in the future, we will update this policy and notify you, including information about the logic involved and the significance of the processing.
Content moderation decisions (e.g. removing a post or suspending an account) are made by humans, not automated systems.
How to Complain
If you are not satisfied with how we handle your data or respond to your rights request:
- Contact us first at privacy@dshft.com. We will try to resolve your concern directly.
- Complain to the ICO: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
  - Website: ico.org.uk
  - Phone: 0303 123 1113
  - Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You do not need to contact us before complaining to the ICO, but we would appreciate the opportunity to resolve matters directly if possible.
9. Children and Young People
Downshift is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at privacy@dshft.com and we will delete the account and associated data promptly.
Users aged 16-17: If you are 16 or 17, you can use Downshift, but please be aware that:
- Journey data reveals your location and travel patterns — think carefully before sharing publicly
- Content you post may be visible to all Downshift users
- You can delete your account and all your data at any time
- We encourage you to read this policy with a parent or guardian
ICO Children’s Code: We have considered the ICO’s Age Appropriate Design Code (Children’s Code) in designing Downshift. Although our minimum age is 16, we recognise that users aged 16-17 are still children under the Code. Our approach includes:
- Privacy masking of journey start/end points is on by default and cannot be disabled
- Geolocation is only active during explicit journey recording (no background tracking)
- We do not use nudge techniques to encourage users to weaken their privacy settings
- We do not profile children for marketing purposes
- We provide clear information about what data is collected and how it is used
10. Cookies and Similar Technologies
Mobile App
The Downshift mobile app does not use cookies. It uses secure token storage (provided by the device OS) for authentication sessions.
Website (dshft.com)
The Downshift website uses the following cookies:
| Cookie | Type | Purpose | Duration | Set by | Requires consent |
|---|---|---|---|---|---|
| cookie-consent | Strictly necessary | Remembering your cookie consent choice | 12 months | Downshift | No |
| Mixpanel cookies (mp_*) | Analytics | Understanding site usage, page views, user journeys | Up to 12 months | Mixpanel | Yes |
Strictly necessary cookies are required for the website to function and cannot be switched off. They do not store personally identifiable information.
Analytics cookies are only set if you give consent via the cookie banner. If you decline, no analytics cookies are set and Mixpanel is not loaded.
Vercel Analytics does not use cookies. It collects aggregate, non-personal performance and page view data without tracking individual users.
You can manage your cookie preferences at any time:
- Use the cookie consent controls on the website
- Clear cookies through your browser settings
- Use your browser’s privacy/incognito mode
For more information about cookies generally, visit allaboutcookies.org.
11. Changes to This Policy
We may update this policy from time to time. When we do:
- Material changes (e.g. new types of data collection, new third-party sharing, changes to your rights): We will notify you at least 30 days in advance through the app and/or by email. We will clearly explain what has changed and why.
- Minor changes (e.g. clarifications, formatting, updated provider details): We will update the policy and change the “Last updated” date. No individual notification.
We will maintain an archive of previous versions of this policy, available on request.
If a change requires your consent under data protection law, we will obtain it before the change takes effect.
12. Contact
If you have questions about this policy, want to exercise your data protection rights, or have a concern about how we handle your data:
- Email: privacy@dshft.com
- Website: dshft.com
We aim to respond to all data protection queries within 7 days, and to formal rights requests within one calendar month.
This policy was last reviewed on 30 March 2026.