DropASize
Legal

Last updated: 19 May 2026

Privacy Policy

This policy explains what personal data we collect, why we collect it, what we do with it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who we are

Data Controller: Zoistek Limited (trading as DropASize)
Company number: 14352784
Registered office: 128 City Road, London EC1V 2NX, United Kingdom
Data Protection contact: hello@dropasize.app
ICO registration: Zoistek Limited, reference ZC156409

Zoistek Limited is the "data controller" for DropASize, meaning we decide how and why your personal data is used.

2. What data we collect

We only collect what we need to build your plan and run our service.

Health and lifestyle data (special category — UK GDPR Article 9)

  • Age, biological sex, height, current weight, goal weight
  • Activity level, sleep, stress level, hormonal status
  • Dietary preferences and food restrictions
  • Injury or medical history (if you share it during the quiz)
  • Pregnancy or postpartum status (if relevant)
  • Eating disorder screening responses

Identity and contact data

  • First name (or preferred name)
  • Email address

Payment data

  • We do not store your card details. All payments are processed by Stripe Payments UK, Ltd, which is PCI-DSS compliant.
  • We receive a transaction reference, the amount paid, and the date.

Technical data

  • IP address, browser type, device type, time zone
  • Pages visited and quiz progress (for analytics)
  • Cookie data (see Cookie Policy)

3. Why we collect it (legal basis)

What we use it forLawful basis (UK GDPR)
Building your personalised planContract (Art. 6(1)(b)) + Explicit consent for health data (Art. 9(2)(a))
Processing your paymentContract (Art. 6(1)(b))
Sending plan emails and customer supportContract (Art. 6(1)(b))
Marketing emails (optional, opt-in only)Consent (Art. 6(1)(a))
Improving our service (anonymised analytics)Legitimate interest (Art. 6(1)(f))
Legal compliance (tax records, fraud prevention)Legal obligation (Art. 6(1)(c))

4. Who we share data with

We never sell your data. We only share it with third-party processors who help us run the service:

ProcessorPurposeLocation
Stripe Payments UK, LtdPayment processingUK / EU / US (adequate safeguards)
Google (Google Workspace)Mailbox hosting for hello@dropasize.appEU / US (Standard Contractual Clauses)
Resend (Resend, Inc.)Transactional email delivery, including sending your personalised plan PDF and any service emailsUS (Standard Contractual Clauses)
Vercel Inc.Website hostingUS (Standard Contractual Clauses)
CloudshareApplication hostingUS (Standard Contractual Clauses)
Anthropic (Claude API)AI plan generationUS (Standard Contractual Clauses)

All processors are bound by Data Processing Agreements requiring them to handle your data lawfully, securely, and only on our instructions.

About AI processing: Your quiz answers are sent to Anthropic's Claude API to generate your personalised plan. Anthropic does not use this data to train their AI models. Data sent is retained for up to 30 days for service operation, then deleted.

5. How long we keep your data

  • Purchase records: 7 years from the date of your purchase (HMRC tax record requirement)
  • Health and quiz data: deleted within 30 days of purchase, unless required for a refund or dispute
  • Marketing email consent: until you unsubscribe
  • Analytics data: anonymised within 14 months

6. Your rights under UK GDPR

You have the following rights, free of charge, by emailing hello@dropasize.app:

  • Access — request a copy of all data we hold about you
  • Rectification — correct any inaccurate data
  • Erasure ("right to be forgotten") — request full deletion of your data
  • Restriction — limit how we use your data
  • Portability — get your data in a machine-readable format
  • Objection — object to certain types of processing (especially marketing)
  • Withdraw consent — at any time, for anything processed under consent
  • Lodge a complaint — with the Information Commissioner's Office (ico.org.uk) if you're unhappy with how we handle your data

We'll respond to any request within 30 days, free of charge in most cases.

7. How we keep your data safe

  • All data is encrypted in transit (HTTPS) and at rest
  • Access is limited to authorised personnel only
  • We use secure password storage (bcrypt or equivalent)
  • Regular security reviews and software updates
  • Data breach notification within 72 hours where required by UK GDPR

8. Children

DropASize is for adults aged 18 and over only. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, please contact us immediately and we will delete it.

9. International transfers

Some of our processors (Vercel, Cloudshare, Anthropic, Resend, Google) are based in the US. We rely on UK GDPR-approved Standard Contractual Clauses (SCCs) and, where applicable, the UK Extension to the EU-US Data Privacy Framework, to lawfully transfer data internationally.

10. Changes to this policy

We may update this policy from time to time. Significant changes will be notified to active customers by email at least 14 days before they take effect.

11. Contact us

Questions, requests, or complaints about this policy:

Email: hello@dropasize.app
Post: Data Protection, Zoistek Limited, 128 City Road, London EC1V 2NX