Email & Data Policy

Version 1.0 · Last reviewed 2026-05-08 · Owner: Are You Faster CIC

Applies to all Are You Faster digital surfaces - areyoufaster.com, community.areyoufaster.com, the iOS and Android applications, and any system that processes personal data on behalf of the company.

This document is the single source of truth for how Are You Faster CIC handles personal data and direct-marketing communications. The implementations in appsscript/Code.gs, firestore.rules, partners.html, and the Hub all derive their behaviour from this document. If a conflict arises between an implementation and this document, this document wins.

1. Identity

Controller	Are You Faster CIC
Legal form	UK Community Interest Company
Company number	16536715
Registered office	Unit 82a, James Carter Road, Mildenhall, IP28 7DE, United Kingdom
Privacy contact	partners@areyoufaster.com
Founder / data lead	Daniel

2. Lawful basis

Personal data collected through the partner-interest form is processed under the consent lawful basis (UK GDPR Art. 6(1)(a)).

Consent is recorded at the moment of form submission as a permanent record on the Firestore document, including:

consent: true - the boolean tick
consent_text: "…" - the exact wording the data subject saw and ticked, stored verbatim, never derived later
submittedAt: <server timestamp> - the moment consent was given

consent_text is included so that, if the form copy ever changes, we still have proof of what each individual subject specifically consented to.

3. Data we collect

Article 5(1)(c) - data minimisation

The partner-interest form collects, and only collects, these fields:

Field	Purpose	Required?
`name`	Personalisation in follow-up	Required
`email`	The communication channel	Required
`organisation`	Context for the partnership conversation	Optional
`organisationType`	Routing the right follow-up	Required
`interests[]`	Which partner offering to follow up on	Optional
`message`	Free-text - what they want to tell us	Optional
`referrer`	The `?from=…` URL parameter, if Daniel sent an invite	Auto-captured
`sourceUrl`	The page URL at the moment of submission	Auto-captured
`consent`	Explicit consent flag	Required
`consent_text`	The exact wording they consented to	Auto-captured

We do not collect: phone numbers, addresses, IP addresses, browser fingerprints, location data, or anything else that would qualify as enhanced personal data under UK GDPR.

4. Recipients

Submitted data is accessible to:

The Are You Faster CIC founder (Daniel) and any person they explicitly delegate to
Google's infrastructure as a sub-processor (Firebase Firestore, Apps Script, Gmail, Sheets) under their respective Data Processing Addenda

We do not:

Share with advertising networks
Sell data to third parties
Pass data to other CIC partners or affiliated organisations
Add submitters to any list other than the AYF partner-update list

5. Retention

Article 5(1)(e) - storage limitation

Document type	Retention period
`partner_interest` documents in state `pending`	Indefinite until processed
`partner_interest` documents in state `emailed` / `error` / `suppressed` / `invalid`	24 months from `submittedAt`, then auto-deleted
`partner_unsubscribed` records	Permanent - required to honour right-to-object on an ongoing basis
Submissions Sheet rows	Same 24 months
`partner_invites` records	24 months from `sentAt`

Auto-deletion is performed by the daily purgeOldSubmissions() Apps Script trigger.

6. Subject rights

Articles 15-22

We acknowledge and uphold every right under UK GDPR. Each is operationalised:

Right	How exercised	Where implemented
Right of access (Art. 15)	Email partners@areyoufaster.com; response within one calendar month	`exportSubjectData()`
Right to rectification (Art. 16)	Email partners@ with the correction	Manual edit of Firestore document
Right to erasure (Art. 17)	Email partners@ requesting deletion	`eraseSubjectData()`
Right to restriction (Art. 18)	Email partners@ requesting we stop processing	Manual addition to suppression list
Right to data portability (Art. 20)	Same as right of access - we return JSON	`exportSubjectData()`
Right to object to direct marketing (Art. 21)	Click any unsubscribe link in any email	Auto-handled - see §7
Right to withdraw consent (Art. 7(3))	Same as right to object	Auto-handled - see §7

Response timeline for all rights: one calendar month from receipt of a verifiable request (Art. 12(3)).

7. Unsubscribe - two paths, one outcome

The data subject can opt out at any time. Two paths exist because email clients (Gmail, Outlook, Apple Mail) prefer a built-in one-click flow for deliverability, while users who follow the in-email link expect a confirmation step.

Path A - Two-step (the in-email "Unsubscribe" link)

User clicks the "Unsubscribe (we'll ask once to confirm)" link in the email footer.
The Apps Script web-app endpoint validates an HMAC-signed token bound to the recipient's email address.
A branded confirmation page is shown: "Are you sure you want to stop receiving partner updates from Are You Faster?" with a single button.
Clicking the button adds the email to partner_unsubscribed (idempotent), sends a courtesy "you've been removed" email, and renders a confirmation page.

Path B - One-click (RFC 8058 List-Unsubscribe header)

Every outbound email carries List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers.
Email clients render an "Unsubscribe" link next to the sender name. Clicking it sends a POST to our endpoint.
The endpoint validates the same HMAC token, adds the email to partner_unsubscribed, and returns HTTP 200.
No UI is shown - the email client renders its own confirmation.

Both paths

Are idempotent
Write to the same partner_unsubscribed collection
Take effect immediately - the next scheduled trigger will skip any address on this list
Are permanent - re-subscribing requires completing the partner-interest form again, with fresh consent

HMAC token security

Tokens are derived as HMAC-SHA-256(secret, lowercase(email))
The secret is a 32-byte random value stored in Apps Script Properties (encrypted at rest by Google)
Tokens cannot be forged without the secret
A leaked token only authorises opt-out for that specific email - no other action is possible
Tokens never expire, but stale tokens still only authorise opt-out

8. Security measures

Article 32

Layer	Control
Transport	HTTPS-only; HSTS preload
Browser	CSP locked; X-Frame DENY; nosniff; Referrer-Policy strict-origin
Form	Honeypot field; client throttle; reCAPTCHA v3 via Firebase App Check
Database	Firestore rules: anonymous create-only on `partner_interest`, strict field whitelist, server-timestamp enforcement, all reads/updates/deletes denied
Bot defence	App Check enforced on Firestore production
Server	Apps Script as user OAuth (no long-lived service-account key)
Logging	PII redacted from execution logs and from error messages
Concurrency	LockService prevents parallel script runs
Rate-limit	Per-email: max one welcome per address per 24 h
Per-run cap	20 documents per trigger run, bounding blast radius

9. Breach response

Articles 33-34

Within	Action
Immediately on detection	Disable App Check enforcement - freezes new writes. Stop the 5-minute trigger.
Within 1 hour	Assess scope: which records, which fields, how many subjects affected.
Within 24 hours	Document the breach in writing (cause, scope, mitigation).
Within 72 hours	Notify ICO via ico.org.uk if the breach is likely to result in a risk to subjects.
Without undue delay	Notify affected subjects directly if the breach is likely to result in a high risk (Art. 34).

10. Records of processing

Article 30

This document, together with the source code in the project repository, constitutes the record of processing required under Art. 30 for partner-interest data processing.

11. Cross-project consistency

This policy applies identically to:

areyoufaster.com marketing site (Firebase project ayf-cic2)
community.areyoufaster.com Hub (Firebase project ayf-cic)
Any future project handling AYF marketing or partner data

Specifically:

The partner_unsubscribed suppression list is honoured across every outbound communication path. If an address is suppressed for marketing emails, it cannot be re-added by submission to a different surface (the Hub must check this collection before sending).
Subject-rights requests received on any surface are routed to partners@areyoufaster.com and processed as described in §6.
The 24-month retention applies to every store of partner-interest data.
The same consent_text wording is used wherever consent is captured for the partner-update mailing list.

12. Canonical consent text

This is the exact wording shown next to the consent checkbox on the partner-interest form, and the exact value stored in the consent_text field of every submission:

I'd like to receive occasional Are You Faster partner updates. We won't share your details, won't add you to anything else, and you can unsubscribe from any email.

Changes to this wording require:

Updating partners.html form copy
Updating the CONSENT_TEXT constant in appsscript/Code.gs
Bumping the version of this document
Documenting the change in the changelog below

13. Cookies

The marketing site at areyoufaster.com sets no first-party cookies and uses no analytics, advertising, or tracking pixels.

The single exception is the partner-interest form at /partners: when you focus a form field, Google reCAPTCHA v3 loads and may set cookies on Google's google.com domain (a third-party context) as part of its anti-bot scoring. This load is deferred until you engage the form, so visitors who never submit experience a cookie-free session. By focusing or submitting the form you accept this anti-bot scoring as a necessary security measure under the legitimate-interest exemption (PECR Reg 6(4)).

No third-party cookies are used for analytics or marketing on this site.

Changelog

Version	Date	Change
1.0	2026-05-08	Initial publication. Canonical consent text v1. 24-month retention. Both unsubscribe paths active.
1.0.1	2026-05-11	Published as a public page at `/policy`. Added §13 (cookies). Documented reCAPTCHA defer-on-focus behaviour.