Email & Data Policy

1. Identity

2. Lawful basis

Personal data collected through the partner-interest form is processed under the consent lawful basis (UK GDPR Art. 6(1)(a)).

Consent is recorded at the moment of form submission as a permanent record on the Firestore document, including:

• consent: true - the boolean tick
• consent_text: "…" - the exact wording the data subject saw and ticked, stored verbatim, never derived later
• submittedAt: <server timestamp> - the moment consent was given

consent_text is included so that, if the form copy ever changes, we still have proof of what each individual subject specifically consented to.

Personal data used for partnership outreach to organisations - our cold-outreach emails and the leads/CRM records that manage them - is processed under the legitimate interests basis (UK GDPR Art. 6(1)(f)). Our legitimate interest is identifying organisations that may benefit from a free partnership with a non-profit; it is balanced against the limited use of publicly listed organisational contact details for a relevant, business-context approach. Recipients can object at any time (see §6 and §7) and we honour it immediately.

3. Data we collect

Article 5(1)(c) - data minimisation

The partner-interest form collects, and only collects, these fields:

Through the website and partner-interest form we do not collect: phone numbers, postal addresses, IP addresses, browser fingerprints, or location data. (The mobile apps do use device location for GPS activities - see their own privacy policies, linked at the top of this page.)

Outreach & CRM data

For partnership outreach we also hold, per organisation: organisation name, a publicly listed contact email, town/region, activity or sport type, and short publicly available business context used to tailor the approach. As we correspond, a relationship record (the “leads” CRM) tracks engagement - emails sent, link clicks, replies, and a derived hot/warm/cold status - so we can avoid contacting an organisation after it has asked us to stop and see who we have already reached. This data is drawn from publicly available organisational listings, not from the individuals themselves.

4. Recipients

Submitted data is accessible to:

• The Are You Faster CIC founder (Daniel) and any person they explicitly delegate to
• Google's infrastructure as a sub-processor (Firebase Firestore, Apps Script, Gmail, Sheets) under their respective Data Processing Addenda

Partnership-outreach and CRM records carry the same access (the founder and the Google sub-processors above) and the same protections set out in this policy.

We do not:

• Share with advertising networks
• Sell data to third parties
• Pass data to other CIC partners or affiliated organisations
• Add submitters to any list other than the AYF partner-update list

5. Retention

Article 5(1)(e) - storage limitation

Auto-deletion is performed by the daily purgeOldSubmissions() Apps Script trigger.

6. Subject rights

Articles 15-22

We acknowledge and uphold every right under UK GDPR. Each is operationalised:

Response timeline for all rights: one calendar month from receipt of a verifiable request (Art. 12(3)).

7. Unsubscribe - two paths, one outcome

The data subject can opt out at any time. Two paths exist because email clients (Gmail, Outlook, Apple Mail) prefer a built-in one-click flow for deliverability, while users who follow the in-email link expect a confirmation step.

Path A - Two-step (the in-email "Unsubscribe" link)

1. User clicks the "Unsubscribe (we'll ask once to confirm)" link in the email footer.
2. The Apps Script web-app endpoint validates an HMAC-signed token bound to the recipient's email address.
3. A branded confirmation page is shown: "Are you sure you want to stop receiving partner updates from Are You Faster?" with a single button.
4. Clicking the button adds the email to partner_unsubscribed (idempotent), sends a courtesy "you've been removed" email, and renders a confirmation page.

Path B - One-click (RFC 8058 List-Unsubscribe header)

1. Every outbound email carries List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers.
2. Email clients render an "Unsubscribe" link next to the sender name. Clicking it sends a POST to our endpoint.
3. The endpoint validates the same HMAC token, adds the email to partner_unsubscribed, and returns HTTP 200.
4. No UI is shown - the email client renders its own confirmation.

Both paths

• Are idempotent
• Write to the same partner_unsubscribed collection
• Take effect immediately - the next scheduled trigger will skip any address on this list
• Are permanent - re-subscribing requires completing the partner-interest form again, with fresh consent

HMAC token security

• Tokens are derived as HMAC-SHA-256(secret, lowercase(email))
• The secret is a 32-byte random value stored in Apps Script Properties (encrypted at rest by Google)
• Tokens cannot be forged without the secret
• A leaked token only authorises opt-out for that specific email - no other action is possible
• Tokens never expire, but stale tokens still only authorise opt-out

8. Security measures

Article 32

9. Breach response

Articles 33-34

10. Records of processing

Article 30

This document, together with the source code in the project repository, constitutes the record of processing required under Art. 30 for partner-interest data processing.

11. Cross-project consistency

This policy applies identically to:

• areyoufaster.com marketing site (Firebase project ayf-cic2)
• community.areyoufaster.com Hub (Firebase project ayf-cic)
• Any future project handling AYF marketing or partner data

Specifically:

• The partner_unsubscribed suppression list is honoured across every outbound communication path. If an address is suppressed for marketing emails, it cannot be re-added by submission to a different surface (the Hub must check this collection before sending).
• Subject-rights requests received on any surface are routed to partners@areyoufaster.com and processed as described in §6.
• The 24-month retention applies to every store of partner-interest data.
• The same consent_text wording is used wherever consent is captured for the partner-update mailing list.

12. Canonical consent text

This is the exact wording shown next to the consent checkbox on the partner-interest form, and the exact value stored in the consent_text field of every submission:

I'd like to receive occasional Are You Faster partner updates. We won't share your details, won't add you to anything else, and you can unsubscribe from any email.

Changes to this wording require:

1. Updating partners.html form copy
2. Updating the CONSENT_TEXT constant in appsscript/Code.gs
3. Bumping the version of this document
4. Documenting the change in the changelog below

13. Cookies

The marketing site at areyoufaster.com sets no first-party cookies and uses no analytics, advertising, or tracking pixels.

The single exception is the partner-interest form at /partners: when you focus a form field, Google reCAPTCHA v3 loads and may set cookies on Google's google.com domain (a third-party context) as part of its anti-bot scoring. This load is deferred until you engage the form, so visitors who never submit experience a cookie-free session. By focusing or submitting the form you accept this anti-bot scoring as a necessary security measure under the legitimate-interest exemption (PECR Reg 6(4)).

No third-party cookies are used for analytics or marketing on this site.

Changelog