Privacy Policy
Last updated: May 2026
Drilld is operated by GEK AB ("Drilld", "we", "us"), a company registered in Sweden. This policy explains how we collect, use, and protect your personal data when you use Drilld.
We are the data controller for personal data processed on the platform. For privacy questions, contact us at hello@drilld.co.
1. Data we collect
Account data
When you create an account, we collect:
- Your full name and display name
- Email address
- Password (stored as a one-way hash)
- City and country
- Date of birth (for age verification)
- Sports you practice and target groups
Profile data
If you complete your profile, we may also collect:
- Profile photo and bio
- Social media handles (Instagram, etc.)
- Location data (city / region for matching)
- Sports certifications, experience, and credentials (for instructors)
Booking and payment data
When you book or sell sessions, we collect:
- Booking details (date, time, sport, location, price)
- Payment information processed via Stripe (we do not store card data ourselves)
- Stripe Connect account details (for instructors)
- Booking thread messages between students and instructors
Usage data
We automatically collect:
- IP address and approximate location
- Device type, browser, and operating system
- Pages visited, actions taken, and timestamps
- Cookies and similar technologies (see Cookie Policy below)
Content you create
Posts, comments, reviews, and other content you share on the platform.
2. How we use your data
We process your data to:
- Provide the platform (account management, bookings, payments, communication)
- Enable matching between athletes, instructors, and training partners
- Process payments and payouts via Stripe
- Send transactional emails (booking confirmations, reminders, password resets)
- Send marketing emails (only with your consent; you can unsubscribe at any time)
- Detect and prevent fraud, abuse, and policy violations
- Comply with legal obligations (accounting, tax, anti-money-laundering)
- Improve the platform (analytics, feature development)
Legal basis for processing
We process your data based on:
- Contract: Providing the platform requires processing your data
- Consent: Marketing emails and optional cookies require your explicit consent
- Legitimate interest: Fraud prevention, security, and platform improvement
- Legal obligation: Tax records, financial reporting, regulatory compliance
3. Who we share data with
We share data only when necessary:
- Stripe: Payment processing and instructor payouts
- Brevo: Email and SMS delivery
- Cloudflare R2 + Stream: Image and video hosting
- Supabase: Database hosting
- Vercel: Application hosting
- Other users: Your public profile data is visible to other users on the platform
- Sponsors: If you opt into sponsor visibility, your athlete profile may be shared with sponsors
We do not sell your personal data to third parties.
Legal disclosure
We may disclose data when required by law, court order, or to protect the rights, property, or safety of Drilld, our users, or others.
4. How long we keep data
We keep your data only as long as necessary:
- Active accounts: Data is kept while your account is active
- Closed accounts: Most data is deleted within 90 days of account closure
- Bookings and payments: Retained for 7 years for tax and accounting compliance
- Terms acceptance records: Retained indefinitely as an audit trail
- Fraud prevention records: Retained for up to 5 years
5. Your rights
Under GDPR and similar laws, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data (subject to legal retention obligations)
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent for marketing or optional cookies at any time
To exercise these rights, contact us at hello@drilld.co. We respond within 30 days.
Complaints
If you believe we have mishandled your data, you have the right to file a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) at imy.se.
6. Cookies
We use cookies and similar technologies to:
- Keep you logged in
- Remember your preferences
- Analyze platform usage
- Deliver marketing (only with consent)
You can manage cookie preferences through the cookie banner shown when you first visit the platform, or via your browser settings.
Cookie categories
- Essential: Required for the platform to function (login, security). Cannot be disabled.
- Analytics: Help us understand how the platform is used. Optional.
- Marketing: Used to deliver personalized content. Optional.
7. Data security
We use industry-standard security measures:
- Encryption in transit (HTTPS)
- Encryption at rest for sensitive data
- Access controls and authentication
- Regular security audits
- Incident response procedures
No system is fully secure. If we become aware of a data breach affecting your data, we will notify you and relevant authorities as required by law.
8. International transfers
Drilld is based in Sweden (EU/EEA). Some service providers (Stripe, Cloudflare, Supabase, Vercel) may process data outside the EU/EEA. We ensure adequate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Service providers certified under recognized data protection frameworks
9. Children
Drilld is not intended for users under 13. If you are between 13 and 18, you must have parental or legal guardian permission. We do not knowingly collect data from children under 13. If we learn that we have collected such data, we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent version.
11. Contact
For privacy questions, data subject requests, or complaints, contact us at:
- Email: hello@drilld.co
- Postal: GEK AB, Sweden