Privacy Policy

Last updated: 1 May 2026

Drapeli (“we”, “us”, “our”) is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what data we collect, why, and your rights.

1. Who we are

Drapeli is a fashion discovery platform operating as an affiliate publisher. Our registered address and company details are available on request. For data protection enquiries contact: privacy@drapeli.com.

2. Data we collect

Account data

When you create an account we collect:

• Email address
• Display name and username (chosen by you)
• Profile picture (if uploaded)
• Bio (if provided)

Preference data

To personalise your feed we store:

• Style tags selected during onboarding
• Size preferences (top, bottom, shoe)
• Price range preference
• Privacy setting (public or private profile)

Activity data

• Items you save to your favourites
• Items added to your basket
• Outfits you create in your wardrobe
• Affiliate link clicks (product ID, timestamp, hashed IP address, user agent)

Technical data

• Session cookies (necessary for login)
• Hashed IP address (for click fraud prevention — stored for 90 days then deleted)
• Browser user agent (for affiliate reporting)

3. Legal basis for processing

• Contract performance — providing your account, feed, and wardrobe features
• Legitimate interests — affiliate click tracking, fraud prevention, improving our service
• Consent — optional analytics or marketing where you opt in

4. Affiliate links and commissions

Drapeli earns commission when you click a product link and make a purchase. When you click a product link, a tracking cookie may be set by the retailer. We do not share your personal account data with retailers. Click data (hashed IP, user agent, product ID) is used solely for commission tracking and fraud prevention.

5. How we use your data

• Personalise your discovery feed based on your style preferences
• Operate your wardrobe, saved items, and basket
• Track affiliate clicks for commission reporting
• Prevent fraud and abuse
• Send transactional emails (account verification, password reset)
• Improve the platform

6. Data sharing

We share data only where necessary:

• Supabase — database and authentication infrastructure (EU/US data centres; EU Standard Contractual Clauses apply)
• Affiliate networks and retailers — commission tracking for purchases made through product links
• Vercel — hosting and content delivery
• Cloudflare — DNS and security (no personal data stored)

We do not sell your personal data.

7. Data retention

• Account data — held for as long as your account is active, plus 30 days after deletion request
• Hashed IP addresses in click logs — 90 days
• Affiliate click records — 3 years (required for commission disputes)
• Backups — overwritten within 30 days

8. Your rights under UK GDPR

You have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data (edit via your profile and settings)
• Erasure — request deletion of your account and associated data
• Restriction — ask us to limit how we use your data
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any right, email privacy@drapeli.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Cookies

We use essential cookies to keep you signed in. See our Cookie Policy for full details.

10. Security

Passwords are never stored — authentication is handled by Supabase Auth using industry-standard bcrypt hashing and secure email verification. All data is transmitted over HTTPS. Access to the database is restricted to authorised personnel only.

11. Children

Drapeli is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has created an account, contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy. Material changes will be notified by email or prominent notice on the platform. Continued use after changes constitutes acceptance.