Trust, Security & GDPR
A single reference for agencies, productions and their legal teams on how Send The Fit handles personal data belonging to supporting artists.
Last updated: June 2026
1. Who we are
Send The Fit is operated by [Legal entity name, company number], registered in [Country] at [Registered address].
Data protection contact: privacy@sendthefit.com
2. What data we hold about supporting artists
- Name and email address
- Costume / cast code assigned by the production
- Photos uploaded by the artist for their digital fitting
- Submission timestamps and basic technical metadata
We do not collect special-category data, payment information, phone numbers or location data.
3. Why we hold it
Solely to facilitate the digital fitting workflow for the named production: collecting reference images from supporting artists and making them available to the costume team. The data is never used for marketing, profiling, or any secondary purpose.
4. How long we keep it
Each production sets its own retention window when a scene is created. Once that window elapses (typically 30 days after the shoot wraps), all submissions, uploaded images and supporting-artist records for that scene are automatically purged by a scheduled job. Productions can also trigger early purges from the Data & GDPR panel at any time.
Purges are recorded in an internal deletion log (date, scene, count) kept for 12 months for audit purposes — the log contains no personal data.
5. Who can see the data
Emails and personal details are only visible to agency members through this portal. Photos are visible to the production's costume team. Send The Fit staff access data solely for support and technical maintenance. We do not sell, share, or use the data for advertising.
6. Security measures
- Hosted on Cloudflare with DDoS protection, WAF and TLS 1.3
- Database with Row-Level Security enforced on every table; access scoped per user
- Service / admin keys held server-side only, never in the browser
- Image access via short-lived signed URLs
- Passwords hashed; secure reset flow with single-use tokens
- Leaked-password protection (Have I Been Pwned check) on signup and password change
- Automatic data purge once retention window elapses
- [TO FILL IN] MFA enforced for admin accounts
- [TO FILL IN] Last third-party penetration test: [date]
7. Insurance
Cyber liability: [Insurer] — cover limit [£amount].
Professional indemnity: [Insurer] — cover limit [£amount].
Certificates of insurance are available on request from privacy@sendthefit.com.
8. GDPR compliance
Lawful basis: legitimate interests of the production and agency in running an efficient digital fitting, combined with the consent the agency obtains from each supporting artist before submitting their details.
Data-subject rights: any supporting artist can ask for access, correction, deletion or withdrawal of consent by emailing privacy@sendthefit.com. Requests are actioned within 30 days; in most cases deletion happens within 24 hours.
International transfers: data is processed within the UK / EEA where our sub-processors operate equivalent safeguards.
9. Sub-processors
- Cloudflare — application hosting, CDN, DDoS protection
- Supabase — managed Postgres database, file storage and authentication
- Resend — transactional email delivery (invites, password resets)
We will notify customers in advance of any change to this list.
10. For agencies: consent template
Agencies are responsible for obtaining GDPR-valid consent from their artists before submitting details. The following text can be adapted and sent to artists:
"We'd like to share your name, email and a costume reference photo with Send The Fit (sendthefit.com), the digital fitting tool used by the costume team. They will hold the data only for the duration of this shoot and delete it afterwards. Their full privacy and security information is at sendthefit.com/trust. You can withdraw consent at any time by replying to this email — please confirm YES/NO."
11. Data Processing Agreement
A signed Data Processing Agreement (DPA) is available on request for any agency or production that needs one for their records. Email privacy@sendthefit.com and we'll send the current template within two working days.
12. Breach process
We monitor application and database logs for unusual activity. In the event of a confirmed personal-data breach, we will notify affected customers without undue delay and report to the ICO within 72 hours where required by UK GDPR Article 33.
13. Contact
For any GDPR, security or legal queries: privacy@sendthefit.com