Privacy Policy

LAST UPDATED 20.03.2026

GAIN Credit LLC, trading as Drafty, is incorporated in Delaware, United States, and authorised and regulated by the Financial Conduct Authority (FCA), registration number 689378. We are also registered with the Information Commissioner’s Office (ICO), registration number Z2752028.

As the entity operating under the Drafty trading name, GAIN Credit LLC is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy applies to your use of the Drafty website and services in the United Kingdom.

We have appointed a Data Protection Officer (DPO), who is responsible for overseeing how we handle personal data and ensuring compliance with data protection law. If you have any questions about this Privacy Policy, how we use your personal data, or if you would like to exercise your data protection rights, you can contact us as follows:

• DPO Email: DPO@gaincredit.com
• Website: www.drafty.co.uk

You may also write to us at: Drafty, PO Box 10756, Leicester, LE3 4GX.

We collect personal data when you apply for our services, use your account, contact us, use our website or mobile app, and from third parties such as credit reference agencies and fraud prevention agencies. In some cases, and with your consent, we may also collect information from your bank using Open Banking.

• Information you provide to us
  You provide personal data directly when you apply for a loan or line of credit, contact us, or use our services. This may include your name, date of birth, contact details, personal circumstances, employment details, income and expenditure information, bank account and transaction information, details of your applications and account history, and any information you provide when contacting customer support. We use this information to assess your application, provide our services, and manage your account.
• Information from credit reference, fraud, and identification verification agencies
  We obtain personal data from credit reference agencies, fraud prevention agencies, and identity verification providers to assess your application, verify your identity, prevent fraud and financial crimes, and meet our legal and regulatory obligations, including those under anti-money laundering legislation. This may include your credit history, credit score, financial associations, identity verification information, and fraud and financial crime prevention information.
  
  Where you are an existing or previous customer, we may also obtain credit information about you from credit reference agencies for the purpose of assessing your creditworthiness in connection with potential product offers, such as credit limit reviews, loan top-ups, or reactivation of your account. We do this without you having made a new application, relying on our legitimate interests in making relevant and responsible offers to customers who may benefit from them.
• Information obtained using Open Banking (where you consent)
  Where you consent to share your financial information using Open Banking, we may receive account balances, transaction history, and income and expenditure information. We use this information to assess affordability and support responsible lending decisions. You can withdraw your consent through your bank or Open Banking provider at any time, which will stop future sharing.
• Information collected automatically
  When you use our website, mobile app, or services, we automatically collect technical and usage information. This may include:
  • Your IP address, operating system, and browser type
  • Mobile device information, including device type, unique device identifiers, mobile network information, and operating system
  • Information about how you use our website and app, including pages visited, time spent, and navigation patterns
  • Cookie and tracking information (further information is available in our Cookie Policy)
  We use this information to operate our services, maintain security, prevent fraud, and improve our website and app.
• Website and app analytics
  We use analytics tools, such as Microsoft Clarity, to understand how our website and app are used and to improve our services. Where required by law, this information is collected only with your consent.
• Information from service providers and public sources
  We may receive personal data from service providers who support our business, such as identity verification providers, payment processors, and technology providers. We may also obtain limited information from publicly available sources where permitted by law.
• Payment information
  Where you make payments through our services, your payment data is processed securely. Depending on the payment method used, this may be processed directly by us, in compliance with the Payment Card Industry Data Security Standard (PCI-DSS), or by a trusted third-party payment service provider (PSP) on our behalf. Where a PSP is used, your payment details are transmitted securely to them, and we do not store your payment card details directly.
• Providing your personal data
  You must provide certain personal data for us to assess your application and provide our services. If you do not provide this information, we may be unable to assess your application or offer you a product.

We use your personal data for the following purposes, in accordance with data protection law.

• To assess your application and provide our services
  We use your personal data to assess your application for a loan or line of credit, verify your identity, assess affordability and creditworthiness, and decide whether to offer you a product. If a product is provided, we use your personal data to manage your account, process payments, manage your credit limit, and communicate with you about your account.
• To assess creditworthiness for existing and previous customers
  Where you are an existing or previous customer, we may assess your creditworthiness using information obtained from credit reference agencies to identify whether you may be eligible for a credit limit review, a loan top-up, or to reactivate your account. We do this in our legitimate interests in making responsible and relevant offers, and to ensure any offer we make is appropriate for your circumstances at the time.
• To prevent fraud and financial crime, and ensure security
  We use your personal data to verify your identity, prevent fraud and financial crime, and protect our customers, services, and systems. This may include monitoring account activity and analysing communications.
• To provide customer support and manage our relationship with you
  We use your personal data to communicate with you, respond to enquiries, investigate complaints, and provide customer support.
• To comply with legal and regulatory obligations
  We process personal data to comply with applicable laws and regulations, including requirements imposed by the Financial Conduct Authority and other regulatory bodies.
• To improve our services, website, and app
  We use personal data to monitor and improve our services, systems, website, and mobile app. Where possible, we use aggregated or anonymised information for analysis and improvement.
• To send marketing communications (where you consent)
  We may send you information about our products and services where you have given your consent. You can withdraw your consent at any time.
• Automated decision-making, credit scoring, and credit limit management
  We use automated systems, including credit scoring, to assess applications and make lending decisions. Our automated system analyses your application using information such as your credit history, income and expenditure, existing financial commitments, and other information derived from your application and from third party sources. Applications scoring below a set threshold will be automatically declined.
  
  For existing Drafty Flex line of credit customers, we also use automated processes to periodically review and adjust your credit limit based on your account behaviour, repayment history, and updated credit information. This may result in your credit limit being increased or decreased.
  
  As an online-only lender, all lending decisions are made solely by automated means without human review. Under UK data protection law, where a decision is made solely by automated processing and has a significant effect on you, you have the right to request that the decision be reviewed by a member of our team, to express your point of view, to obtain an explanation of the decision, and to contest the outcome. To exercise any of these rights, please contact us.
  
  We have safeguards in place to help ensure our automated decisions are fair, consistent, and accurate.

We rely on the following legal bases:

• Contract — where processing is necessary to assess your application or provide our services
• Legal obligation — where we must comply with legal or regulatory requirements
• Legitimate interests — where processing is necessary for responsible lending, fraud prevention, service improvement, and security
• Consent — where required, such as for Open Banking or marketing communications

Special category data is sensitive personal information, such as information about your health. We do not request special category data as part of our loan application process or when providing our services.

In limited circumstances, you may choose to provide health information when contacting us or during the servicing of your account, for example when explaining your personal circumstances or requesting support. Where you share this type of information with us, we will only process it where permitted by data protection law, including where you have provided your explicit consent or where processing is necessary to protect your vital interests, establish, exercise or defend legal claims, or comply with legal obligations.

We do not use special category data to assess your application, make lending decisions, or for marketing purposes. We apply additional safeguards to protect this information and retain it only for as long as necessary to fulfil the purpose for which it was provided and to comply with our legal and regulatory obligations. Where we rely on your consent, you have the right to withdraw that consent at any time by contacting us using the details in Section 2. Withdrawing consent will not affect anything we did before you withdrew it.

We may share your personal data with the following categories of third parties where necessary to provide our services, comply with legal and regulatory obligations, and operate our business.

• Credit reference agencies
  We share personal data with credit reference agencies (CRAs) to assess your application, verify your identity, assess affordability and creditworthiness, and manage your account. When you apply, we will supply your personal data to CRAs, and they will provide us with information about you, including information from your credit application, financial history, and public records such as the electoral register. This helps us make responsible lending decisions.
  
  We will also continue to share information with CRAs about your account, including your repayment history and account performance. If you do not repay as agreed, this may be recorded by CRAs and shared with other organisations, including other lenders. CRAs will record searches on your credit file, which may be visible to other organisations and may affect your ability to obtain credit.
  
  The credit reference agencies we use are TransUnion and Experian. Further information about how CRAs use your personal data, including your rights, is available in the Credit Reference Agency Information Notice (CRAIN): https://www.transunion.co.uk/crain
• Service providers who support our business
  We share personal data with trusted third-party service providers who perform services on our behalf. This includes providers of payment services, identity verification, Open Banking, technology and IT systems, customer support, analytics and app and website services, and account servicing and administrative support.
  
  These service providers process personal data on our behalf as data processors and are required to process it only in accordance with our instructions and to protect it in accordance with data protection law.
• Debt collection agencies
  We may share personal data with debt collection agencies who act on our behalf to help manage and recover amounts owed to us. These agencies process your personal data on our behalf and in accordance with data protection law.
• Debt purchasers and account assignment
  We may transfer or assign your account, including associated personal data, to a debt purchaser. Where this happens, the debt purchaser will become responsible for managing your account and will process your personal data as a data controller in accordance with their own privacy policy and legal obligations.
• Regulators, authorities, and law enforcement
  We may share personal data where required to comply with legal or regulatory obligations, including with the Financial Conduct Authority, the Information Commissioner’s Office, courts, law enforcement agencies, and other regulatory authorities.
• Business transfers and professional advisers
  If we sell, transfer, or restructure our business or assets, personal data may be shared with potential or actual buyers, their advisers, and our professional advisers, such as legal, financial, and audit advisers, where necessary and subject to appropriate safeguards.

We operate globally and may transfer your personal data to, or allow access to your personal data from, our group companies, affiliates, and service providers located outside the United Kingdom where necessary to provide our services and operate our business. This may include transfers to countries such as the United States and India.

Where we transfer personal data to countries that have not been recognised by the UK as providing an adequate level of data protection, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (UK IDTA) or standard contractual clauses approved for use in the UK.

Where your personal data is transferred to a country that has been recognised by the UK as providing an adequate level of data protection, we rely on that adequacy decision as the basis for the transfer. These safeguards are designed to ensure your personal data remains protected to UK data protection standards.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. This includes providing our services, complying with legal and regulatory obligations, preventing fraud, resolving disputes, and enforcing our legal rights.

For customers who take out a Drafty loan with us, we generally retain your personal data for 5.5 years from the date your loan account is closed. For customers who take out a Drafty Flex line of credit with us, we generally retain your personal data for 5.5 years from the date your account is closed or from the date you last used our service.

In some circumstances, we may need to retain your personal data beyond this standard period. This may apply where there is an unresolved complaint, dispute, or legal proceedings, a data subject access request (DSAR), or where retention is required by the Financial Conduct Authority or other regulatory body. In such cases, we retain relevant data until the matter is fully resolved and any applicable legal limitation period has expired.

When personal data is no longer required, it will be securely deleted in accordance with our data retention and security policies. Credit reference agencies and fraud prevention agencies may retain your personal data in accordance with their own retention policies.

You have certain rights in relation to your personal data under data protection law. These include the right to:

• Request access to the personal data we hold about you
• Request correction of inaccurate or incomplete personal data
• Request deletion of your personal data in certain circumstances
• Request restriction of how we use your personal data
• Object to the use of your personal data, including for direct marketing. You have an absolute right to object to direct marketing at any time and we will always honour this without question.
• Request transfer of your personal data to you or another organisation in a structured, commonly used format, where applicable
• Request a review of automated decisions that affect you (see Section 4 for further information)
• Withdraw your consent where we rely on consent to process your personal data

You can exercise your rights by contacting us using the details in Section 2. We will normally respond within one month and will never charge you for doing so. If you have concerns about how we use your personal data, you can contact our Data Protection Officer and we will investigate and respond.

You also have the right to complain to the Information Commissioner’s Office (ICO) at any time. More information is available at www.ico.org.uk.

We may send you information about our products and services by email, SMS, or other electronic means where you have given your consent, in accordance with the Privacy and Electronic Communications Regulations (PECR).

You can withdraw your consent and stop receiving marketing communications at any time by using the unsubscribe link in our communications or by contacting us. Once you withdraw your consent, we will stop sending you marketing. You have an absolute right to object to direct marketing at any time, and we will always honour this.

Where you have given separate consent, we may share your personal data with selected third-party partners so they can contact you about their products and services. You can withdraw your consent to this at any time, either by contacting us or the third party directly.

We do not sell your personal data to third parties.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, disclosure, alteration, or destruction. These measures include secure systems, encryption, access controls, and staff training.

We also require third-party service providers who process personal data on our behalf to protect it in accordance with data protection law and appropriate security standards.

We regularly review and update our security measures to help ensure your personal data remains protected.

We use cookies and similar technologies to operate our website, maintain security, and understand how our website is used so we can improve our services and customer experience. We comply with applicable data protection law and the Privacy and Electronic Communications Regulations (PECR).

Some cookies are necessary for our website to function. Other cookies, including analytics cookies, are only used with your consent. You can manage or withdraw your consent at any time using our cookie consent tool or your browser settings. Further information is available in our Cookie Policy.

Our website and app may contain links to third-party websites. If you follow a link to any of these websites, please note that they have their own privacy policies and we are not responsible for their practices.

Our services are only available to people aged 18 or over. We do not knowingly collect data from children.

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or how we use personal data. The latest version will always be available on our website and will include the date it was last updated.