Privacy Policy
Effective: March 4, 2026 · Last updated: March 10, 2026
DriveTrace is an independent app built and operated by a single developer trading as New Street Technologies. This Privacy Policy explains how personal information is collected, used, stored, and protected when you use the DriveTrace mobile application (iOS and Apple Watch), the website at drivetrace.app, and any related services (collectively, the "Service").
By using DriveTrace, you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of the Service and contact us to request deletion of your data.
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Data Sharing & Sub-processors
- Payment Processing
- Cookies & Website Tracking
- Data Retention
- Location Data
- Your Rights
- International Data Transfers
- Children's Privacy
- Security
- Data Breach Notification
- Changes to This Policy
- Contact & Complaints
1. Information We Collect
We collect only the data necessary to provide the Service.
| Category | What it includes | Source | Purpose |
|---|---|---|---|
| Account information | Email address, display name, invite code | You provide directly | Account creation, login, communication |
| Precise location | GPS coordinates, altitude, accuracy radius, heading | Device sensors (with your permission) | Trip recording, live map, place detection |
| Motion & driving data | Speed, activity type (driving / walking / stationary), hard-braking events, acceleration events | Device motion sensors | Trip summaries, safety scoring, points calculation, driver rewards |
| Safety & rewards data | Trip safety scores, points ledger, badge awards, reward redemption history, leaderboard ranking | Derived from driving data | Driver safety programme, rewards, gamification |
| Authentication credentials | Password hash, passkey public keys, TOTP secrets, MFA recovery tokens | You provide / device generates | Account authentication and multi-factor security |
| Device information | Stable device identifier, device name, app version, battery level, OS version | Device (automatic) | Multi-device management, offline sync |
| Usage data | Trip history, saved places, place visit counts, place requests, subscription tier, feature usage | App usage (automatic) | App functionality, billing, history |
| Server log data | IP address, timestamp, HTTP method, URL path, response code. Trip and location data is never written to logs. | Server (automatic) | Security, uptime monitoring, abuse prevention |
Note on IP addresses: Server logs capture IP addresses, which may constitute personal data under applicable law. These logs are retained for 30 days and are used solely for security and operational purposes.
2. How We Use Your Information
- Providing core app features: live location map, trip recording and history, place detection, geofences, and trip auto-naming.
- Calculating driver safety scores, awarding and deducting points, evaluating badges, and maintaining leaderboard rankings.
- Enabling the rewards programme: managing your points ledger, reward catalog, and redemption history.
- Enabling family/fleet sharing within your DriveTrace tenant, including configurable device visibility per member.
- Processing and managing your subscription and billing.
- Authenticating your identity using passwords, passkeys, or multi-factor authentication (MFA) methods you have enrolled.
- Detecting and recovering from connectivity outages by caching data on-device.
- Sending account-related transactional emails (OTP verification, invite emails, billing receipts, place request notifications).
- Maintaining server security, enforcing database-level tenant isolation (Row Level Security), and preventing fraudulent or abusive use of the Service.
- Improving the Service based on aggregate, anonymised usage patterns.
We do not sell your personal data, use it for behavioural advertising, or share it with third parties outside the scope described in this policy.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following lawful bases under Article 6 of the UK/EU GDPR:
| Processing activity | Lawful basis |
|---|---|
| Providing core Service (location tracking, trip history, live map, safety scoring, rewards) | Performance of a contract — Art. 6(1)(b) |
| Account creation, login, and multi-factor authentication | Performance of a contract — Art. 6(1)(b) |
| Billing and subscription management | Performance of a contract — Art. 6(1)(b) |
| Transactional emails (OTP, billing, invites) | Performance of a contract — Art. 6(1)(b) |
| Server security and operational logs | Legitimate interests — Art. 6(1)(f) (preventing abuse, maintaining uptime) |
| Service improvement (aggregate analytics) | Legitimate interests — Art. 6(1)(f) |
Note on location data: Precise, continuous GPS location is collected only to deliver the core tracking features you have explicitly requested and enabled. You can withdraw permission at any time through iOS Settings → Privacy & Security → Location Services → DriveTrace. Withdrawal stops future collection; it does not delete historical data already recorded unless you request deletion separately.
4. Data Sharing & Sub-processors
Your location and trip data is shared only within your DriveTrace group (family or fleet). Members you invite can see live locations and trip summaries according to the permissions you configure. No data is shared outside your group without your explicit action.
The following third-party services are used to run the Service. Each is governed by its own privacy policy and terms of service, which include data protection commitments:
| Provider | Role | Data involved | Location |
|---|---|---|---|
| Google Cloud | Server hosting and managed infrastructure (all application services run here) | All server-side data | USA |
| Stripe | Card payment processing | Payment details, billing email, IP address | USA (SCCs in place) |
| PayPal | PayPal payment processing | PayPal account details, billing email | USA (SCCs in place) |
| Apple | App distribution, in-app purchase, push notifications | App Store receipts, device push tokens | USA (SCCs in place) |
No personal data is shared with any other third parties except as required by law.
5. Payment Processing
When you subscribe to a paid plan via our website, payment is processed by Stripe or PayPal. When you subscribe within the iOS app, payment is handled by Apple In-App Purchase. In all cases:
- DriveTrace does not store your full card number, CVV, bank account details, or full PayPal credentials.
- Stripe and PayPal are PCI-DSS Level 1 certified. Apple adheres to its own payment security standards.
- We receive only a transaction confirmation, subscription status, and a billing reference token from these processors.
- Billing records (amounts, dates, subscription tier) are retained for 7 years as required by applicable tax and accounting law.
- Stripe's privacy policy: stripe.com/privacy. PayPal's privacy policy: paypal.com/privacy.
6. Cookies & Website Tracking
Our marketing website (drivetrace.app) uses the following:
- Strictly necessary session tokens: Used to maintain authenticated sessions at drivetrace.app. These are required for the service to function and cannot be opted out of.
- On-device local storage (app only): The iOS app caches trip data locally during connectivity outages. This data does not leave your device until a network connection is restored.
We do not currently use third-party analytics services (e.g. Google Analytics), advertising cookies, fingerprinting, or any cross-site tracking on drivetrace.app. If this changes, we will update this policy and present an explicit cookie notice prior to any such tracking beginning.
7. Data Retention
| Data type | Free plan | Residential plan | Commercial plan |
|---|---|---|---|
| Trip history & location records | 7 days | 12 months | 12 months (extendable) |
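| Safety scores, points ledger & rewards | Until tenant deletion (not subject to trip retention limits) | Until tenant deletion (not subject to trip retention limits) | Until tenant deletion (not subject to trip retention limits) |
| Account data (email, name, device list) | Until tenant deletion | Until tenant deletion | Until tenant deletion |
| MFA credentials (passkeys, TOTP secrets) | Until credential removal or account deletion | Until credential removal or account deletion | Until credential removal or account deletion |
| Server security logs (IP, timestamps) | 30 days (rolling) | 30 days (rolling) | 30 days (rolling) |
| Billing & payment records | 7 years (legal/tax requirement) | 7 years (legal/tax requirement) | 7 years (legal/tax requirement) |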
Location data is automatically purged when it exceeds the retention window for your plan. All data associated with a tenant is permanently deleted when that tenant is deleted. The tenant owner can delete all location data at any point from Settings → Danger Zone → Delete All Data — this permanently removes location records from the database and the deletion cannot be undone.
When you downgrade to a lower-tier plan, data outside the new plan's retention window is purged during the next nightly maintenance cycle. Export anything you want to keep before downgrading.
Operational backups: Data may also be present in infrastructure-level backups maintained for the purpose of recovering from outages or operational failures. These backups are governed by internal policies that are subject to change without notice and are not directly accessible to users. Backup data is not used for any purpose other than operational recovery.
8. Location Data
DriveTrace requests Always-On location access to record trips in the background while you drive. The following applies to all location data:
- Location data is transmitted over HTTPS/TLS to our servers hosted on Google Cloud (in the region associated with your tenant) and stored in your account. It is used to record trips, calculate safety scores, award points, and detect place visits.
- Location tracking can be paused or stopped at any time from Settings → This Device within the app, or by revoking access via iOS Settings → Privacy & Security → Location Services → DriveTrace.
- On Apple Watch, location access is used in the same way to enable independent Watch tracking.
- Location data is never shared with advertisers, used for profiling outside the Service, or disclosed to third parties beyond the sub-processors listed in Section 4.
- Within your group, members you have invited can see your live location and trip history as permitted by your group's settings. You can leave a group at any time from the app.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to all valid requests within 30 days (extendable by two further months for complex requests, with notification).
| Right | What it means | How to exercise |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you | App export, or email privacy@drivetrace.app |
| Rectification | Correct inaccurate or incomplete data | Update in-app, or contact us |
| Erasure | Request deletion of your personal data ("right to be forgotten") | Settings → Danger Zone, or email us |
| Restriction | Ask us to restrict processing in certain circumstances (e.g. while a dispute is resolved) | Email privacy@drivetrace.app |
| Portability | Receive your data in a structured, machine-readable format (JSON/CSV) | App export feature, or contact us |
| Objection | Object to processing based on legitimate interests | Email privacy@drivetrace.app |
| Withdraw consent / permission | Stop future location collection at any time | iOS Settings → Location Services → DriveTrace |
| Complaint | Lodge a complaint with a data protection supervisory authority | See Section 15 |
There is no charge for exercising any of these rights.
10. International Data Transfers & Data Residency
By default, application data is stored in the United States on Google Cloud infrastructure. If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, your personal data — including location and trip data — is transferred to and processed in the United States.
Data residency options: DriveTrace supports regional deployments where all tenant data — location records, trips, personal information, and scoring data — is stored and processed within a specific geographic region. When a regional deployment is provisioned, your data never leaves that region. This is available for Commercial plan subscribers who require data sovereignty or compliance with local regulations. Contact hello@drivetrace.app to discuss regional deployment options.
Google Cloud participates in Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data from the EEA and UK to the United States. Payment processors Stripe and PayPal similarly rely on SCCs for EU/UK data transfers.
By using DriveTrace you acknowledge that your data will be stored and processed in the region associated with your tenant (United States by default). You can contact privacy@drivetrace.app for more information about the transfer mechanisms and data residency options available.
11. Children's Privacy
DriveTrace is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children below these ages. If you are a parent or guardian and believe a child has provided us with personal data without your consent, contact us at privacy@drivetrace.app and we will delete it promptly.
For family accounts where minors aged 13–17 are added as group members, the parent or guardian who creates the group is responsible for obtaining any applicable parental consent and for supervising the minor's use of the Service.
12. Security
- Encryption in transit: All data is transmitted using HTTPS/TLS 1.2 or higher. Connections using older protocols are rejected.
- Multi-factor authentication: DriveTrace supports passkey-first login, TOTP authenticator apps, SMS codes, and email verification as MFA options. Tenant owners can enforce MFA policies for all members.
- Tenant data isolation: PostgreSQL Row Level Security (RLS) is enforced at the database level. Every query is scoped to the authenticated tenant, ensuring that one tenant's data is never accessible to another — even in the event of an application-layer defect. The application uses a restricted database role with limited privileges.
- Credential storage: Passwords are stored as bcrypt hashes. Passkey private keys never leave your device. TOTP secrets are encrypted at rest. Authentication tokens are stored in the iOS Keychain (hardware-backed Secure Enclave where available).
- Network isolation: The database has no public internet exposure; it is accessible only from the application server on the same private network.
- Server access: Infrastructure access is restricted to the developer and secured with SSH key authentication.
- Dependency management: Dependencies are kept up to date and the server configuration is reviewed regularly.
No system is completely secure. Please use a strong, unique password, enable MFA on your account, and keep your credentials private. Report suspected security issues to privacy@drivetrace.app.
13. Data Breach Notification
In the event of a personal data breach, affected users will be notified via the email address on their account without undue delay. Where required by applicable law (e.g. GDPR Art. 33), the relevant supervisory authority will also be notified within 72 hours of becoming aware of the breach.
14. Changes to This Policy
We may update this policy as the Service evolves. For material changes, we will notify you via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of DriveTrace after the effective date of changes constitutes acceptance of the updated policy. If you do not accept the changes, you may delete your account before the effective date.
15. Contact & Complaints
For all privacy questions, data requests, or to exercise your rights, please contact us:
- Email: privacy@drivetrace.app
- General enquiries: hello@drivetrace.app
- Website: https://drivetrace.app
If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your national Data Protection Authority — edpb.europa.eu
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au