1. Overview
Drivant ("we", "us", "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. This policy applies to the Drivant web application, desktop application, and website at drivant.com.
We maintain formal data processing records in accordance with GDPR Article 30, documenting all processing activities, purposes, legal bases, retention periods, and third-party recipients. These records are available upon request by contacting support.
2. Information We Collect
| Data | Purpose | Retention | Legal Basis (GDPR Art. 6) |
|---|---|---|---|
| Email address, name | Account creation, communication | Until account deletion | Contract (Art. 6(1)(b)) |
| Password | Authentication (stored as bcrypt hash, never in plaintext) | Until account deletion | Contract (Art. 6(1)(b)) |
| Company name, phone (optional) | Billing profile | Until account deletion | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) |
| Route and stop data | Core service functionality | Until project deletion + 30-day archive | Contract (Art. 6(1)(b)) |
| Payment information | Subscription billing (processed by Stripe — we never see full card numbers) | Managed by Stripe | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) |
| Usage telemetry | Feature usage events for product improvement (linked to your user ID when logged in). Off by default for new accounts; you may opt in via the toggle in Account & Billing > Privacy. No usage events are recorded until consent is granted. | 90 days (when enabled) | Consent (Art. 6(1)(a)); off by default, collected only after opt-in |
| Error reports | Bug detection and fixing | 90 days | Legitimate interest (Art. 6(1)(f)) |
| IP address (login) | Rate limiting, shared-credential / brute-force detection. The two most recent login IPs are stored on your user record (last_login_ip, previous_login_ip) and replaced on each successful login. | Replaced on next successful login; permanently deleted on account closure. | Legitimate interest (Art. 6(1)(f)) |
| IP address (notice acknowledgement) | Audit trail for driver-acknowledged notices (legal compliance signature receipts). | Retained with the notice receipt for as long as the receipt itself is kept; permanently deleted on account closure. | Legal obligation (Art. 6(1)(c)) + Legitimate interest (Art. 6(1)(f)) |
| Driver notice-acknowledgement signature (drawn signature image stored on driver_notice_receipts.signature_data) | Mandatory legal-compliance receipt confirming a driver received and acknowledged a workplace notice from their dispatcher. Distinct from per-stop POD signatures: notice signatures cannot be opted out of by the driver and constitute a record of acknowledgement under employment-law obligations. | Retained with the parent notice receipt; permanently deleted on driver-user-account closure. | Special category — biometric data (GDPR Art. 9). Lawful basis: Art. 9(2)(b) — necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller in the field of employment law. Also Art. 9(2)(f) — necessary for the establishment, exercise, or defence of legal claims. |
| Driver data (name, email, phone, vehicle, photos) | Dispatch and delivery tracking (Signal Dispatch feature) | Until deleted by account owner | Contract (Art. 6(1)(b)) |
| Delivery proof (POD name, signature, photos, timestamps) | Proof of delivery, operational reporting. Per-stop signatures are voluntary contextual records; see the dedicated row above for the distinct treatment of mandatory notice-acknowledgement signatures. | Until deleted by account owner | Contract (Art. 6(1)(b)) |
| Manifest images (photographed shipping documents from receive-scan) | OCR extraction of pickup-stop line items via the receive-scan feature | Image bytes: configurable per organization on Team Settings > Manifest Image Retention (defaults: 180 days Free/Standard; up to 1 year Standard, 2 years Pro, 7 years Teams; Enterprise may set indefinite for DOT/FMCSA archive compliance). Extracted line items + audit trail: 2 years regardless of image retention. | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) for transportation audit trail (extended retention) |
| Receive-scan items (extracted line items, match states, dispatcher overrides) | Operational reconciliation of received vs. expected freight, OS&D reporting | 2 years from event date, then permanently deleted | Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) for transportation audit trail |
| Dispatcher override identity (the user ID of the dispatcher who corrected a receive-scan item; column scan_item_corrections.overridden_by_user_id) | Audit-trail integrity: transportation-industry record-keeping requires preserving the actor identity behind a manifest correction, so this column is retained even after the user's primary record is removed | Retained for the parent receive-scan item's 2-year window. After that, the entire correction row (including the actor ID) is purged with the parent row. | Legal obligation (Art. 6(1)(c)) for transportation audit trail; documented exception to Art. 17 erasure scoped to the override actor identity only |
| AI usage events (per-org rollups: token counts, cost, feature, timestamp) | Per-org spend cap enforcement, billing attribution | 90 days, then aggregated to monthly totals and individual rows deleted | Contract (Art. 6(1)(b)) + Legitimate interest (Art. 6(1)(f)) for fraud / abuse detection |
| Webhook events (Stripe billing webhooks: event_id, type, user_id, timestamp; never the full Stripe payload body) | Idempotency for billing state changes, reconciliation when a Stripe event is delivered more than once | 90 days, then permanently deleted | Contract (Art. 6(1)(b)) + Legitimate interest (Art. 6(1)(f)) for billing-state integrity |
| Passkey authentication challenges (one-time-use random challenge, user_id, purpose, timestamp; no PII) | WebAuthn registration and authentication ceremony — server issues a random challenge, browser signs it with the user's passkey, server verifies and discards. Stored only long enough to complete the ceremony. | 5 minutes (rows are used once and deleted, or expired and purged) | Contract (Art. 6(1)(b)) |
3. How We Use Your Information
- Provide the Service: Store and process your route data, authenticate your account, manage your subscription.
- Billing: Process payments through Stripe. We share your email and name with Stripe for payment processing. See Stripe's Privacy Policy.
- Product improvement: Usage telemetry helps us understand which features are used and identify bugs. Telemetry is off by default for new accounts; users may opt in via the toggle in Account & Billing. Telemetry is linked to your user ID only while you are logged in and only when you have opted in.
- Communication: We send transactional emails about your account (verification, password reset, billing, security). During your trial period, we send a short onboarding email sequence (feature highlights, tips, trial status) under legitimate interest (Art. 6(1)(f)). You can opt out of non-essential emails via the telemetry toggle in Account settings. We do not send marketing emails to non-users.
4. Data Storage and Security
- Project data is stored in Wasabi S3 cloud storage (US region). Database metadata is stored in MySQL.
- Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext.
- Authentication uses signed session tokens transmitted over HTTPS in HttpOnly cookies (15-minute access tokens; 7-day refresh tokens). The Drivant desktop (Electron) app additionally receives the same tokens in the login/refresh response body so that its main-process cookie jar can store them; for that reason the token values are briefly visible in the developer tools of the desktop client only. Web-browser users receive cookies only and never see token values in plaintext. All authentication endpoints set `Cache-Control: no-store` so that browsers and intermediaries do not cache the response.
- Encrypted export (Pro feature) uses AES-256-GCM with a key derived from your passphrase by PBKDF2. Encryption happens client-side, and we never see your passphrase.
- API communication is encrypted via TLS (HTTPS).
- Desktop app uses Electron with context isolation and disabled Node.js integration for web content.
We maintain an internal incident response runbook covering detection, triage, notification of the supervisory authority under GDPR Art. 33 within 72 hours of becoming aware of a breach, and notification of affected users under Art. 34 when a breach is likely to result in a high risk to them. Post-mortem reports are written for every Severity 0/1 incident within 14 days of incident close. Customers are notified without undue delay of any personal data breach affecting their data.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, name, payment details |
| Mapbox | Map rendering, geocoding | Addresses (for geocoding), map tile requests |
| HERE Technologies | Truck routing (Pro tier) | Route waypoint coordinates |
| OSRM | Driving directions | Route waypoint coordinates |
| Wasabi | Cloud storage | Project data, manifest images (encrypted at rest) |
| Mailgun | Transactional email (verification, password reset, billing alerts, OS&D — over/short/damaged — reports to dispatchers and admins) | Recipient email + name. OS&D reports also include the driver name, stop label and address, summary counters, the offending line items (description, barcode, quantity, match state), and a CSV attachment of the full event for billing/claims processing. No payment data, account credentials, or org-internal IDs. |
| Umami | Privacy-friendly site analytics on the marketing site (cookie-free, no cross-site tracking). Honors browser Do Not Track headers — when DNT is set, the script is not loaded. | Aggregate page-view counters and referrer URLs. No personal data, no cookies, no IP retention beyond Umami's session window. |
| OpenRouter | AI gateway for manifest extraction (receive-scan feature). Routes vision-model requests to upstream providers (currently Anthropic Claude Sonnet 4.6). | Photographed manifest pages, extraction prompts. No personal account data is included; org_id is sent for billing attribution. |
| Anthropic | Vision-model inference for manifest OCR + table extraction. Receives manifest page images from OpenRouter. | Manifest images submitted via the receive-scan feature. |
All sub-processors listed above operate under Data Processing Agreements (DPAs) or equivalent contractual commitments that ensure GDPR-compliant data handling. Stripe is PCI DSS Level 1 certified. Wasabi encrypts data at rest (AES-256). Mailgun processes email data solely for delivery on our behalf. OpenRouter and Anthropic process manifest images solely for the duration of an inference request and do not retain them for training (per their respective enterprise terms).
Drivant's own customer-facing Data Processing Agreement is published in full at drivant.com/dpa. Org owners can request a counter-signed counterpart from inside the app or via the security contact page; counter-signed PDFs are returned within 5 business days.
5.1 International Data Transfers
Several of the sub-processors above (Stripe, Mailgun, OpenRouter, Anthropic, Wasabi) are based in or process data in the United States. For users in the EU, UK, or Switzerland, we rely on the following lawful-transfer mechanisms (GDPR Art. 44–49, UK GDPR Art. 44–49, FADP):
- EU-US Data Privacy Framework (DPF) and UK Extension where the sub-processor is certified — applies to providers self-certified under the Framework.
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our standard sub-processor agreements where DPF certification is unavailable.
- UK International Data Transfer Addendum for transfers from the UK.
EU/UK/Swiss users have the right to request a copy of the SCCs covering a specific sub-processor relationship. Submit a data request citing "SCC copy request" and we will provide the relevant clauses within 30 days.
6. Your Rights
You have the right to:
- Access your data: Export all your projects at any time via the Export feature (.dvnt, Excel, CSV, or other formats).
- Delete your data: Delete individual projects (moved to "Recently Deleted" for 30 days, then permanently removed) or request full account deletion.
- Correct your data: Update your profile information in Account & Billing at any time.
- Port your data: Export your data in standard formats (CSV, GPX, KML, GeoJSON, Excel).
- Telemetry consent: Telemetry is off by default for new accounts. You may opt in (or revoke consent at any time) from your Account & Billing settings. When opted out, no usage events are recorded for your account.
To exercise any of these rights formally, submit a data request through our intake form. We respond within 30 days as required by law.
7. California Privacy Rights (CCPA)
We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes. California residents have the right to request disclosure of the categories and specific pieces of personal information we have collected, to request deletion of their data, and to opt out of any future sale of their personal information. To exercise these rights, submit a data request or contact us at support.
8. Data Deletion
When you delete a project, it moves to "Recently Deleted" for 30 days (allowing recovery), then is permanently deleted from both the database and cloud storage. When you delete your account, all associated data is permanently removed: projects, folders, telemetry, error reports, dispatch routes and sessions, driver photos, receive-scan events and manifest images, AI usage records, document templates, and any organizations you own. The cascade also clears all cloud storage (Wasabi S3) under your owned organizations' prefixes. Account deletion is final and cannot be undone.
9. Data Retention
We retain different categories of data for different periods based on their purpose. Automated cleanup jobs run daily to enforce these retention schedules.
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Account data (email, name, profile) | Until account deletion | Permanently deleted on account closure |
| Project data (routes, stops) | Until project deletion + 30-day archive | Archived projects auto-purged after 30 days |
| Usage telemetry | 90 days | Automatically deleted by scheduled cleanup |
| Error reports | 90 days | Automatically deleted by scheduled cleanup |
| Webhook events | 90 days | Automatically deleted by scheduled cleanup |
| Manifest images (receive-scan) | Configurable per organization (Team Settings → Manifest Image Retention) | Default 180 days. Tier ceilings: Free 180d, Standard 1y, Pro 2y, Teams 7y, Enterprise indefinite. Set on organizations.image_retention_days; daily worker honors the live value (extending retention recovers docs not yet swept). The parent receive-scan event row remains for the 2-year audit window with extracted line-item data only. |
| Driver / proof-of-delivery photos (POD images uploaded at stops) | Configurable per organization (Team Settings → POD Photo Retention) | Default 2 years. Tier ceilings: Free/Standard 2y, Pro 5y, Teams 7y, Enterprise indefinite. Set on organizations.pod_photo_retention_days; daily worker honors the live value, with orphan rows (rare — pre-org-link photos) falling back to the platform default. FMCSA requires 6 months minimum for delivery records, so even Free covers compliance. Org owners may delete sooner via the dispatch UI. On account/org deletion the entire prefix is purged immediately. |
| Receive-scan events + items + dispatcher corrections | 2 years from event date | Automatically deleted by scheduled cleanup; row count surfaced in admin DevOps dashboard |
| AI usage events (per-call rows) | 90 days | Automatically deleted by scheduled cleanup; monthly totals retained in aggregate form on the org for billing |
| Shared links | Until the expiry set on the share; shares created without an explicit expiry are capped at 48 hours | Expired shares deleted immediately from database and storage |
| Report PDFs | 30 days | Automatically deleted from storage by scheduled cleanup |
| Database backups | 30 days | Older backups automatically removed by retention policy |
| Payment data | Managed by Stripe | Subject to Stripe's retention policy |
All automated retention jobs are auditable and run independently from the main application. If you need your data deleted sooner, submit a data request.
10. Cookies
Drivant uses a small set of cookies that are strictly necessary to keep you signed in and to protect your account from cross-site request forgery. We do not use cookies for advertising, analytics, or third-party tracking, and we do not sell or share cookie data with anyone.
The cookies set when you sign in are:
- `__Host-dv_session`: your short-lived authentication token (valid for 15 minutes). Marked HttpOnly and Secure, set with `Path=/` and no Domain attribute.
- `__Host-dv_session_refresh`: a refresh token used to renew your session without asking for your password again (valid for up to 7 days). Marked HttpOnly and Secure, set with `Path=/` and no Domain attribute.
- `__Host-dv_csrf`: a random anti-forgery token that pairs with the session cookie to block forged requests from other sites. It is readable by the Drivant app's own JavaScript (the double-submit check needs this), but a third-party site cannot read it.
All three cookies carry the `__Host-` prefix. Browsers only store a cookie with that prefix if it is Secure, has `Path=/`, and sets no Domain attribute, and a cookie with no Domain attribute is host-only: the browser sends it back only to the exact host that set it, never to another subdomain and never to any third-party domain. The desktop app does not rely on cross-subdomain cookies; it receives the tokens in the login/refresh response and keeps them in its own cookie jar (see section 4). All three cookies are deleted when you sign out.
Because these cookies are strictly necessary for the service to function, no consent banner is required under the EU ePrivacy Directive (Article 5(3)) or comparable rules. Without them you cannot sign in or save your work.
Our marketing website (drivant.com outside the application) sets no cookies and runs no advertising scripts. The only analytics on it is the cookie-free Umami instance described in section 5, which is not loaded at all when your browser sends a Do Not Track header.
11. Children's Privacy
Drivant is not intended for use by children under 16. We do not knowingly collect personal information from children under 16.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
For privacy-related questions or data requests, submit a data request or contact our support team.