Privacy Policy
Last updated: March 2026
1. Who we are
DriveSync is operated by Usman Ghani trading as DriveSync ("we", "us", "our"). We provide a SaaS platform for UK driving instructors to manage their pupils, lessons, and bookings.
- Contact email: support@drivesync.live
- Contact address: contact us by email at support@drivesync.live
- ICO registration number: C1898635
2. What data we collect and why
Instructor data
When you register as an instructor, we collect:
- Name, email address, phone number
- Business name
- Home postcode and derived GPS coordinates
Lawful basis: Contract — this data is necessary to provide the DriveSync service to you.
Pupil data
When instructors add pupils to the platform, we process:
- Name, email address, phone number
- Address and postcode
- Pickup GPS coordinates (derived from postcode)
- Booking history and lesson schedules
- Cancellation data: late cancellation counts, no-show counts, and derived reliability scores
- Check-in data: timestamp when a pupil confirms attendance via reminder link
Lawful basis: Legitimate interests of the instructor (their customer) to manage lessons efficiently. Instructors are the data controllers for their pupils' data; DriveSync acts as a data processor.
Payment and financial data
Subscription payment processing is handled by Stripe (web), Apple (iOS), or Google (Android) depending on your platform. We do not store your credit card details. We receive subscription status confirmations and transaction identifiers to manage your account access. We use RevenueCat to manage in-app subscriptions across platforms.
DriveSync also stores lesson payment records (amount, method, date), business expenses (amount, category, date), and mileage logs (transfer miles, dead miles, optional odometer readings) that you enter or that are auto-calculated from route data. This financial data is linked to your instructor account and is used solely to provide financial tracking and reporting features.
Lawful basis: Contract — necessary to process subscription payments and provide financial tracking features.
Location and GPS data
We derive GPS coordinates from postcodes provided by instructors and pupils. These coordinates are used solely for route optimisation — calculating efficient travel routes between pupil pickup locations.
Lawful basis: Legitimate interests — route optimisation reduces travel time and cost for instructors.
Usage and security data
Our servers automatically log IP addresses and browser type for security and debugging purposes. Failed login attempts are logged with email address, IP address, and user agent to detect and prevent unauthorised access.
Lawful basis: Legitimate interests — maintaining security and service reliability.
3. How we use the data
- Lesson scheduling and calendar management
- Route optimisation (calculating travel times between pupils)
- Email and SMS notifications about bookings, confirmations, reminders, and daily summaries
- Subscription billing via Stripe
- Financial tracking: generating payment, expense, and mileage reports for your business records
- Tax export: generating CSV reports of income, expenses, and mileage for your accountant
- Reliability scoring: calculating pupil attendance patterns based on cancellation and no-show data
- Mileage calculation: auto-calculating transfer miles and dead miles from daily route data
- Security: detecting and preventing unauthorised access via failed login monitoring
We do not sell your data to third parties. We do not use pupil data for advertising or marketing.
4. Data sharing — third-party processors
We share data with the following service providers, who process it on our behalf:
| Provider | Purpose | Data shared | Safeguard |
|---|---|---|---|
| Stripe | Payment processing (web) | Instructor email, billing details | UK Extension to EU-US Data Privacy Framework |
| RevenueCat | In-app subscription management (iOS, Android) | Instructor ID, subscription status, transaction identifiers | UK Extension to EU-US Data Privacy Framework |
| Twilio | SMS notifications | Phone numbers, message content | UK Extension to EU-US Data Privacy Framework |
| Mapbox | Route calculations | GPS coordinates only (no personal identifiers) | UK Extension to EU-US Data Privacy Framework |
| SMTP2GO | Email delivery | Email addresses, message content | Standard Contractual Clauses |
| DigitalOcean | Hosting | All application data | London UK datacenter — data stays in UK |
| postcodes.io | Postcode lookup and geocoding | Postcodes only (no personal identifiers) | UK-based open data service |
| Cloudflare | DNS and email routing | Domain queries, email forwarding metadata | UK Extension to EU-US Data Privacy Framework |
5. Data retention
- Active accounts: Data retained while the account is active.
- Inactive pupils: Anonymised 12 months after the last lesson.
- Cancelled accounts: Data deleted within 30 days of request, except billing and financial records which are retained for 7 years (UK tax requirement).
- Financial records: Payment, expense, and mileage data retained for the duration of the account plus 7 years (UK tax requirement).
- Server logs: Retained for 30 days.
- Failed login logs: Retained for 30 days then deleted.
- Mileage logs: Retained for the duration of the account.
- Travel time cache: Retained indefinitely. Contains only GPS coordinates with no personal data.
6. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you (Subject Access Request).
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data ("right to be forgotten").
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@drivesync.live. We will respond within 30 days.
If you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO).
7. Children's data
Some pupils using DriveSync may be 17-year-old learner drivers, who are minors under UK GDPR. We take the following measures:
- We process the minimum data necessary for lesson scheduling.
- Location data is used only for route optimisation during active lesson periods.
- Under UK law, 17-year-olds can consent to data processing themselves.
- We comply with the ICO's Children's Code (Age Appropriate Design Code).
8. International transfers
Some of our processors (Stripe, Twilio, Mapbox, Cloudflare) are US-based companies. All hold UK Extension to EU-US Data Privacy Framework certification, making data transfers lawful under UK GDPR adequacy provisions.
9. Security
We take the security of your data seriously:
- All data is encrypted in transit using TLS/HTTPS.
- Passwords are hashed using bcrypt (never stored in plaintext).
- PIN authentication is rate-limited to prevent brute-force attacks.
- Multi-tenant data isolation ensures instructors can only access their own data.
- Registration forms include honeypot fields to detect automated submissions.
- Failed login attempts are logged (email, IP address, user agent) for security monitoring.
- Secure cookie flags (secure, httponly, samesite) are set on all session cookies.
- Content Security Policy and HSTS headers are set in production.
- We apply regular security updates and follow industry best practices.
10. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered instructors. Continued use of the service after changes constitutes acceptance of the updated policy.