Privacy Policy
Last updated: 2026-05-12
Draft — awaiting legal review
This document is a working draft, not a binding agreement. The final version will be reviewed by legal counsel and published before launch. If you have questions in the meantime, contact support@drvn.io.
Who we are and what this policy covers
Driven operates the Dr1ven platform — a digital business card service accessible at drvn.io. We are the data controller for information you provide when creating an account, building your profile, and using the platform. This policy describes what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. Provisional jurisdiction: Delaware, USA (subject to final legal review before launch). Effective date: 2026-05-12.
Information we collect
Account information: your email address and display name, collected at registration. Your email is stored in encrypted form; a one-way lookup index lets us find your account at login without storing your address in plaintext. Profile information: display name, job title, company, bio, links, avatar, and cover image. Images are stored on Cloudflare R2 object storage; profile text is stored in our database. Scan and analytics data: when someone visits your profile, we log a timestamp, device class, country, region, and city. We never store raw IP addresses. Instead, the IP is hashed using HMAC-SHA-256 with a rotating secret key that lives only in our server environment. The hash cannot be reversed without the key. Contact and CRM data: names, email addresses, phone numbers, companies, and notes that you add to your own contacts list, or that visitors submit via your lead-capture form. This data is encrypted at rest using AES-256-GCM. Payment data: processed exclusively by Stripe. We receive only a Stripe customer ID and subscription status — we never see or store your card number. Cookies and similar technologies: see our Cookies Policy.
How we use your information and our lawful basis
We use your data for the following purposes, each grounded in a lawful basis under GDPR Article 6: To provide the service and fulfil our contract with you (Article 6(1)(b)): account creation, profile publishing, vCard generation, lead capture on your behalf, billing, and customer support. Legitimate interest (Article 6(1)(f)): security monitoring, abuse prevention, rate limiting, and aggregate product analytics that help us improve the platform. We have balanced these interests against your privacy rights and concluded they do not outweigh them. Legal obligation (Article 6(1)(c)): retaining payment records for tax and audit compliance. Consent (Article 6(1)(a)): optional marketing emails, such as product updates and tips. You can withdraw consent at any time via the unsubscribe link in any marketing email or from your account settings. Data sharing and processors: we share your data only with the service providers listed below who act on our instructions. We do not sell your data. - Stripe (payments, USA): processes card payments and manages subscription billing. - Resend (email delivery, USA): sends transactional and optional marketing emails on our behalf. - Cloudflare R2 (object storage, USA/global edge): stores profile images. - Fly.io (hosting and database, USA): runs our web application and Postgres database. - Google (OAuth sign-in): if you choose to sign in with Google, they verify your identity and share your verified email with us. Each provider operates under a Data Processing Agreement (DPA) with Driven. For EU users, data transfers to US-based processors rely on Standard Contractual Clauses (SCCs).
Data retention, security, and children
Retention: active account data is kept while your account is open. After you delete your account, a 30-day grace period applies, after which all personal data is permanently purged. Audit logs are retained for 365 days. Scan events are retained for 365 days. Encrypted database backups are kept for 30 days. Payment records required for tax purposes are retained for 7 years. Security: all data in transit is encrypted with TLS. PII stored in our database (contact names, emails, phones) is encrypted at rest with AES-256-GCM. Passwords are hashed with Argon2id and never stored in recoverable form. We apply the principle of least privilege — systems and staff access only the data necessary for their function. Children: the Driven platform is not directed at anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact support@drvn.io and we will delete it promptly.
Your rights and how to contact us
Depending on your location, you may have the following rights regarding your personal data: Access — request a copy of the data we hold about you. Rectification — ask us to correct inaccurate data. Erasure — request deletion of your data (right to be forgotten). Portability — receive your data in a machine-readable format. Restriction — ask us to pause processing while a dispute is resolved. Objection — object to processing based on legitimate interest. Withdraw consent — opt out of marketing emails at any time. To exercise any of these rights, email support@drvn.io. We aim to respond within 7 days, and in all cases within the legally required 30-day window. You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data correctly. Changes to this policy: when we make material changes we will post an updated version here with a new effective date and notify you by email at least 14 days in advance. Data controller: Driven. Postal address: to be confirmed before launch. Provisional jurisdiction: Delaware, USA. Contact: support@drvn.io.
See also: Cookies Policy and Terms of Service.