Privacy Policy
Last updated: 30 April 2026
This Privacy Policy explains how Drivelines ("we", "us", "our") collects, uses, and protects your personal information when you use the Drivelines website at https://drivelines.app and related services (the "Service").
We've tried to keep this in plain English. If anything is unclear, email us — details at the bottom.
1. Who we are
Drivelines is operated by Joshua Parkin, a sole trader based in the United Kingdom. For the purposes of the UK GDPR and Data Protection Act 2018, Joshua Parkin is the data controller for personal information processed through the Service.
You can contact us at: [email protected]
2. Information we collect
2.1 Information you provide
- Account information — when you create an account, we collect your email address. If you sign in with Google, we also receive your name and profile picture from Google. Authentication is handled by our provider, Clerk.
- Profile information — any optional details you add, such as a display name.
- Routes and drives — routes you plan and drives you log, including titles, descriptions, and images you upload. Routes and drives are private by default; you can choose to make individual ones public.
- Images and photo location data — photographs you upload to attach to a drive or route. When you upload a photo, we read the location coordinates and timestamp from its embedded metadata (EXIF) and use them to plot the photo at the correct point on the route map. This is a core feature of how drives work. The location data is stored alongside the photo. If you choose to make a drive public, the photo locations become visible to other users. Photos without embedded location data can still be uploaded but won't be automatically placed on the map.
- Communications — if you contact us by email, we keep that correspondence so we can respond and follow up.
- Payment information (when paid features launch) — handled directly by Stripe. We do not store your card details.
2.2 Information collected automatically
- Analytics data — we use Umami, a privacy-friendly analytics tool that does not use cookies and does not track individuals across sites. It records aggregated information like page views, referrers, and approximate country derived from IP address.
- Server logs — our API logs requests, including IP address, timestamps, and browser/user-agent information, for security, debugging, and abuse prevention.
- Authentication data — Clerk processes authentication-related information (IP address, device, login times) to keep your account secure.
2.3 Location data — what we do and don't collect
The only location data we process is:
- The route geometry of routes you plan or save in the app.
- The GPS coordinates embedded in photos you choose to upload, used to place each photo on its route.
We do not do any of the following:
- Track your real-time GPS location while you use the app.
- Access your device's location when the app is in the background.
- Record GPS traces of your drives.
By default, we strip the start and end points of your saved routes and drives from public view to help protect your home and other frequent locations. Note that this protection applies to the route itself — uploaded photos are placed at their own coordinates, so a photo taken at or near your home will reveal that location if the drive is made public.
3. How we use your information
| Purpose | Lawful basis (UK GDPR Article 6) |
|---|---|
| Provide and maintain the Service (accounts, routes, drives) | Performance of a contract |
| Authenticate users and protect against fraud and abuse | Legitimate interests |
| Send service communications (password resets, important updates) | Performance of a contract |
| Send marketing emails about new features and similar offerings | Consent |
| Analyse usage patterns to improve the Service | Legitimate interests |
| Generate route suggestions using AI | Performance of a contract |
| Read location data embedded in uploaded photos to plot them on the map | Performance of a contract |
| Process payments for paid features (when launched) | Performance of a contract |
| Comply with legal obligations | Legal obligation |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects.
4. Sharing your information
We do not sell your personal data. We use the following service providers (sub-processors) to help us operate the Service:
| Provider | Purpose | Region |
|---|---|---|
| Clerk | Authentication and account management | United States |
| Neon | Database hosting (PostgreSQL) | European Union |
| Render | API hosting | European Union |
| Mapbox | Map tiles, geocoding, and routing | United States |
| Google (Gemini API) | AI-powered route suggestions | United States / global |
| Umami | Website analytics | European Union |
| Cloudflare | DNS and network infrastructure | Global |
| Stripe | Payment processing (forthcoming) | United States / United Kingdom |
Each of these providers is bound by their own privacy and security obligations and processes your data only on our instructions or as necessary to provide their service.
We may also disclose information if required by law, to enforce our Terms, or to protect the rights, safety, or property of Drivelines, our users, or others.
5. Public content
When you choose to make a route or drive public, the content — title, description, route geometry (with start/end stripped), and any uploaded images — becomes visible to other users of the Service and may be indexed by search engines or visible to people who don't have an account.
Please don't include anything in public content that you wouldn't want a stranger to see. You can change a public route or drive back to private at any time.
6. International transfers
Some of our service providers are located outside the United Kingdom and the European Economic Area, primarily in the United States. When we transfer personal data internationally, we rely on appropriate safeguards permitted under UK GDPR, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and transfers to providers certified under the UK-US Data Bridge where applicable.
7. Cookies
Drivelines uses only cookies that are strictly necessary for the Service to function:
- Authentication cookies set by Clerk to keep you signed in.
- Payment cookies set by Stripe when paid features launch, only when you interact with payment flows.
We use Umami for analytics, which does not set cookies. We do not use advertising or cross-site tracking cookies.
8. How long we keep your data
- Account and profile data — kept for as long as your account exists. You can delete your account at any time from within the app. When you delete your account, we delete or irreversibly anonymise your personal data within 30 days, except where we are legally required to retain certain records (e.g. tax records of payments).
- Routes and drives — deleted along with your account, including any public ones.
- Server logs — retained for up to 12 months for security and debugging purposes.
- Analytics data — aggregated and non-identifying; retained per Umami's defaults.
- Marketing email subscriptions — kept until you unsubscribe.
- Payment records (when applicable) — retained for at least 6 years to comply with UK tax law.
9. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify information that is inaccurate or incomplete.
- Erase your data ("right to be forgotten") — most data can be deleted by deleting your account in-app, or by emailing us.
- Restrict how we process your data in certain circumstances.
- Portability — request a machine-readable copy of the data you've provided.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, for example by unsubscribing from marketing emails.
To exercise any of these rights, email [email protected]. We will respond within one month.
If you're unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
10. Marketing communications
If you've opted in, we may send you marketing emails about new Drivelines features, scenic route guides, and similar offerings. Every marketing email includes a one-click unsubscribe link, and you can withdraw your consent at any time.
Unsubscribing from marketing emails does not stop service-related emails (account verification, password resets, important changes to the Service, or transactional payment notifications), which we send under the contract we have with you.
11. Data security
We take reasonable technical and organisational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS).
- Encryption at rest with our hosting providers.
- Access controls limiting who can access account data.
- Regular review of our sub-processors' security practices.
No internet service is perfectly secure, and we cannot guarantee absolute security. If we ever discover a data breach that affects you, we will notify you and the ICO as required by law.
12. Children
The Service is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email or through a notice in the app at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent version.
14. Contact
For any questions about this policy, your personal data, or to exercise your rights:
Joshua Parkin (sole trader, United Kingdom)
Email: [email protected]