Privacy Policy

This Privacy Policy explains how Draivn Corporation and its subsidiaries (the “Draivn Group”, “Draivn”, “we”, “us”, or “our”) collect, use, disclose, and protect personal information in connection with the Draivn Visibility software platform (the “Platform”), our websites, and related services (collectively, the “Services”) in the United States and Canada.

Draivn Visibility is data infrastructure for commercial fleet insurance. It connects fleet operators, who choose to share data about their vehicles and drivers, with the insurers, brokers, and partners who serve them. Because of how the Platform is built, the role we play depends on whose data is involved. This Policy makes that distinction clear, because it determines who controls the data and how rights are exercised.

Please read this Policy together with the separate written agreement that governs your relationship with us. Where this Policy and that agreement both apply, the agreement governs the contractual relationship and this Policy describes our privacy practices.

Your use of our websites is also governed by our Terms of Use, and our use of cookies and similar technologies is described in our Cookie Policy. Together with this Policy, these documents explain the terms that apply when you use Draivn’s websites and Services.

1. Our Role: Data Processor; the Fleet is the Data Owner

Privacy laws assign responsibilities based on who decides why and how personal information is processed (a “controller” or “business”) versus who processes it on another party’s behalf and instructions (a “processor”, “service provider”, or “contractor”). Draivn acts in different roles depending on the data:

• Website and account data. When you visit our websites, contact us, or register an account, Draivn acts as a controller for that limited information (for example, contact details, account credentials, and website usage data).
• Fleet Data and Platform personal information. When a fleet operator licenses data about its vehicles and drivers to the Platform, the fleet operator is the controller of that personal information and is responsible for establishing the legal basis and obtaining any required consents. Draivn processes that data as a service provider and processor, only to deliver the Platform and the Specified Purpose the fleet has selected.
• Customer Data uploaded by insurers, brokers, and partners. When an insurer, broker, or partner uploads its own data into the Platform, that customer is the controller and Draivn acts as its processor under its agreement with Draivn.

Insurers, brokers, and partners are independent controllers for the underwriting, pricing, servicing, and claims decisions they make using the Platform. Draivn does not make those insurance decisions. This structure is intentional: the fleet contracts with Draivn rather than directly with each insurer, which keeps data access narrow, purpose-bound, and easier to govern.

Where Draivn acts as a processor or service provider, individuals who wish to exercise their privacy rights should ordinarily direct their request to the relevant controller (the fleet operator, insurer, broker, or partner). We will assist that controller as required by law and as described in Section 13.

2. Scope of this Policy

The Services are a business-to-business platform for commercial fleet insurance, intended solely for commercial use by businesses and their authorized users. We do not offer the Services to consumers, we do not direct them to individuals acting in a personal, family, or household capacity, and we do not knowingly collect personal information directly from such individuals. The Platform analyzes vehicles and fleet operations rather than individual drivers, and we do not seek to identify, profile, or make decisions about specific drivers. The personal information we process relates primarily to vehicles and fleet operations and, to a limited extent, to the drivers associated with those vehicles; it is provided to us by our fleet-operator customers under their agreements with us, which remain responsible as controllers for that information.

This Policy applies to the Services and to information collected through them, including via email, text, and other electronic communications sent through or in connection with the Services. It does not apply to information collected offline, to other Draivn products that link to a different privacy notice, or to the independent practices of the fleets, insurers, brokers, partners, or other third parties who use the Platform or whose sites link to or from the Services. We encourage you to review the privacy notices of those parties.

3. Information We Collect

3.1 Information you provide directly

We collect information that account holders and website visitors provide, including name, business email, business contact details, and the contents of inquiries or support requests. When an organization registers, we collect the information needed to create and administer accounts and to verify authority to bind the organization.

3.2 Platform data (Fleet Data, Results, Customer Data, and Customer Analytics)

The Platform ingests, harmonizes, enriches, and analyzes data about fleet vehicles and their operation. Depending on the modules selected, this may include:

Category	Examples
Vehicle and policy data	Vehicle identification and characteristics, registration, insurance schedule, and related reconciliation data
Telematics and vehicle-operation data	Trip and vehicle-usage data, vehicle health, fuel and emissions data, and operating behavior, received with the consent of the fleet
Location data	Vehicle location coordinates and movement, including precise geolocation, where included in the data a fleet configures its devices to send
Accident and claims data	Accident indicators from connected systems and standardized accident reports
Enrichment and public reference data	Third-party and public context we add to standardize and improve the data, such as weather, traffic, mapping and reference data, and public safety and registration records (for example, FMCSA data)
Results	Standardized outputs derived from the data described above and made available to authorized recipients
Customer Data	Data an insurer, broker, or partner uploads to the Services or that we process on its behalf
Customer Analytics	Aggregated or anonymized statistics and benchmarks that do not identify any organization or individual

This data originates from the software and telematics systems the fleet uses, connected vehicle and mobile devices, and similar sources selected by the fleet. We also enrich it with third-party and public data sources, such as weather, traffic, mapping and reference data, and public safety and registration records, and may add additional data sources over time. The fleet operator owns the Fleet Data and warrants that it has obtained and maintains all consents and permissions required for it to be shared with Draivn for the Specified Purpose.

3.3 Information collected automatically on our websites

On our websites we use cookies and similar technologies to collect usage details such as IP address, device and browser type, operating system, pages viewed, referring and exit pages, and interactions with the site. We use these to operate, secure, and improve the site. You can control non-essential cookies through the consent tool on our site and through your browser settings. For more information, see our Cookies Policy.

4. How We Use Information

As a service provider and processor, we use Platform personal information only to provide the Platform and to fulfill the Specified Purpose selected by the fleet and authorized by consent, and as instructed by the relevant controller. As a controller for website and account data, we use information to:

• Provide, secure, maintain, and improve the Services and respond to inquiries and support requests
• Onboard fleets and vehicles, harmonize and reconcile data, and generate Results for authorized recipients within the Specified Purpose
• Send administrative and service communications, including security, subscription, and support messages
• Detect, prevent, and address fraud, security incidents, misuse, and other unlawful activity
• Create aggregated or anonymized Customer Analytics that do not identify any organization or individual
• Comply with legal obligations and establish, exercise, or defend legal claims

We collect, use, and disclose personal information only for the purposes identified at or before collection, or for compatible purposes permitted or required by law. For Platform personal information, the fleet operator or other controller is responsible for the legal basis and for obtaining any consent required.

5. Consent, Purpose Limitation, and Automatic Expiry of Access

Access to Platform personal information is consent-based, purpose-bound, and time-limited by design. When a fleet shares data, it selects a Specified Purpose (by default, to quote, service, and handle claims for fleet insurance) and the consent it provides defines and limits who may access the data and for how long. Recipients only obtain access through a signed agreement with Draivn, and that access is automatically constrained to the consented purpose and time window:

Access	Window granted to recipients
Historic lookback (quoting, servicing, or claims)	Up to 3 policy years of historic data prior to the current policy year
Ongoing access (quote, servicing, and claims)	Until 60 days after the end of the last active policy or the closure of any open claims, whichever is later

When the purpose ends, recipient access ends automatically. In practice, a recipient may access up to three policy years of historic data prior to the current policy year for quoting, servicing, or claims, and ongoing access continues only until 60 days after the end of the last active policy or the closure of any open claims, whichever is later, after which access ends. Draivn retains a copy of the underlying data only as needed for audit and record-keeping for up to five years after the later of the policy end date and the closure of the last related claim, and to meet legal and contractual obligations, after which it is deleted or de-identified in accordance with Section 10. Fleet operators retain all rights to their Fleet Data and the Results at all times and may terminate sharing under their agreement with Draivn. The only data Draivn owns and controls is the aggregated or anonymized Customer Analytics, which do not identify any individual. The access and retention periods stated in this Section are maximum periods; Draivn may provide access for a shorter time, or delete or de-identify data sooner.

6. How We Share Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising or targeted advertising. We disclose information only as described here:

• Authorized recipients under the Platform. Fleet Data and Results are made available to the insurers, brokers, and partners authorized by the fleet’s consent, solely for the Specified Purpose and within the access windows in Section 5, each bound by a signed agreement with Draivn.
• Service providers and sub-processors. We use vetted sub-processors to host and operate the Platform. They act on our documented instructions under contracts that require appropriate safeguards. See Section 7.
• Within the Draivn Group. We may share information with our subsidiaries and affiliates to operate, secure, and improve the Services, subject to this Policy.
• Legal and safety. We may access, preserve, and disclose information when we have a good-faith belief it is required by law or legal process, or necessary to detect or prevent fraud or other illegal activity, to enforce our agreements, or to protect the rights, safety, and property of Draivn, our users, or the public.
• Change of control. If Draivn is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. The recipient will be required to honor the commitments in this Policy.
• Aggregated or anonymized data. We may use and disclose Customer Analytics and other aggregated or de-identified data that does not identify any organization or individual for any lawful business purpose. We do not attempt to re-identify such data.

7. Sub-processors

We use carefully vetted sub-processors to provide hosting, infrastructure, telematics connectivity, analytics, and similar functions necessary to operate the Platform. They act on our documented instructions under contracts that require appropriate confidentiality and security safeguards, and we remain responsible for their compliance with our obligations. Customers that have a written agreement with Draivn may, on request and as provided in that agreement, obtain information about the sub-processors we use and receive advance notice of new or replacement sub-processors. We do not otherwise publish a public list of our sub-processors.

8. Sensitive Information and Precise Geolocation

Some Platform data, including precise geolocation and driver behavior data, may be treated as sensitive personal information under certain laws. We process this data only as necessary to provide the Platform and the Specified Purpose, only within the consent and access limits described in Section 5, and subject to data minimization. We do not use sensitive personal information to infer characteristics about individuals for our own purposes, and we do not sell or share it. Where Draivn is a controller and the law requires opt-in consent or a right to limit the use of sensitive information, we honor those requirements; where the fleet is the controller, the fleet is responsible for obtaining any required consent before the data is shared.

9. Automated Processing and Decision-Making

The Platform uses automated processing to harmonize, reconcile, match, and analyze data and to generate standardized Results and accident reports. Draivn does not make underwriting, pricing, eligibility, or claims decisions about individuals. Those decisions are made by insurers and brokers acting as independent controllers using their own criteria. Where an insurer, broker, or partner uses the Platform to support a decision that produces legal or similarly significant effects about an individual, that controller is responsible for providing any required notice, explanation, human review, and the ability to contest the decision. Where Draivn is a controller and engages in such automated decision-making, we will, on request, inform the individual of that fact, the main factors involved, and the right to obtain human review and to submit observations.

10. Retention

We keep personal information only as long as necessary for the purposes described in this Policy or as required by law. Recipient access to Platform personal information ends automatically when the Specified Purpose ends, as described in Section 5. Draivn retains Fleet Data and Results for up to five years after the later of the policy end date and the closure of the last related claim for audit and record-keeping, and may retain limited information longer where necessary to comply with legal obligations, resolve disputes, enforce our agreements, or respond to a legal hold. Website and account data are retained for the life of the account and for a reasonable period afterward. When information is no longer needed, we delete it or de-identify it. Backups are deleted on a rolling cycle, which may take up to 90 days.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful loss, access, alteration, or disclosure. These include access controls, encryption in transit, role-based and purpose-bound access, logging, and vendor due diligence. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Account holders are responsible for safeguarding their credentials and for controlling who they authorize to access data through their account or through sharing features. Notify us immediately of any suspected unauthorized use.

12. Data Processing Locations and Cross-Border Transfers

Draivn is based in the United States and processes information in the United States and Canada, and may use sub-processors that operate in those countries. Personal information collected in Canada may be processed in the United States and may be accessible to US authorities under applicable law. Where we transfer personal information out of Quebec, we conduct a privacy impact assessment as required by Quebec law before the transfer and apply contractual and technical safeguards designed to provide adequate protection. A description of the relevant safeguards is available on request.

13. Your Privacy Rights

Depending on where you live and your relationship with us, you may have rights to access, correct, delete, or obtain a portable copy of your personal information, to opt out of certain processing, and to withdraw consent. Because Draivn often acts as a processor or service provider, if your information reached us through a fleet, insurer, broker, or partner, please direct your request to that organization, which is the controller. We will assist the controller in responding as required by law. Where Draivn is the controller, you may exercise your rights directly using the contacts in Section 19.

To protect you, we may need to verify your identity before acting on a request, and we may ask for additional information to locate the relevant data. We will not discriminate against you for exercising your rights. We respond within the timeframes required by applicable law, generally within 30 to 45 days, with an extension where permitted. You may use an authorized agent where the law allows.

14. United States: State Privacy Rights

This Section applies to residents of US states with comprehensive privacy laws, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and the other states whose laws are in effect. Because Draivn is a business-to-business service, these rights are most relevant to individuals, such as fleet drivers, whose personal information is provided to us by a business customer that acts as the controller. Please direct your request to that organization, or see Section 13 for how we assist. Subject to each state’s law and exemptions, you may have the right to:

• Confirm whether we process your personal information and access it
• Correct inaccuracies in your personal information
• Delete your personal information
• Obtain a portable copy of your personal information
• Opt out of the sale of personal information, targeted advertising, and profiling that produces legal or similarly significant effects
• Limit the use and disclosure of sensitive personal information
• Appeal a refusal of your request, and contact your state Attorney General

We do not sell personal information and do not process it for targeted advertising or for profiling that produces legal or similarly significant effects on our own behalf. We honor recognized universal opt-out signals, including Global Privacy Control (GPC), on our websites. To exercise your rights, contact us by email at legal@draivn.com.

California. California residents may request the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes for collecting it, and the categories of third parties to whom it is disclosed. We do not sell or share personal information as those terms are defined under California law. You also have the right to limit the use of sensitive personal information, and the right not to receive discriminatory treatment for exercising your rights. Where Draivn acts as a service provider or contractor, we process personal information only as permitted by our customer contracts and applicable law.

Additional state-specific points. Rhode Island residents may request the specific third parties to whom we have disclosed their personal information. Minnesota and Oregon residents may request the specific third parties to whom we have disclosed their personal information and, where profiling occurs, additional information about it. Maryland residents benefit from heightened data minimization and a prohibition on the sale of sensitive personal information, which we apply.

In states without a comprehensive privacy law, we still handle your information in accordance with this Policy and applicable federal and state law.

15. Canada: PIPEDA, Quebec Law 25, and Provincial Laws

If you are in Canada, we handle personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25, and the Personal Information Protection Acts of Alberta and British Columbia.

• Consent. We collect, use, and disclose personal information with knowledge and consent, except where the law permits or requires otherwise. For sensitive information, including precise geolocation and telematics, express consent is required, and for Fleet Data the fleet operator is responsible for obtaining it before sharing. You may withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice.
• Purposes and limitation. We identify the purposes for which personal information is collected at or before collection and limit collection, use, retention, and disclosure to those purposes.
• Access, correction, deletion, portability. You may request access to and correction of your personal information and, where Law 25 applies, deletion or de-indexing and portability of computerized personal information.
• Automated decisions. Where a decision about you is based exclusively on automated processing by a Draivn controller, we will, on request, inform you of that fact, the personal information used, the principal factors leading to the decision, and your right to have it reviewed and to submit observations.
• Cross-border transfers. Before transferring personal information outside Quebec, we conduct a privacy impact assessment as required by Law 25 and apply appropriate safeguards.
• Breach reporting. We report breaches presenting a real risk of significant harm to the Office of the Privacy Commissioner of Canada and affected individuals, and, for Quebec residents, to the Commission d’accès à l’information, as required by law.

Privacy Officer. Our designated person responsible for the protection of personal information is Draivn’s Chief Data Privacy Officer, who can be reached at legal@draivn.com. A French-language version of this Policy is available to Quebec residents at draivn.com/confidentialite. The English version is the official version and prevails; the French version is provided as a courtesy translation.

16. Children

The Services are intended for businesses and their authorized users and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

17. Other Websites and Services

The Services may link to websites and services we do not control, and the fleets, insurers, brokers, and partners who use the Platform have their own privacy practices. We are not responsible for the practices of those parties and encourage you to review their privacy notices.

18. Changes to this Policy

We may update this Policy from time to time. The date at the top shows when it was last revised. If we make material changes, we will provide notice as required by law, which may include posting the updated Policy or, where appropriate, asking you to accept it. Your continued use of the Services after an update takes effect indicates acceptance of the updated Policy, except where additional consent is required.

19. How to Contact Us

If you have questions about this Policy or wish to exercise your rights, contact us at legal@draivn.com, or by mail at: Draivn Corporation, 251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808, USA.