Privacy Policy

The data controller responsible for your personal data is:

• Company: Drivzu Ltd
• Address: Dublin, Ireland
• Privacy contact: privacy@drivzu.ie
• Website: drivzu.com

If you have any questions or concerns about how we handle your personal data, please contact us at privacy@drivzu.ie. We aim to respond to all enquiries within one month.

We collect the following categories of personal data depending on how you interact with the Platform:

Identity Data

• Full name
• Email address
• Phone number
• Date of birth
• Profile photo / avatar

Driving-Related Data

• Learner permit number (Students)
• Approved Driving Instructor (ADI) number (Instructors)
• Vehicle details (Instructors)

Location Data

• Address and Eircode
• GPS location (when you use location-based features such as finding nearby Instructors, with your consent)

Financial Data

• Payment information is processed securely by Stripe. Drivzu does not store your full credit or debit card numbers. We retain only a tokenised reference, card type, and last four digits for display purposes.
• Billing address
• Transaction history

Voice Data

• Audio streams when you use our AI voice assistant (processed in real time via Deepgram, Google Gemini, Cartesia, and LiveKit)
• Transcripts of voice interactions

Technical Data

• IP address
• Device type and operating system
• Browser type and version
• User agent string

Usage Data

• Login history and session data
• Booking history and search queries
• Pages visited and features used
• Interaction with Instructors and the voice assistant

Communication Data

• Emails sent via Resend
• SMS messages sent via Vonage
• Support correspondence

Review Data

• Ratings and written reviews submitted on the Platform, linked to verified bookings

Under the GDPR, we process your personal data on the following legal bases:

Consent (Article 6(1)(a) GDPR)

• Voice AI processing: You provide consent when you initiate a voice session with our AI assistant.
• Marketing communications: We send promotional emails or SMS only with your opt-in consent.
• Non-essential cookies: We use analytics and marketing cookies only with your consent via our cookie banner.

Contract (Article 6(1)(b) GDPR)

• Processing necessary to fulfil our contract with you, including managing your account, processing bookings, facilitating payments, and providing customer support.

Legitimate Interest (Article 6(1)(f) GDPR)

• Fraud prevention and security: Detecting and preventing fraudulent activity, abuse, and security threats.
• Platform improvement: Analysing usage patterns to improve the Platform's features and user experience.
• Safety: Ensuring the safety and integrity of the marketplace for all users.

Legal Obligation (Article 6(1)(c) GDPR)

• Tax compliance (DAC7): We are required to report certain Instructor earnings data to Irish Revenue under the EU DAC7 Directive.
• ADI verification: Verifying that Instructors hold valid RSA-approved ADI credentials.
• Responding to lawful requests from law enforcement or regulators.

We use your personal data for the following purposes:

• Account management: Creating and maintaining your account, authenticating your identity, and providing account security features (OTP, MFA, OAuth).
• Instructor matching: Helping Students find suitable Instructors based on location, availability, pricing, and preferences.
• Bookings: Processing, confirming, and managing driving lesson bookings between Students and Instructors.
• Payments: Processing payments from Students, calculating commission, and facilitating payouts to Instructors via Stripe.
• Voice AI: Powering our AI voice assistant to help you search, book, and interact with the Platform using natural language.
• Communication: Sending booking confirmations, reminders, account notifications, and (with consent) marketing communications.
• Safety & trust: Verifying Instructor credentials, detecting fraud, enforcing our Terms of Service and Community Guidelines.
• Legal compliance: Meeting tax reporting obligations (DAC7), responding to legal requests, and maintaining required records.

Our AI voice assistant uses a pipeline of specialised third-party services to process your voice in real time:

1. LiveKit handles the real-time audio streaming infrastructure, transmitting your voice data securely between your device and our processing pipeline.
2. Deepgram converts your spoken words into text (speech-to-text / STT).
3. Google Gemini (large language model) processes the transcribed text to understand your request and generate an appropriate response.
4. Cartesia converts the generated text response back into natural-sounding speech (text-to-speech / TTS).

Consent & Opt-Out

Voice data processing is consent-based. You provide consent when you initiate a voice session (for example, by clicking the microphone button). You may withdraw consent and opt out at any time by simply ending the voice session. The Platform's full functionality remains available through its text-based interface without using the voice assistant.

Data Retention for Voice

Voice audio streams are processed transiently in real time and are not permanently stored by Drivzu after the session ends. Transcripts may be retained temporarily for quality and debugging purposes but are deleted in accordance with our data retention schedule.

For more information, please see our AI & Voice Disclosure.

We share your personal data only with trusted third-party processors who help us operate the Platform. We never sell your personal data.

All processors are bound by data processing agreements that require them to handle your data in accordance with GDPR and our instructions.

Some of our third-party processors are based outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure adequate protection through the following safeguards:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all processors located outside the EEA to ensure your data receives equivalent protection.
• EU-US Data Privacy Framework: Where applicable, we rely on processors that are certified under the EU-US Data Privacy Framework as an additional transfer mechanism.
• Supplementary measures: We implement additional technical and organisational measures where necessary, including encryption in transit and at rest.

You may request a copy of the relevant transfer safeguards by contacting privacy@drivzu.ie.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

When data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to you.

Under the GDPR and Irish data protection law, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to restrict processing: You can ask us to suspend processing of your data in certain circumstances.
• Right to data portability: You can request your data in a structured, commonly used, machine-readable format and transfer it to another controller.
• Right to object: You can object to processing based on legitimate interests, including profiling.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Right to complain to the DPC: You have the right to lodge a complaint with the Data Protection Commission (see Section 15 below).

To exercise any of these rights, please email privacy@drivzu.ie. We will respond to your request within one month. In certain cases, this period may be extended by a further two months where requests are complex or numerous, and we will inform you of any such extension.

We may ask you to verify your identity before processing your request to protect your data from unauthorised access.

The Drivzu Platform is intended for users aged 17 and over, in line with the minimum age for applying for a learner driving permit in Ireland.

We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly.

If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@drivzu.ie.

Drivzu uses automated processing in the following areas:

• Instructor matching algorithm: When you search for Instructors, our algorithm ranks results based on factors such as location proximity, availability, pricing, ratings, and your search preferences. This is done to provide you with the most relevant results.
• Voice AI assistant: Our AI voice assistant uses automated processing to understand your requests and generate responses. It does not make binding decisions on your behalf without your confirmation.
• Fraud detection: We use automated systems to detect potentially fraudulent or abusive activity on the Platform.

None of these automated processes make decisions that produce legal effects or similarly significant effects on you without human involvement. You have the right to request human intervention, express your point of view, and contest any decision that significantly affects you.

To request human review of an automated decision, contact privacy@drivzu.ie.

We use cookies and similar technologies to operate the Platform, remember your preferences, and improve your experience. Cookies are small text files stored on your device when you visit our website.

We use the following categories of cookies:

• Essential cookies: Required for the Platform to function (authentication, security, session management). These do not require consent.
• Functional cookies: Remember your preferences (such as theme and language). These do not require consent.
• Analytics cookies: Help us understand how users interact with the Platform. These require your consent.
• Marketing cookies: Used to deliver relevant advertising. These require your consent.

You can manage your cookie preferences at any time through our cookie banner or your browser settings. For full details, please see our Cookie Policy.

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:

• Encryption: All data is encrypted in transit (TLS/HTTPS) and sensitive data is encrypted at rest.
• Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls.
• Secure authentication: We support OTP, MFA, and OAuth for secure account access.
• Infrastructure security: Our infrastructure is hosted on reputable cloud providers with industry-standard security certifications.
• Regular reviews: We regularly review and update our security practices to address emerging threats.

Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you of significant changes via email or a prominent notice on the Platform.
• Where changes affect processing based on consent, we will seek fresh consent where required.

We encourage you to review this policy periodically to stay informed about how we protect your data.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Privacy enquiries: privacy@drivzu.ie
• General enquiries: hello@drivzu.ie
• Address: Drivzu Ltd, Dublin, Ireland

Complaints to the Data Protection Commission

If you are not satisfied with our response to your enquiry or believe that we are processing your personal data in a manner that is not compliant with data protection law, you have the right to lodge a complaint with the Data Protection Commission (DPC):

• Name: Data Protection Commission
• Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
• Website: dataprotection.ie

We would appreciate the opportunity to address your concerns before you contact the DPC, so please reach out to us first at privacy@drivzu.ie.