Privacy Policy

Last updated: 4 March 2026

1. Who we are

DrivePro is operated by Develp Media Ltd, a company registered in England and Wales (company number available on request). We are the data controller for personal data processed through this service.

Contact us: hello@drivepro.app

2. What data we collect

We collect the following categories of personal data:

  • Instructor account data: name, email address, phone number, address, DVSA ADI licence number, National Insurance number (NINO, for HMRC submissions), bank details (via Stripe - we do not store card numbers directly)
  • Pupil data: name, email, phone number, date of birth, emergency contact details, driving licence number, lesson history, DVSA syllabus progress, test results
  • Financial data: lesson charges, payments received, expenses, mileage records - used for Making Tax Digital Income Tax submissions
  • HMRC connection data: OAuth tokens (encrypted at rest using AWS KMS), HMRC business identifiers, and fraud prevention header data (see section 3)
  • Referral data: referral codes, referrer/referee relationships, sign-up IP addresses, and Stripe payment fingerprints (used for fraud prevention)
  • Enterprise data: licence key identifiers and driving school associations for enterprise-provisioned accounts
  • Usage data: log-in times, feature usage, error logs - used to improve the service
  • Communications: support emails and messages sent to us

3. How we use your data

  • To provide and operate the DrivePro service
  • To process payments via Stripe
  • To send lesson reminders to pupils on your behalf (SMS via AWS Pinpoint)
  • To submit Income Tax Self Assessment returns to HMRC on your instruction via the Making Tax Digital for Income Tax API
  • To transmit fraud prevention headers to HMRC as required by law when making API requests on your behalf. This includes your IP address, device identifiers, browser information, screen dimensions, and timezone
  • To detect and prevent referral fraud (IP address and payment method comparison between referrer and referee)
  • To send service emails (account updates, invoices, important notices)
  • To improve and debug the service

We do not use your data for advertising or sell it to third parties.

4. Legal basis for processing

  • Contract performance: processing necessary to deliver the service you have subscribed to
  • Legal obligation: Making Tax Digital Income Tax submission, HMRC fraud prevention headers (required by law for all Making Tax Digital API calls), financial record retention
  • Legitimate interests: service improvement, security monitoring, abuse prevention, referral fraud detection
  • Consent: where we ask for it (e.g. marketing emails)

5. Data storage and security

Application data (database, file storage) is stored securely in the United Kingdom using AWS eu-west-2 (London). Authentication is provided by AWS Cognito in us-east-1; only authentication tokens and user identifiers are stored there - no pupil data or financial records leave the UK.

We use industry-standard encryption for data in transit (TLS) and at rest. HMRC OAuth tokens are encrypted using AWS KMS before storage. Access to personal data is restricted to authorised personnel only.

We are registered with the Information Commissioner's Office (ICO) under UK GDPR.

6. Data retention

  • Instructor account data: retained for the duration of your subscription. On account deletion, personal fields are anonymised but financial records are retained for 7 years (HMRC record-keeping requirements)
  • Pupil data: deleted when you delete the pupil record, or when your account is purged after deletion. Financial records linked to pupils are retained for 7 years
  • Financial records (expenses, ledger entries): 7 years from creation (legal requirement)
  • Referral data: retained for the duration of the referral programme or 7 years, whichever is longer
  • Support communications: 2 years

7. Third parties we share data with

  • Stripe - payment processing and subscription billing (Stripe's privacy policy applies to card data)
  • AWS - cloud infrastructure (eu-west-2), SMS delivery via Pinpoint, authentication via Cognito (us-east-1), and encryption via KMS
  • HMRC - Making Tax Digital Income Tax submissions on your instruction, including fraud prevention header data (IP address, device identifiers, browser information) as required by law
  • OpenAI - AI voice debrief transcription (where feature is used; audio deleted after processing)

We do not share your data with any other third parties without your explicit consent.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (subject to legal retention obligations)
  • Object to or restrict processing
  • Data portability - export your data in a machine-readable format
  • Withdraw consent at any time (where processing is consent-based)

To exercise any of these rights, email hello@drivepro.app. We will respond within 30 days.

You also have the right to lodge a complaint with the ICO at ico.org.uk.

9. Cookies

We use essential cookies to keep you logged in and remember your preferences. See our Cookie Policy for full details.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email. Continued use of DrivePro after changes take effect constitutes acceptance.