1. Introduction

DrivePilot ("we", "us", "our") operates drivepilot.eu and provides software-as-a-service for European driving schools. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable national laws.

Data Controller: DrivePilot, Luxembourg
Contact: privacy@drivepilot.eu

2. What Data We Collect

We collect the following categories of personal data:

Account data: name, email address, hashed password
School staff data: name, contact details, role, availability and qualifications (for instructors)
Student data: name, contact details, lesson history, progress, and documents submitted during onboarding
Usage data: login history, IP address, browser type and session events
Payment data: invoice records only — no payment card details are stored by DrivePilot (Payconiq handles card processing)

3. How We Use Your Data

We process your personal data for the following purposes:

Service delivery: scheduling, student CRM, invoicing, and document management
Communication: email reminders, compliance alerts and customer support
Legal compliance: retaining records required by Luxembourg and applicable EU law
Security: preventing fraud, abuse and unauthorised access

Legal basis: contractual necessity, legal obligation and legitimate interest in providing the SaaS service.

4. Data Retention

Invoices and financial records: 10 years (Luxembourg commercial law)
Student and instructor data: duration of the service relationship plus 10 years (linked to invoice retention)
Activity and security logs: 2 years
Demo requests: 12 months

5. Your Rights (GDPR)

As a data subject you have the following rights:

Right to access: request a copy of the data we hold about you
Right to rectification: correct inaccurate or incomplete data
Right to erasure: request deletion of your data (financial records must be retained per applicable law)
Right to data portability: receive your data in CSV or JSON format
Right to object: object to processing based on legitimate interest
Right to lodge a complaint: contact Luxembourg's supervisory authority, the CNPD (Commission Nationale pour la Protection des Donnees)

To exercise any right, email privacy@drivepilot.eu. We respond within 30 days as required by GDPR.

6. Data Security

Encryption in transit: TLS 1.3
Encryption at rest: AES-256
Authentication: JWT tokens, hashed passwords, account lockout after repeated failed attempts
Tenant isolation: each school's data is fully separated at the database level
Backups: daily encrypted backups retained for 30 days

7. Third-Party Processors

We use the following sub-processors, all operating under GDPR-compliant data processing agreements:

Microsoft Azure: database and application hosting (EU data centres)
SendGrid (Twilio): transactional email delivery (GDPR-compliant, EU servers)
Payconiq: payment processing (Luxembourg-based)

All data is stored in EU data centres. No personal data is transferred outside the European Economic Area.

8. Cookies

We use strictly necessary session cookies for platform authentication. We do not use analytics, advertising or marketing cookies. No third-party tracking scripts are loaded on the platform.

9. Data Breach Notification

In the event of a personal data breach we will:

Notify the Luxembourg CNPD within 72 hours of becoming aware
Notify affected individuals without undue delay where there is a high risk to their rights
Document the breach in our internal register

Security contact: security@drivepilot.eu

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or in-platform notification. The date below indicates when this policy was last revised.

11. Contact Us

For privacy questions or to exercise your GDPR rights:

Email: privacy@drivepilot.eu
General inquiries: hello@drivepilot.eu
Address: Luxembourg

Last updated: February 2026