Privacy Policy
Effective: 4 May 2026 — Governed by South African law (POPIA)
Summary: We collect only what we need to track your trips and generate SARS logbooks. We don't sell your data, we don't record audio, and we don't use advertising trackers. Your data is stored in South Africa. Trip coordinates are processed by third-party mapping services as described in Section 8. You can export or delete everything at any time.
1. Who We Are
DriveLog ("we", "us", "our") is a South African mileage tracking service that helps individuals and businesses maintain SARS-compliant travel logbooks. This policy explains how we handle your personal information in terms of the Protection of Personal Information Act, 4 of 2013 (POPIA).
2. Information We Collect
We collect only the information necessary to provide the service:
- Account information: email address and password (hashed with bcrypt — we cannot read your password).
- Trip data: GPS coordinates (start/end points and route waypoints), timestamps, distances, maximum and average speed (calculated from GPS), trip classification (business/personal), purpose, and notes.
- Vehicle information: make, model, year, registration number, colour, and odometer readings.
- Fuel records: fill-up date, litres, cost, odometer reading, and notes.
- Location preferences: learned locations (saved places like "Office" or "Home"), route rules for auto-classification, and catcher geofences for auto-start zones.
- Bluetooth device names: the names of paired Bluetooth devices you select for car detection. No audio is recorded.
- Subscription data: plan type, subscription status, and payment history. Credit card and banking details are processed by PayFast and are never stored by DriveLog.
- Settings: your preferences such as default trip type, GPS sensitivity, business hours, and theme.
- PDF export logs: when you generate a PDF logbook, we log your IP address for fraud prevention and document authenticity purposes.
What we do NOT collect:
- No microphone audio or voice recordings
- No camera or photo access
- No contacts, phone book, call logs, or SMS
- No advertising identifiers or tracking pixels
- No data is sold or shared with advertisers or data brokers
3. How We Use Your Information
Your information is used exclusively to:
- Record and display your trips, distances, and routes;
- Generate SARS-compliant travel logbook PDFs and CSV exports;
- Calculate tax deductions using the SARS flat rate and deemed cost methods;
- Sync your data across devices;
- Enforce plan limits (trip counts, vehicle limits);
- Send transactional emails (account verification, password reset);
- Maintain the security and integrity of your account;
- Provide fleet administrators with driver trip and behaviour data (including speed statistics) for fleet management purposes — this applies only to drivers who have accepted a fleet invite.
We do not use your data for advertising, profiling, or any purpose other than delivering the service you signed up for.
4. Location Data
DriveLog uses your device's GPS to track trip routes. Location data is collected only during active trip recording and transmitted to our servers when the trip is saved. On the Android app, a foreground service keeps GPS tracking active while the app is in the background during a trip — a persistent notification is shown whenever this is active.
Catcher geofences (if enabled) monitor your location to auto-start tracking when you enter a defined zone. This also uses the foreground location service.
GPS access requires your explicit permission. You can revoke this at any time through your device settings, though this will prevent trip tracking from functioning. You may delete individual trips or your entire account to remove stored location data.
5. Bluetooth Data
If you enable Bluetooth car detection, DriveLog reads the names of your paired Bluetooth devices to identify when your phone connects to your car. This is used solely to auto-start trip recording.
No audio is recorded. DriveLog does not access your microphone. The "Nearby Devices" permission on Android is used exclusively to read Bluetooth device names and detect connection/disconnection events.
6. AI Chatbot Interactions
DriveLog offers AI-powered SARS eligibility and claiming advisor chatbots. When you use these features:
- Your messages are sent to the Anthropic Claude API for processing.
- Conversations are session-limited (maximum 30 messages) and are not stored long-term.
- No personal financial data, trip data, or account information is sent to the AI — only the text of your question.
- Responses are general guidance and do not constitute tax advice.
7. Data Storage and Security
Your data is stored on servers hosted in South Africa. When processing trip routes and addresses, start and end coordinates are sent to third-party mapping services (Mapbox, LocationIQ, HERE) via our servers — see Section 8 for details. These services may process data in the EU or United States. This cross-border processing is permitted under POPIA Section 72 as it is necessary to fulfil the service you signed up for. We protect your data using:
- Passwords stored as bcrypt hashes — we cannot recover or read your password;
- HTTPS encryption for all data in transit;
- CSRF token protection on all form submissions and API calls;
- Rate limiting on authentication endpoints to prevent brute-force attacks;
- Secure, HttpOnly session cookies.
Your trip data belongs to you. You can export it as CSV or PDF at any time from the Export tab.
No system is perfectly secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA.
8. Third-Party Services
We use the following third-party services to operate DriveLog:
- PayFast — processes subscription payments. PayFast handles all card and banking details; DriveLog never sees or stores this information.
- Anthropic — powers the AI chatbot features via the Claude API. Only your chatbot message text is sent; no personal or trip data.
- OpenStreetMap — provides map tiles for the route visualisation map.
- Mapbox — calculates road distances and route geometry for trip entries. Your trip start and end coordinates are sent to the Mapbox Directions API via DriveLog's servers. Routes may be cached on our servers to reduce external requests.
- LocationIQ — converts GPS coordinates to street addresses via DriveLog's servers. Coordinates are rounded to a precision of approximately 11 metres and cached to minimise external requests.
- HERE — provides detailed address lookup (including house number) when you tap "Get full address". Only called on request, not automatically.
- Leaflet — open-source map display library. Runs entirely in your browser; no data is sent to Leaflet.
We do not use Google Analytics, Facebook Pixel, or any advertising or tracking services.
9. Android App Permissions
The DriveLog Android app requests the following permissions, each for a specific purpose:
- Location (fine and background): Records GPS coordinates during trips. Background location keeps tracking active while the app is minimised during an active trip.
- Nearby Devices (Bluetooth): Detects when your phone connects to your car's Bluetooth to auto-start trip recording. No audio is accessed.
- Internet: Syncs your trip data with the server and loads map tiles.
- Foreground Service — Location: Keeps GPS tracking running during active trips when the app is in the background. A notification is always visible.
- Foreground Service — Connected Device: Keeps Bluetooth car detection running when the app is minimised. A notification is always visible.
- Receive Boot Completed: Restarts the Bluetooth car detection service after your phone restarts (only if you have enabled this feature).
- Wake Lock: Prevents the phone from sleeping during active trip recording to ensure continuous GPS tracking.
- Notifications: Shows trip tracking status and Bluetooth connection alerts.
10. Cookies and Local Storage
We use a single session cookie to keep you logged in. This cookie is set with HttpOnly and SameSite=Lax flags. We do not use tracking cookies, analytics cookies, or third-party cookies of any kind.
Trip data and settings are also cached in your browser's localStorage for offline functionality. This data remains on your device and is under your control.
11. Data Retention
We retain your personal information for as long as your account is active. Deleted trips are soft-deleted and permanently purged after 90 days. When you delete your account, all associated data is permanently removed. You can export all your data as CSV or PDF before deleting your account.
12. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access: request a copy of all personal information we hold about you.
- Correction: update your account information at any time from within the app.
- Deletion: permanently delete your account and all associated data.
- Objection: object to the processing of your personal information.
- Complaint: lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za if you believe we have not handled your information lawfully.
13. Children
DriveLog is intended for users 18 years and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has registered, please contact us and we will delete the account.
14. Changes to This Policy
We may update this policy as the service evolves. Material changes will be communicated via email or a prominent notice in the app. Continued use after notice constitutes acceptance of the updated policy.
15. Contact
For any privacy-related questions, data access requests, or complaints, contact us at:
Email: support@drivelog.co.za