Privacy Policy
Last updated: June 1, 2026
Data Controller
Bíró Ádám EV
info@drivemate.hu
Hungary
Data protection officer: based on the current operating model, the controller is not required to appoint a separate DPO.
Full operator, contact, and registration details are available in the Impressum page.
For privacy questions or data-subject requests, contact us at info@drivemate.hu.
Scope of This Notice
DriveMate is an account-based web service for vehicle administration, document handling, reminders, OCR-assisted data extraction, and AI-assisted buyer tools.
This notice describes the data categories, browser storage, and processors that are actually present in the current Hungary web launch path as of June 1, 2026. The requested account data, especially your email address, is required for registration and for the core service to work; without it the service cannot be used.
Data We Collect & Purposes
We process the following main data categories when you use the service:
Account and identity data
Data involved: Name, email address, hashed password for local accounts, login provider and provider identifier, email verification, password-reset and email-change tokens, language setting, subscription tier, search-credit balance, and refresh-token related metadata.
Purpose: Registration, sign-in, session handling, account recovery, account security, and management of subscription entitlements.
Legal basis: Primarily performance of a contract or steps before a contract (GDPR Article 6(1)(b)); security-related elements also rely on the controller's legitimate interests (GDPR Article 6(1)(f)).
Vehicle and garage data
Data involved: Vehicle records such as plate, VIN, make, model, mileage, deadlines, and other garage-related details you store in the app.
Purpose: Providing garage management, reminder, and plan-limit features.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Vehicle documents and uploaded files
Data involved: Maintenance records, invoices, vehicle documents, JSZP import files, OCR-uploaded images or PDFs, and stored object keys for files kept in private storage.
Purpose: Document handling, controlled file access, and support for import and OCR workflows.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Driver-license and reminder data
Data involved: License details, alert settings, notification preferences, and generated in-app notices related to your account.
Purpose: Operating expiry tracking and reminder features.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Buyer AI and OCR processing data
Data involved: Buyer-search inputs and outputs, OCR inputs and parsed results, buyer AI search records, and related structured records created from your requests.
Purpose: Executing the OCR and AI features you trigger, displaying results, and keeping them available inside your account.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)); only the content needed for the requested feature is forwarded to OpenAI.
Contact requests
Data involved: Name, email address, subject, and message content sent through the contact form, together with the information needed to handle support or complaint requests.
Purpose: Handling support, bug-report, and complaint requests and documenting the related communication.
Legal basis: The controller's legitimate interests in providing smooth customer communication and case handling (GDPR Article 6(1)(f)).
Technical, security, and session data
Data involved: Auth-cookie state, locale preference, request and error-handling metadata, and security information needed for session refresh and abuse prevention.
Purpose: Operating the service, refreshing sessions, preventing abuse, applying rate limits, and maintaining IT security.
Legal basis: The controller's legitimate interests in keeping the system secure and stable (GDPR Article 6(1)(f)).
Legal Basis
The legal basis depends on the feature and data category involved. The main bases are:
- Performance of a contract or steps before a contract (GDPR Article 6(1)(b)): account creation, sign-in, vehicle records, document storage, reminders, OCR and buyer AI features, and other service actions you request.
- Legitimate interests (GDPR Article 6(1)(f)): security, abuse prevention, rate limiting, support handling, complaint handling, session protection, and operational stability.
- Legal obligation (GDPR Article 6(1)(c)): processing payment, billing, and accounting records to the extent required by applicable tax and accounting rules.
Retention Period
We retain data based on purpose limitation, deletion workflows, and mandatory legal retention periods:
- Account, vehicle, document, OCR, buyer, and reminder data remain in the service while your account is active.
- Verification, password-reset, and email-change tokens remain only until they are used or expire.
- The API issues auth cookies with max ages of up to 7 days for access and 30 days for refresh unless they are cleared earlier.
- Data tied to payment, billing, and accounting records is retained according to mandatory Hungarian legal retention requirements; in practice this can mean retention for at least 8 years.
- Contact and complaint messages are generally retained for up to 1 year after the request is closed; longer retention can be justified where a dispute or legal claim is involved.
- When you delete your account, deletion of the user record and related active application data starts immediately together with cleanup of related private stored files; billing or accounting data that must be retained by law can remain as an exception.
Processors and infrastructure
The service relies on the following main processors and infrastructure providers; some of them are only involved when you actually use the related feature:
| Provider | Role | Data involved | Transfer note |
|---|---|---|---|
| Vercel | Hosting and CDN delivery for the `drivemate.hu` web frontend. | Technical request metadata, static-page delivery, edge caching, and operational logs for the web surface. | Not a Hungary-only provider; international-transfer safeguards follow the provider's GDPR mechanisms. |
| Google Cloud Run / Artifact Registry | Runtime and deployment infrastructure for the API. | API requests, auth-cookie session traffic, application logs, and server-side business data sent for processing. | The service runs in Europe, but the provider is international and contractual transfer safeguards still apply. |
| Neon | Production PostgreSQL database hosting. | Structured storage for account, vehicle, document, license, payment, billing, and related application records. | The database runs in a European region, but the provider is not a Hungary-only operator. |
| Cloudflare R2 | Private object storage and signed file delivery. | Uploaded documents, images, import files, and the related object keys used by the application. | Not a Hungary-only provider; the actual transfer path depends on Cloudflare infrastructure. |
| Resend | Transactional email delivery. | Recipient email address, name, message or notification content, and delivery-related metadata. | Transfers can occur through the provider's international email infrastructure. |
| Barion | Hosted online checkout, payment-status confirmation, and payment-transaction reference handling. | Payer email and name hints, order amount, plan or pack descriptors, payment identifiers, and provider-status data. Card details are handled by Barion. | Hungarian-regulated payment provider, but it may rely on international payment infrastructure. |
| Billingo | Invoice issuance and invoice-reference handling for successful payments. | Billing name, email address, address data, tax number where provided, purchased items, and payment references. | Hungarian invoicing provider; its own processing terms and technical infrastructure apply. |
| OpenAI | OCR and AI processing for features you explicitly trigger. | For OCR, the image or PDF you uploaded is processed via a signed file URL; for buyer AI, the search parameters and generated outputs are processed. | The provider uses international infrastructure; where data leaves the EEA, the provider's contractual safeguards apply. |
| Google Identity | Google sign-in script and Google ID-token based authentication for the web interface. | Technical metadata related to sign-in and the identity token issued by Google. | Google uses global infrastructure; the details are governed by Google's own terms and transfer mechanisms. |
OpenAI and Google Identity are only involved when you use the relevant feature; they do not receive blanket access to your full account.
International Transfers
The current service relies on infrastructure and application providers that operate across multiple countries. In practice this means:
- The service does not make a blanket promise that every data path stays only in Hungary or only within the EEA.
- The actual transfer path can depend on the feature you use, the infrastructure provider involved, and that provider's support or processing model.
- Where personal data is transferred outside the EEA, the controller relies on the relevant provider's contractual and GDPR-compatible transfer safeguards.
Your Rights
Under GDPR, you have the following rights:
- Right of access — request a copy of your data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data
- Right to restriction — request restriction of processing
- Data portability — request your data in machine-readable format
- Right to object — object to processing, especially where processing is based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting earlier lawful processing.
To exercise your rights or ask a privacy question, contact info@drivemate.hu.
For complaints, you can also contact the Hungarian DPA (NAIH): Falk Miksa utca 9-11, 1055 Budapest, Hungary, https://www.naih.hu
AI Features and Automated Decision-Making
DriveMate uses OCR and AI-assisted processing for features you explicitly trigger, but the current web launch path does not use solely automated decision-making that produces legal or similarly significant effects about you.
AI and OCR outputs are assistive results. You should independently verify important legal, technical, financial, and purchase decisions.
Data Security
In the current implementation, the service uses HTTPS, hashed passwords for local accounts, HttpOnly and secure auth cookies, refresh-token rotation, failed-login limits and temporary lockout, signed private file access, rate limiting, and server-side security controls.
Cookies
For exact current cookie and browser-storage behavior, see the Cookies page. →
Changes
When this notice changes materially, we will publish the updated version here and change the date shown above.