DriveLink
Sign inList your fleet

Legal

Privacy Policy

Last updated: 11 May 2026

1. What this policy covers

This policy explains what personal information DriveLink SL ("we", "our") collects when you use our platform, why we collect it, who we share it with, and the rights you have over it. It applies to everyone who uses drivelink.lk — renters, agencies, and visitors.

2. What we collect

From renters:

  • Full name, mobile number, optional email address
  • National Identity Card (NIC) photo and selfie, processed by our identity-verification partner Didit
  • Bookings you place: dates, vehicle chosen, payment status
  • Communications with DriveLink support and agencies you book with

From agencies:

  • Owner name, mobile number, optional email
  • Agency name, address, city, description
  • Vehicle details: photos, registration plate, pricing, insurance type
  • Booking activity, ratings, and reliability statistics

Automatically when you visit the site:

  • Browser type, device information, IP address
  • Authentication cookies so you stay logged in
  • Pages viewed and interactions, for product improvement

3. Why we collect it

  • To run the platform: match renters with agencies, process bookings, send OTP codes, deliver SMS alerts and email notifications.
  • To verify identity: reduce fraud and protect agencies from unreliable renters (and renters from unreliable agencies).
  • To enforce safety: investigate disputes, suspend abusive accounts, maintain reliability and rating systems.
  • To improve the product: aggregate usage data tells us what to build next. Individual data is not used for marketing without consent.
  • To comply with law: respond to lawful requests from Sri Lankan authorities when required.

4. Who we share it with

We share only the minimum needed, with these third parties:

  • Didit (identity verification) — receives NIC photo, selfie, and your contact info to perform liveness checks.
  • text.lk (SMS provider) — receives your phone number and the message content (OTP codes, booking notifications).
  • SMTP email provider (currently Google Gmail) — handles transactional email delivery (verification, notifications).
  • Supabase (database + auth) — stores your account data on our behalf.
  • Vercel (hosting) — runs the application servers.
  • Between renters and agencies — when a booking is confirmed and paid, renters and agencies see each other's names, phone numbers, and vehicle handover details.

We do not sell personal data to advertisers, brokers, or any third party. Anonymous, aggregate analytics may be used for marketing claims ("5,000 bookings this month") — never anything tied to your identity.

5. How long we keep it

  • Account data: as long as your account exists, plus 12 months after deletion for fraud-prevention and dispute history.
  • NIC/selfie images: stored encrypted, accessible only to admins during KYC review. Deleted on account deletion.
  • Booking history: retained for 2 years for legal, accounting, and reliability-score calculation.
  • OTP codes and verification tokens: 10 minutes maximum, then deleted.
  • Server access logs: 30 days for security monitoring.

6. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate information — most fields are editable from your account settings; otherwise contact support.
  • Delete your account, which removes all directly-identifying data (we keep anonymised booking statistics for product analytics).
  • Object to specific uses by contacting support.

7. Security

We use HTTPS everywhere, store passwords as one-way hashes (you can't actually log in with a password on DriveLink — only OTP), encrypt sensitive uploads, and limit admin access to a small team. No system is perfectly secure, but we follow current best practices and update them as threats evolve.

8. Cookies

We use first-party cookies for authentication (so you stay logged in) and to remember your preferences. We do not use third-party advertising cookies. If you disable cookies, the platform won't work properly.

9. Children

DriveLink is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe we have, contact us immediately and we'll delete it.

10. Changes to this policy

We may update this policy. Material changes will be notified via email and/or in-app. The "last updated" date at the top of this page always reflects the latest version.

11. Contact

Privacy questions or data requests: privacy@drivelink.lk. General support: support@drivelink.lk or via the in-app support chat for agencies.