Data Protection Notice

Last updated: April 11, 2026

LeftDrive is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws. This notice explains how we collect, use, and protect your personal information.

1. Data Controller

LeftDrive operates as the data controller for personal data collected through our platform. We are responsible for ensuring that your data is processed lawfully, fairly, and transparently.

2. Categories of Personal Data

We process the following categories of personal data:

Category | Data Types | Purpose | Legal Basis
Identity | Name, username | Account management | Contract
Contact | Email address | Communication, account recovery | Contract
Usage | Course progress, quiz results | Service delivery | Contract
Technical | IP address, browser type, device info | Security, analytics | Legitimate interest
Payment | Stripe customer ID, subscription status | Payment processing | Contract
Preferences | Language, theme settings | Personalization | Consent

3. Legal Bases for Processing

  • Contract performance: Processing necessary to provide our educational services and manage your subscription.
  • Legitimate interests: Analytics to improve our platform, security monitoring, and fraud prevention.
  • Legal obligation: Compliance with tax laws, financial regulations, and other legal requirements.
  • Consent: Optional personalization features and marketing communications (you can withdraw consent at any time).

4. Data Retention

  • Account data: Retained for the duration of your account plus 3 years after deletion.
  • Payment records: Retained for 7 years to comply with financial regulations.
  • Usage analytics: Aggregated and anonymized after 2 years.
  • Support communications: Retained for 2 years after resolution.
  • Backup data: Automatically purged within 90 days of deletion.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions for countries recognized as providing adequate protection.
  • Binding Corporate Rules for intra-group transfers.
  • All third-party processors are contractually bound to maintain equivalent data protection standards.

6. Your Rights Under GDPR

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data ('right to be forgotten').
  • Right to restriction: Limit how we process your data in certain circumstances.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Security Measures

  • Technical measures: TLS 1.3 encryption for data in transit, AES-256 encryption for data at rest, bcrypt password hashing.
  • Organizational measures: Staff data protection training, access controls, regular security audits.
  • Infrastructure: Hosted on ISO 27001 certified infrastructure with regular penetration testing.
  • Incident response: Documented breach response procedures with 72-hour notification to supervisory authorities.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • Inform affected individuals without undue delay when the breach is likely to result in high risk.
  • Document all breaches in our internal breach register regardless of notification requirements.
  • Take immediate steps to contain the breach and prevent further unauthorized access.

9. Cookies and Tracking

  • Essential cookies: Required for platform functionality and security. Cannot be disabled.
  • Analytics cookies: Help us understand how users interact with our platform. Require consent.
  • Preference cookies: Remember your language and display settings. Require consent.

We do not use advertising or tracking cookies. You can manage cookie preferences through our cookie banner.

10. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority. In the EU, this is typically the data protection authority in your country of residence. You can find contact details for all EU supervisory authorities at the European Data Protection Board website (edpb.europa.eu).

11. Changes to This Notice

We may update this Data Protection Notice to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of significant changes by posting the updated notice on this page and updating the 'Last updated' date.

Contact Our Data Protection Officer

If you have questions, concerns, or requests regarding the protection of your personal data, please contact our Data Protection Officer (DPO):

Data Protection Officer, LeftDrive

Email: [email protected]

Website: https://leftdrive.app

We respond to all requests within 30 days as required by GDPR.