Privacy Policy

DrivewayNights is the data controller for personal data processed through the platform. We are based in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

• Account data

  Email address, full name, and role (guest or host) provided at sign-up.

• Identity verification

  Documents submitted via Stripe Identity (driver's licence, proof of address). These are processed and stored by Stripe, not on our servers.

• Listing data

  Driveway address, photos, description, pricing, amenities, and house rules.

• Booking data

  Stay dates, payment amounts, payment status, and dispute records.

• In-platform messages

  Messages you send to a host or guest after a booking is confirmed. Stored verbatim and kept for the life of the booking plus our standard retention window. See the messages section for the full disclosure.

• Payment data

  Processed entirely by Stripe. We store Stripe customer IDs, payment intent IDs, and connected-account IDs. We do not store card numbers.

• Usage data

  Server logs (IP address, user agent, timestamps) retained for security and debugging.

• To create and manage your account.
• To process bookings and payments.
• To verify host identity and property ownership.
• To resolve disputes between guests and hosts.
• To send transactional emails (booking confirmations, payout notifications, dispute updates).
• To maintain platform security and prevent fraud.
• To maintain an audit trail of admin actions (required for financial compliance).

DrivewayNights includes a guest↔host messaging surface that opens once a booking is confirmed. We want you to read this section before you type anything sensitive.

• Messages are stored verbatim — no automated content stripping or scanning. We do not analyse them with AI or share them with advertisers.
• Both participants can see every message in the thread for the life of the booking. There is no "unsend".
• Deleting your account redacts your name (you appear as "Former user") but the words you sent another user remain that user's record. This is the same approach taken by every reputable marketplace and is required so we can resolve disputes years later if needed.
• We retain messages for the same window as the parent booking (see the retention table below). Financial-record retention (7 years) applies to messages tied to disputed bookings.

Please keep all booking-related communication on the platform. Contact made off-platform (WhatsApp, SMS, email) is not covered by our dispute, refund, or safety protections.

We process your data under the following legal bases: contract performance (bookings, payments), legitimate interests (security, fraud prevention), legal obligation (financial record keeping, anti-money laundering), and consent (marketing communications, if any).

• Stripe

  Payment processing, identity verification, and connected-account management.

• Supabase

  Database hosting and authentication (EU-West region, UK data residency).

• Resend

  Transactional email delivery.

• OVHcloud

  Application hosting on a UK-region VPS. OVHcloud data centres run on 100% renewable electricity, which makes every booking you place carbon-light by default.

• Account data

  Retained while your account is active, deleted within 30 days of account deletion request.

• Financial records & audit logs

  Retained for 7 years as required by UK financial regulations.

• Server logs

  Retained for 90 days.

• In-platform messages

  Retained for the life of the booking. Messages tied to a disputed booking inherit the 7-year financial-records retention window.

• Stripe Identity documents

  Retained per Stripe's data retention policy.

Under UK GDPR, you have the right to:

• Access your personal data.
• Rectify inaccurate data.
• Request erasure ("right to be forgotten"), subject to legal retention requirements.
• Restrict or object to processing.
• Data portability.
• Lodge a complaint with the Information Commissioner's Office (ICO).

To exercise your rights, contact us at the email address below.

We use industry-standard security measures including encrypted connections (TLS), row-level security on all database tables, multi-factor authentication for admin accounts, and service-role isolation for privileged database operations.

For privacy-related enquiries, contact [email protected].