Privacy Policy - DRI COPILOT

Responsible entity: InAppBot Inc. ("InAppBot", "we", "our") operates DRI COPILOT, including the mobile application, website, and related services (the "Service"). This Policy explains how we collect, use, share, retain, and protect personal data when you use DRI COPILOT. Please read it carefully along with our Terms of Use and Cookie Policy.

1. Scope and acceptance

This Policy applies to:

Drivers and registered users of DRI COPILOT (iOS/Android mobile application).
Website and landing page visitors.
Users of the integrated marketplace.
Individuals who contact our support team or engage with our communications.

By downloading, installing, registering, or using the Service, you accept the practices described in this Policy. If you do not agree, you should not use the Service. In jurisdictions where explicit consent is required for certain processing (such as background location or push notifications), we will request it separately.

2. Information we collect

We collect data you provide directly, data automatically generated by your use of the Service, and data obtained from authorized third parties.

2.1 Data you provide

Account and identification data: name, email address, phone number, user identifiers, login credentials, session tokens.
Verification and regulatory compliance data: TLC (Taxi and Limousine Commission) license number, vehicle data (plate, make, model, year, color, type), vehicle identification number (VIN), and information linked to DMV/TLC monitoring.
Community content: incident reports (location, type, description, optional photos), votes, vehicle plate alerts, images, and associated metadata.
Voice and command data: audio recordings or transcriptions voluntarily submitted when you use voice assistant or command processing features.
Commerce and marketplace data: cart contents, wishlist, shipping addresses, marketplace profile, and service preferences.
Communications: message content with support, legal requests, privacy requests, and responses.

2.2 Automatically collected data

Precise location data: GPS coordinates (latitude/longitude), altitude, heading/direction, speed, horizontal accuracy, and timestamp. See Section 11 for details on background location.
Device and technical data: device model, operating system and version, device language, time zone, device identifiers (including IDFA on iOS and Android Advertising ID when available), push notification tokens (FCM), error logs, and usage events.
Navigation and trip data: route geometry, stop points, distance traveled, trip duration, navigation history, and daily summaries. If manually entered by the user, the following may also be recorded: service platform, vehicle type, passenger type, pickup/destination location, fare, and tip.
Sensor data: accelerometer data (for motion detection and battery optimization) and compass data (for heading calculation).
Session and preference data: preferred language (es/en), visual theme (light/dark), onboarding status, notification preferences, and app settings.
Parking location: when you use the "Park" feature, your vehicle coordinates are stored exclusively on your device (local storage). This information is never transmitted to our servers, external providers, or other users. Only the account owner using the device where it was saved can view this location.
Usage analytics data (with consent): if you agree to share anonymous usage data, we collect aggregated information about screens visited, features used, and interaction events through Firebase Analytics (Google). This data is anonymous, does not include location data, personal content, or advertising identifiers (IDFA/AAID), and is used exclusively to improve the app experience. This collection requires your explicit consent, which you can grant or revoke at any time from Settings > Usage Analytics within the application. If you do not grant consent, no analytics data is collected.

2.3 Data obtained from third parties

Government and public databases: for-hire vehicle (FHV) records from NYC Open Data, TLC driver licenses, DMV suspension status (drivers and vehicles), NYC parking violation records, restaurant inspection data, and VIN information from NHTSA (National Highway Traffic Safety Administration).
Flight data: real-time flight information from NYC airports (JFK, LGA) provided by AirLabs API, including flight codes, airlines, status, aircraft position, and arrival times.
Infrastructure providers: technical data from Mapbox (geocoding, routing), Firebase (notification delivery), Supabase (database infrastructure), Shopify (marketplace checkout and payment processing), and RevenueCat (subscription status, in-app purchase history).
AI providers: processing results from Google AI (Gemini), Groq, and xAI when you use optional voice or command features.

3. How we use information

Service delivery: operate real-time navigation, proximity alerts (no-stopping zones, stop signs, taxi zones, hydrants, parking meters), community reports, and tools for TLC drivers.
Verification and compliance: verify TLC license status, monitor DMV suspensions, track parking violations, and alert about document expirations.
Security and authentication: authenticate users, protect accounts, detect and prevent abuse, fraud, or unauthorized use of the Service.
Operational communications: send push notifications about alert status changes, license expirations, violation penalties, plate alerts, and account updates.
Community features: facilitate incident reports, vehicle-related alerts among users, and community safety features.
Subscriptions: manage Nitro Pro subscriptions (activation, renewal, cancellation), verify premium entitlement status, coordinate in-app purchases between Apple App Store and Google Play Store through RevenueCat, and process purchase restoration.
Marketplace and commerce: operate the integrated store, process purchases through Shopify, and manage deliveries, returns, and related issues.
Service improvement: analyze usage patterns to improve performance, interface, routes, and features. When the user grants explicit consent, we use Firebase Analytics to collect anonymous usage data (screens visited, features used) that help us prioritize improvements. This analytics does not include personal data, location, or advertising identifiers.
Legal compliance: fulfill legal, regulatory, tax obligations, and requirements from competent authorities, including subpoenas, court orders, and valid government requests.
Dispute resolution: investigate incidents, resolve disputes between users, and enforce our Terms of Use.

4. Legal bases for processing (EEA/UK)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your data under the following GDPR legal bases:

Performance of contract (Art. 6(1)(b)): when processing is necessary to provide the Service you requested, including navigation, alerts, license verification, and marketplace features.
Legitimate interest (Art. 6(1)(f)): Service security, abuse prevention, product improvement, operational analytics, and Service-related communications. We assess that these interests do not override your fundamental rights and freedoms.
Consent (Art. 6(1)(a)): for background location, push notifications, voice/AI features, and other optional permissions. You can withdraw your consent at any time.
Legal obligation (Art. 6(1)(c)): when we must retain or disclose information by law, regulation, legal process, or binding government request.

5. When we share information

We do not sell personal data as defined by the California Consumer Privacy Act (CCPA/CPRA) or other state privacy laws. We do not share personal data for cross-context behavioral advertising as a primary practice of the Service.

We share limited information in the following scenarios:

Service providers and processors: we share data with providers that process information on our behalf under contractual instructions, including cloud infrastructure, authentication, notification delivery, maps, payment processing, e-commerce, and technical support. These providers are contractually obligated to protect your data and not use it for their own purposes.
Authorities and legal compliance: exclusively when there is a valid court order issued by a competent court or binding legal mandate. InAppBot will not voluntarily disclose user data, community reports, or app-generated information to regulatory agencies (including the TLC), law enforcement, or government entities for the purpose of enforcement or sanctions against drivers. Informal, administrative, or convenience-based requests will be rejected. InAppBot reserves the right to legally challenge requests it considers excessive, indiscriminate, or contrary to the privacy rights of its users.
Protection of rights: to investigate fraud, abuse, security threats, violations of our Terms of Use, or illegal activities.
Corporate transactions: in the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, your data may be transferred as part of the transaction, with reasonable safeguards and prior notice when feasible.
Content visible between users: certain incident reports and community alerts are visible to other authenticated users of the Service, with minimization of personally identifiable information. Targeted plate alerts are only visible to the registered vehicle owner, except for broadcast alerts (such as vehicles reported as stolen).
With your consent: in other cases where you have given express consent to share specific data.

6. Third-party providers and services

The Service integrates SDKs, APIs, and third-party services that may collect data according to their own privacy policies. We recommend reviewing their policies:

Provider	Function	Shared data	Privacy policy
Supabase	Database, authentication, backend functions, storage	Account data, location, alerts, reports, preferences	supabase.com/privacy
Mapbox	Maps, navigation, geocoding, geofencing	Location coordinates, geocoding queries, route data. Mapbox may collect anonymous telemetry data through its SDK.	mapbox.com/legal/privacy
Firebase (Google)	Push notifications (FCM), file storage, usage analytics (with user consent)	FCM tokens, notification content, media files, anonymous app usage data (with consent only)	firebase.google.com/support/privacy
Shopify	Marketplace catalog, secure checkout (hosted checkout), and payment processing	Cart data, orders, purchase preferences, payment information (managed directly by Shopify, not stored by InAppBot)	shopify.com/legal/privacy
RevenueCat	In-app subscription management (Nitro Pro), purchase coordination between Apple/Google	Anonymous user identifier, subscription status, purchase history, device platform. RevenueCat does not receive payment card data.	revenuecat.com/privacy
Google AI (Gemini)	Voice/command processing (optional)	Audio or voice command transcriptions	ai.google.dev/gemini-api/terms
Groq	AI processing (optional)	Command transcriptions	groq.com/privacy-policy
xAI	AI processing (optional)	Command transcriptions	x.ai/legal/privacy-policy
AirLabs	Real-time flight data	Flight queries (public data, no personal information)	airlabs.co/privacy-policy
NYC Open Data (SODA API)	FHV records, TLC licenses, parking violations	Plate and license queries against public databases	NYC Open Data Terms

Note about Mapbox: in accordance with Mapbox SDK requirements, we inform you that Mapbox may collect certain telemetry and performance data through its SDK integrated into our application. For more information about Mapbox data practices, see the Mapbox Privacy Policy and its Data Processing Addendum.

7. Regulatory and government data

DRI COPILOT integrates data from public government and regulatory sources to provide informational tools to TLC drivers. It is important that you understand how we handle this data:

Sources: we query public data available through NYC Open Data (SODA API), New York State DMV records, and the NHTSA VIN database.
Data types: for-hire vehicle (FHV) records, TLC driver licenses, DMV driver and vehicle suspension statuses, and parking violation records.
Permitted use: this data is used exclusively to provide informational alerts, compliance monitoring, and assistance tools to registered TLC drivers, within uses permitted by applicable law.
Driver's Privacy Protection Act (DPPA): to the extent that any data queried is subject to the Driver's Privacy Protection Act (18 U.S.C. Chapter 123), we use it solely for authorized purposes, including provision of the Service requested by the user, record verification, and legitimate business purposes related to motor vehicles. We do not resell or distribute motor vehicle records to unauthorized third parties.
Accuracy: this data is periodically synchronized but may have delays, errors, or inconsistencies compared to official real-time records. Always verify critical information directly with the issuing authority.

8. International data transfers

Your data is primarily processed in the United States (us-east region). Our service providers (Supabase, Firebase/Google, Shopify, Mapbox, AI providers) may process data in multiple countries where they operate data centers.

For transfers from the EEA, United Kingdom, or Switzerland, we apply appropriate transfer mechanisms, including:

Standard contractual clauses (SCCs) approved by the European Commission.
Adequacy decisions when available.
Certifications or recognized frameworks (such as the EU-U.S. Data Privacy Framework when applicable).
Supplementary technical measures (encryption in transit and at rest).

9. Data retention

We retain data for as long as necessary for the purposes described in this Policy, to fulfill legal obligations, and to resolve disputes:

Data category	Retention period	Criterion
Account data	While the account is active + 90 days	Grace period for reactivation and security
Location/navigation history	Up to 90 days on device, up to 12 months on our servers	Service functionality, trip statistics
Parking location	Device only, until the user deletes it	Exclusively local storage; never transmitted to servers
Community reports and incidents	Per report settings (hours to days)	Configurable automatic expiration
Alerts and regulatory monitoring	While the user keeps monitoring active	Deleted when the user deactivates alerts
Transaction/payment data	Up to 7 years	Applicable tax and legal obligations
Flight data	Up to 24 hours	Transient data updated every 10 minutes
Security and audit logs	Up to 24 months	Fraud prevention and compliance
Voice/AI data	Not retained by InAppBot after processing	Sent to AI providers and discarded locally

When you request account deletion, we delete or anonymize data we are not legally required to retain. Data already contributed to community reports is unlinked from your identity but may remain as anonymous statistical data.

10. Data security

We implement a data security program with reasonable administrative, technical, and organizational controls, in accordance with NY SHIELD Act requirements and industry best practices:

Technical: encryption in transit (TLS/HTTPS), encryption at rest in databases, role-based access controls (RLS - Row Level Security), session tokens with expiration, privilege separation between services.
Administrative: minimum necessary access policies, permission reviews, centralized secrets management, and data processing contracts with providers.
Organizational: provider evaluation, data access auditing, and incident response.

Payment data: all credit/debit card information from the marketplace is managed directly by Shopify through its secure checkout (hosted checkout). Nitro Pro subscriptions are processed by Apple App Store or Google Play Store, coordinated through RevenueCat which only receives anonymous identifiers and purchase status, never card data. InAppBot never stores, processes, or transmits complete payment card data.

No system is 100% invulnerable. If we detect a security incident affecting your personal data, we will notify you in accordance with applicable law (including the NY SHIELD Act which requires notification without unreasonable delay).

11. Background location and sensitive permissions

Location collection is a core feature of DRI COPILOT. Below we transparently explain how it works:

11.1 Foreground location

When the app is open and visible, we continuously collect precise location to show your position on the map, calculate routes, display nearby points of interest, and provide real-time navigation.

11.2 Background location

If you grant "Always" location permission, the app may process location when in the background or closed for:

Proximity alerts (no-parking zones, stop signs, hydrants, parking meters).
Geofence detection (restaurants, custom points of interest, automotive services).
Community safety notifications (police, TLC, nearby reports).
Trip logging and navigation statistics.
Live Activity/Dynamic Island features on iOS 16+: the widget extension accesses neighborhood name, borough, and population density through a shared App Group between the main app and the system widget.

Background frequency: background updates occur approximately every 30 seconds with a minimum movement of 100 meters, significantly less frequent than in the foreground.

11.3 How to disable location

iOS: Settings > Privacy & Security > Location Services > DRI COPILOT > Select "Never" or "While Using the App".
Android: Settings > Apps > DRI COPILOT > Permissions > Location > Select "Deny" or "Only while using the app".

Impact of disabling: by revoking background location permission, proximity alerts, geofences, community notifications, and automatic trip logging will stop working when the app is not visible. By revoking all location, map, navigation, and nearby points of interest features will not be available.

11.4 Other sensitive permissions

Camera: optionally used to take photos of incident reports, plate alerts, and documents.
Microphone: optionally used for voice commands and audio transcription.
Notifications: required to receive safety alerts, expirations, penalties, and community updates.
Motion sensors: accelerometer used for motion detection and battery consumption optimization.

12. Voice and AI processing

When you use voice command features, the audio or its transcription is sent to third-party AI providers (Google AI/Gemini, Groq, or xAI) to interpret your instruction and return a system action. These features are completely optional.

InAppBot does not persistently store audio recordings; they are processed and discarded.
AI providers have their own data retention policies (see the table in Section 6).
Avoid including sensitive personal data, passwords, or financial information in voice commands.
You can stop using voice features at any time without affecting other Service functionality.

13. Automated decision-making

DRI COPILOT uses automated processing in the following areas:

Penalty risk calculation: automated analysis of parking violations to determine penalty stages (30/60/90 days), vehicle immobilization (boot) risk, and registration suspension risk.
Alert prioritization: automatic urgency classification of alerts based on suspension status, upcoming expirations, and risk levels.
Regulatory change detection: automated comparison of government records to detect changes in license status, suspensions, or vehicle registrations.

These automated decisions are informational and do not produce legal effects or significantly affect your rights. The underlying data comes from public government sources. If you believe an automated result is incorrect, you can contact us to request a human review.

14. Your privacy rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request information about what personal data we hold about you and obtain a copy.
Correction: request correction of inaccurate or incomplete personal data.
Deletion: request deletion of your personal data, subject to legal exceptions (such as retention obligations).
Restriction/Objection: restrict or object to certain processing of your data.
Portability: receive your data in a structured, commonly used, and machine-readable format.
Withdrawal of consent: withdraw consent granted (location, notifications, voice) at any time without affecting the lawfulness of prior processing.
Non-discrimination: you will not be discriminated against or penalized for exercising your privacy rights.
Authorized agent: you may designate an authorized agent to exercise rights on your behalf, with appropriate verification.

To exercise any right, send your request to team@dricopilot.ai with your name, contact method, and description of the right you wish to exercise. We will verify your identity before processing the request.

15. Notice for California residents (CCPA/CPRA)

If you reside in California, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section supplements the rest of the Policy.

15.1 Categories of personal information collected

CCPA category	Examples collected	Purposes of use
A. Identifiers	Name, email, phone, user ID, IP address, device identifiers, FCM tokens	Account, authentication, communications, security
B. Personal information (Cal. Civ. Code §1798.80(e))	Name, TLC license number, vehicle information (plate, VIN, make, model)	Regulatory verification, compliance monitoring
D. Commercial information	Marketplace purchase history, cart, wishlist, transaction records, Nitro Pro subscription status, in-app purchase history	Purchase processing, subscription management, customer service
F. Internet/electronic network activity	App usage logs, preferences, session events, error logs	Service operation, improvement, diagnostics
G. Geolocation data	Precise GPS location (latitude, longitude, altitude, speed, heading)	Navigation, proximity alerts, geofences, security
H. Sensory information	Audio recordings (optional voice commands), images (report photos)	AI command processing, community reports
I. Professional/employment information	TLC license number, driver status, for-hire vehicle type	Verification, driver tools, regulatory alerts
K. Inferences	Penalty risk level, alert urgency, driving patterns	Alert prioritization, informational penalty estimates

15.2 Sensitive personal information

Under CCPA/CPRA, we collect the following categories of sensitive personal information:

Precise geolocation: GPS coordinates with street-level or finer precision.
Government identification numbers: TLC license number, DMV data.

We use sensitive personal information exclusively for purposes necessary to provide the Service you requested (navigation, alerts, regulatory verification) and not for additional purposes that would require the right to limit under CCPA/CPRA.

15.3 CCPA/CPRA rights

Right to know: what personal information we collect, use, share, and sell.
Right to delete: request deletion of personal information.
Right to correct: request correction of inaccurate information.
Right to opt out of sale/sharing: We do not sell or share (for cross-context behavioral advertising) your personal information.
Right to limit use of sensitive personal information: We use sensitive information only for purposes necessary for the Service.
Non-discrimination: you will not receive different service or pricing for exercising your rights.

We will respond to verifiable requests within 45 calendar days, with the possibility of an additional 45-day extension if reasonably necessary, notifying you of the extension.

15.4 Disclosures for the past 12 months

Categories sold: None. We do not sell personal data.
Categories shared for cross-context behavioral advertising: None.
Categories disclosed to service providers: Identifiers, personal information, commercial information, internet activity, geolocation, sensory information, and professional information, disclosed to providers listed in Section 6 for the described operational purposes.

15.5 Privacy preference signals

We recognize Global Privacy Control (GPC) signals as a valid opt-out request under CCPA. If your browser or device transmits a GPC signal, we will process it in accordance with applicable law.

16. Additional state privacy notices

In addition to California, the following state laws may grant you additional rights:

16.1 New York (NY SHIELD Act)

We maintain a data security program in compliance with the NY SHIELD Act, including reasonable administrative, technical, and physical safeguards to protect the private information of New York residents. In the event of a security breach involving private information of NY residents, we will provide notification in accordance with SHIELD Act requirements.

16.2 Colorado (Colorado Privacy Act)

Colorado residents may exercise rights of access, correction, deletion, portability, and opt-out of processing for targeted advertising or data sale. You can appeal our decision on a request by contacting team@dricopilot.ai with subject "Colorado Privacy Appeal".

16.3 Connecticut (Connecticut Data Privacy Act)

Connecticut residents have rights similar to Colorado, including rights to access, correction, deletion, portability, and opt-out. This also includes the right to appeal.

16.4 Virginia (Virginia Consumer Data Protection Act)

Virginia residents may exercise rights of access, correction, deletion, portability, and opt-out of processing for targeted advertising, data sale, or profiling with significant legal effects.

16.5 Texas (Texas Data Privacy and Security Act)

Texas residents have rights of access, correction, deletion, portability, and opt-out. No revenue threshold is required.

16.6 Oregon, Montana, and other states

We respect privacy rights granted by applicable consumer data privacy laws in any U.S. state where you reside. Contact team@dricopilot.ai to exercise your rights under your state's applicable law.

17. Account deletion

You can request the deletion of your account and associated data in the following ways:

From the app settings (when available).
By sending an email to team@dricopilot.ai with subject "Account Deletion Request".

When deleting your account:

Your profile, preferences, registered vehicles, active alerts, and navigation data will be deleted.
Previously created community reports are unlinked from your identity.
Transaction data will be retained per tax and legal obligations (generally up to 7 years).
Security and audit logs will be retained as necessary for fraud prevention.

We will process deletion requests within applicable legal timeframes (generally 45 days for CCPA, 30 days for GDPR).

18. Minors

DRI COPILOT is not directed at individuals under 18 years of age. We do not knowingly collect data from individuals under 18 (nor under 13 under COPPA, nor under 16 under GDPR without parental consent). If we detect that data has been collected from a minor without valid legal authorization, we will take reasonable steps to delete it promptly. If you are a parent or guardian and believe your child has provided data to the Service, contact team@dricopilot.ai.

19. Changes to this Policy

We may update this Policy periodically to reflect changes in our practices, services, legal or regulatory requirements. When changes are material, we will notify you through reasonable means, which may include:

Prominent notice within the application.
Push or email notification.
Publication on our website.

The "Last updated" date at the beginning of this Policy reflects the current version. Your continued use of the Service after the effective date of changes implies acceptance of the updated version. If you do not agree with the changes, you should stop using the Service.

20. Privacy contact

InAppBot Inc.
DRI COPILOT Privacy Team
Email: team@dricopilot.ai
Website: dricopilot.ai

If you are in the European Union, United Kingdom, California, or another jurisdiction with specific privacy rights and wish to exercise your rights, include in your request: your full name, preferred contact method, jurisdiction of residence, and details of the right you wish to exercise. We will respond within applicable legal timeframes.

If you believe the processing of your data violates your data protection rights, you have the right to file a complaint with the competent data protection authority in your jurisdiction.