Privacy Policy (Version 1.0)
This document has been created by Naq Cyber and has been provided to Drive Inc. as part of their subscription to the Naq Cyber service. The contents of this document are strictly controlled by Naq Cyber to ensure accuracy and conformance to laws and regulations.
This document was prepared by Naq Cyber with the information provided to Naq Cyber by Drive Inc. at the time of production. It is the responsibility of Drive Inc. to ensure its accuracy and the implementation of this document into the organisation as a whole and each relevant business process. Drive Inc. trades as Sweep, Tradebid, and Nevo, and this policy pertains to processing activities carried out by each of those entities separately or as a whole. Where possible, this privacy policy will distinguish between the different entities.
| Date | Version | Reason for change | Author |
| 22/03/2022 | 1.0.0 | Initial release | Naq |
Drive Inc. respects the privacy of its customers, suppliers and partners. We have therefore formulated and implemented a policy on complete transparency regarding the processing of personal data, its purpose(s) and the possibilities to exercise your legal rights in the best possible way. For employees, we have formulated a separate privacy policy, available upon employment and upon request.
This privacy policy pertains to processing by Drive Inc. (trading as: Sweep; Tradebid and Nevo) by means other than through the use of cookies. We have formulated a separate cookie policy, which can be found on our websites:
Sweep
Identification information
User information
TradeBid
Identification information
Nevo
Identification information
Drive Inc. processes personal data for one or more of the following purposes:
The following business processes describe how we may collect, store or otherwise process the types of personal information set out in the table above:
We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your Personal Data outside Ireland and the wider European Economic Area. If we do, you can expect a similar degree of protection in respect of your Personal Data.
We will only share your Personal Data with third parties in accordance with the GDPR and as outlined in the legal justification table above.
We share your personal data with the following enterprise third parties. We also share your data with SME third parties, details of which are available upon request. You will be notified when we have engaged with a new third party recipient of your personal data.
| What it's used for | Email provider, Document storage service, Office software |
| Part of the business process | Email, Digital storage of documents, Software tools and applications |
| Types of information shared | Identification, Financial, Date of birth, Location, Contracts, Business data, Technical data, Employment and educational history |
| Who the information is about | Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Microsoft 365 retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Emailing for marketing purposes |
| Part of the business process | Marketing |
| Types of information shared | Identification |
| Who the information is about | Customers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Mailchimp retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Emailing for marketing purposes |
| Part of the business process | Marketing |
| Types of information shared | Identification |
| Who the information is about | Customers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Sendgrid retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Payment processing |
| Part of the business process | Administration |
| Types of information shared | Identification, Financial, Date of Birth, Location |
| Who the information is about | Customers, Suppliers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Stripe retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Password management |
| Part of the business process | Administration |
| Types of information shared | Identification |
| Who the information is about | Employees, Contractors, Suppliers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Zoho retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Website hosting |
| Part of the business process | Website |
| Types of information shared | Identification, Financial, Date of Birth, Location |
| Who the information is about | Customers, Employees |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | No |
| What it's used for | Source Code Depository |
| Part of the business process | Administration |
| Types of information shared | Identification |
| Who the information is about | Employees, Contractors |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Github retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
| What it's used for | Website hosting |
| Part of the business process | Website |
| Types of information shared | Identification, Location |
| Who the information is about | Customers, Suppliers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | No |
| What it's used for | Analytics |
| Part of the business process | Marketing |
| Types of information shared | Technical data |
| Who the information is about | Customers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention ofunauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimised and regularly deleted according to national retention periods. |
| International data transfer? | Yes, Google retains the right to store and transfer data in and to the USA. This is based on Standard Contractual Clauses. |
Drive Inc. (trading as: Sweep; Tradebid and Nevo)’s third party processors take all necessary measures to ensure the confidentiality, availability and integrity of personal data and to comply with the GDPR with regards to international data transfers. The international nature of its compliance certifications, as well as far-reaching technical security measures (including but not limited to encryption of the personal data, making the data illegible to an unauthorised recipient) are sufficient to ensure that the data subjects continue to benefit from the fundamental rights they are entitled to under the GDPR.
Drive Inc. (trading as: Sweep; Tradebid and Nevo) relies on processing agreements with these sub-processors that include the model clauses (or “Standard Contractual Clauses”) which have been tested on the adequacy of its protection with regards to the specific sub-processing activities carried out in this particular subprocessing relationship.
Additional security measures are taken to safeguard the international data transfers:
Your data is protected by Drive Inc. and its processors in pursuance to all legal requirements set by the relevant data processing laws. Drive Inc. has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Drive Inc. has signed processing agreements with its processors to ensure an adequate level of data protection.
The following security measures are taken by Drive Inc. to protect your personal data in the course of the listed business processes:
Drive Inc.’s staff members are required to conduct themselves in a manner consistent with guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. All staff members undergo appropriate background checks prior to hiring and sign a confidentiality agreement outlining their responsibility in protecting customer data.
We continuously train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers.
Drive Inc. maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Drive Inc. staff members will not process customer data without authorization.
As a rule, data is hosted within the EEA, but it is possible that we might transfer personal data to countries outside of this area. We ensure that we comply with the GDPR when sending data overseas by relying on data processing agreements containing standard contractual clauses with our sub processors or by taking additional measures to secure this data transfer, such as anonymisation.
The data centres on which personal data is hosted are secured and monitored 24/7 and physical access to facilities is strictly limited to select staff.
All devices which are used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited.
We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our security and privacy measures.
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of his personal data, as well as the right to object to the processing and the right to data portability.
You can exercise these rights by contacting us at the following email address: hello@driveinc.ie. Each request must be accompanied by a copy of a valid ID, on which you put your signature and state the address where we can contact you. Ensure that you write “Data Request” in the subject line of your email.
Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature. Depending on the complexity and the number of the requests this period may be extended to two months.
Marketing
The collected data are used and retained for the duration determined by law. You may, at any time, request your data to be deleted from any Drive Inc. (trading as: Sweep; Tradebid and Nevo) account, system or other data processing medium in accordance with the process described above.
These conditions are governed by the laws of England and Wales. The court in the district where the collector has its place of business has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
For questions about this privacy policy, product information or information about the website itself, please contact: hello@driveinc.ie.