Legal
Privacy Policy
Effective date: 2026-06-23
1. Who we are
Drive Top-Line (“Drive Top-Line”, “we”, “us”) is a search-engine optimization SaaS operated by [Founder Legal Entity TBD], based in Austin, Texas, United States. You can reach us with any privacy question at privacy@drivetopline.com.
2. What data we collect
We collect the minimum needed to run an SEO audit and keyword tracker:
- Account data: your email address, name, and a password hash. Authentication and password storage are handled by our auth provider, Google Firebase Authentication.
- Billing data: your name, email, and billing contact details. This service never stores or processes payment card details; invoicing and collection run on the separate Drive Top-Line booking platform.
- SEO audit results: the URLs you submit, the on-page signals we extract from those URLs, computed scores, fix suggestions, and the keyword candidates we generate.
- Connected Google Analytics 4 data (only if you connect a GA4 property): sessions, bounce rate, average engagement time, and your top page paths for the property you authorize. Read-only.
- Connected Google Search Console data (only if you connect a property): clicks, impressions, average position, and your top search queries for the site you authorize. Read-only.
- Connected Google Business Profile data (only if you connect a profile): calls, direction requests, website clicks, map and search views, and customer reviews for the location you authorize. We read this data only; we do not post, edit, or change your listing.
- Usage telemetry: IP address, user-agent string, and timestamps of audit runs. Used strictly for abuse prevention and rate-limiting.
- Lead-capture telemetry: when you submit a domain on our landing page we collect a per-browser visitor cookie (dtl_visitor), a hashed IP, your device type, and the UTM attribution of how you arrived. This is used only for our own marketing analytics and is never sold or shared. The raw IP is never persisted. We store an HMAC-SHA256 hash of it. If you later sign up under the same browser, this anonymous activity gets linked to your account so we can credit the marketing campaign that brought you in.
3. What we don’t collect
- Payment card details. This service does not take payments at all; we never see or store card data.
- Email message contents. We send transactional and digest emails through Resend; we don’t scan or store your inbox.
- User-level data from connected Google accounts. Across Analytics, Search Console, and Business Profile we only request read-only, aggregated metrics. We do not pull individual user identifiers, client IDs, or event-level streams, and we never write to or modify any connected account.
- Gmail, Calendar, Drive, or Contacts. We never request access to these. Our Google permissions are limited to Analytics, Search Console, and Business Profile.
- Special-category personal data as defined by GDPR Art. 9. Don’t submit it. The service has no use for it.
4. How we use it
- To provide and improve the SEO audit and keyword-tracking service.
- To send transactional emails such as account confirmation, “audit ready” notifications, the weekly digest, and billing receipts.
- To enforce abuse-prevention rate limits and detect fraud.
- To respond when you contact support.
- To meet our legal obligations (tax records, lawful requests).
We do not use your data to train machine-learning models, and we do not sell it to advertisers.
5. Subprocessors
We share the minimum data needed with the vendors below so they can do their job. Each is contractually bound to protect your data.
- Google Firebase Authentication (US): user authentication and password storage.
- Google Cloud Platform (US, us-central1): hosting, database (Cloud SQL PostgreSQL), and secrets management.
- Google PageSpeed Insights: we send the URLs you submit so Google can return performance scores.
- Resend (US): transactional email delivery.
- OpenAI (US): we send your domain and page metadata for keyword research. We do not send full page content or user-identifying information.
A current subprocessor list is maintained at this URL; we’ll update it before adding a new vendor that processes personal data.
6. How we share data
We do not sell your personal data. We do not share it with marketers or data brokers. We share data only with the subprocessors above, or when required by a valid legal process. If we’re ever acquired, personal data may transfer to the acquirer, who will be bound by this policy until they publish their own.
7. How long we keep it
- Audit reports and tracked keywords: kept until you delete your account.
- GA4 daily metrics: 90 days rolling.
- Server and access logs: 30 days.
- Billing records: retained as long as US tax law requires (currently 7 years).
When you delete your account, we purge audit data, tracked keywords, and stored GA4 tokens within 30 days. Backups roll off within a further 90 days.
8. Your rights
You can, at any time:
- Access the data we hold about you.
- Correct anything that’s wrong.
- Export your data in a portable format.
- Delete your account and the personal data tied to it.
- Opt out of marketing email (transactional email is not optional while you have a paid subscription).
- Revoke our access to your Google data (Analytics, Search Console, Business Profile) from your Google Account permissions at any time.
Email privacy@drivetopline.com and we’ll respond within 30 days.
9. GDPR and CCPA
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the rights above under the GDPR plus the right to lodge a complaint with your national data-protection authority. Our lawful basis is “performance of a contract” for paid customers, and “legitimate interest” for abuse prevention and security telemetry.
If you are a California resident, you have the rights above under the CCPA/CPRA, plus the right to know what we’ve collected in the last twelve months and the right to non-discrimination for exercising any of them. We do not sell personal information as defined by the CCPA.
B2B customers in the EU who need a Data Processing Addendum (DPA) can request one at privacy@drivetopline.com.
10. Children
Drive Top-Line is built for limo and black-car operators. It is not directed at children under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up, contact us and we’ll delete the account.
11. International data transfers
Our infrastructure runs in Google Cloud’s us-central1 region. If you access the service from outside the United States, your data will be transferred to and processed in the US. For EU/UK customers, we rely on the EU–US Data Privacy Framework and Standard Contractual Clauses where applicable.
12. Security
- All data at rest is encrypted with Google Cloud’s default AES-256 envelope encryption.
- All data in transit uses TLS 1.2+.
- Google OAuth refresh tokens (Analytics, Search Console, Business Profile) are additionally encrypted with AES-256-GCM using a key held in Google Secret Manager.
- Passwords are stored as salted hashes by our auth provider, Google Firebase Authentication. We never see your plaintext password.
- We grant the minimum access needed inside the team and review access quarterly.
No system is unbreakable. If we discover a breach that affects you, we’ll notify you within the windows required by GDPR and applicable US state law.
13. Changes to this policy
We’ll post material changes here and email registered customers at least 14 days before they take effect. Continued use of the service after the effective date means you accept the updated policy.
14. Google API Services User Data Policy (Limited Use)
Drive Top-Line’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
- We request read-only access to Google Analytics (analytics.readonly), Google Search Console (webmasters.readonly), and Google Business Profile (business.manage), plus your account email, for the sole purpose of displaying your own performance data inside your dashboard.
- We use Google user data only to provide and improve these user-facing features. We do not use it for advertising, and we do not sell or transfer it to third parties except as needed to provide or improve the features, to comply with applicable law, or as part of a merger or acquisition.
- We do not allow humans to read your Google data except: with your explicit consent (for example, troubleshooting a support request), where necessary for security purposes, or to comply with applicable law.
- You can revoke our access at any time from the Connections page in your dashboard or at myaccount.google.com/permissions. We delete stored Google tokens within 30 days of disconnection.
15. Contact
Privacy questions: privacy@drivetopline.com
Legal notices: legal@drivetopline.com
Mailing address: Drive Top-Line, Austin, Texas, USA (full address provided on request).