Privacy Policy

1. Controller identity and contact

1. Data controller: International Automobile Authority LLC, a Florida limited liability company, operating the brand Drive Now Worldwide.
2. Registered address: 2125 Biscayne Boulevard, Ste 204 #20167, Miami, Florida 33137, USA.
3. Privacy contact: privacy@drivenowworldwide.com.
4. General contact: hello@drivenowworldwide.com.

1.1 EU / UK representative and Data Protection Officer — current posture

Drive Now Worldwide has assessed its obligations under GDPR Art. 27 (EU representative) and Art. 37 (Data Protection Officer). Given the current limited scale of processing, Drive Now Worldwide has concluded that neither a designated EU/UK representative nor a mandatory DPO is required at this time. Drive Now Worldwide will reassess and appoint these roles if the scale, scope, or nature of its processing changes materially. For any data-protection question, contact privacy@drivenowworldwide.com.

2. Categories of personal data we collect

1. Identity and contact data: full name, date of birth, sex, country of birth, country of residence, email address, phone number (WhatsApp preferred), shipping address.
2. Identity-verification data: photograph of your domestic driver's license (front and back); photograph of passport or government ID (where collected); passport-style selfie; electronic signature.
3. Order and transaction data: products purchased, format (digital only or print + digital), validity term, language, vehicle classes, payment method used (card data is processed by Stripe and never stored on our systems).
4. Technical and device data: IP address, device identifiers, browser type, operating system, referral URLs, cookie identifiers.
5. Communications data: email, live-chat, and support-ticket records (including transcripts of interactions with our AI support agent "Sam").

3. Sources of personal data

1. Directly from you at checkout and during order fulfillment (fields listed in § 2).
2. From your device and browser through cookies and similar technologies (see our Cookie Policy).
3. From payment processor Stripe (transaction-success indicators, fraud signals, chargeback notifications).
4. From shipping carriers (tracking events).

4. Purposes of processing and lawful bases (GDPR Art. 6)

5. Recipients and third-party processors

We share personal data with the following categories of recipients, each of which is subject to written data-processing commitments:

1. Stripe, Inc. — payment processing (PCI-DSS Level 1). Stripe Radar and OFAC screening operate at the payment layer.
2. Shipping carriers — FedEx (Express), local postal services (Standard), and, for certain routes, DHL and UPS.
3. Google LLC — Google Analytics (analytics), Google Ads (conversion measurement and advertising), Google Tag Manager (tag-container deployment).
4. Meta Platforms, Inc. — Meta Pixel (advertising and conversion measurement).
5. Microsoft Corporation — Microsoft Advertising / Bing Ads UET tag (advertising and conversion measurement).
6. Klaviyo, Inc. — transactional and marketing email platform (marketing only if you opt in).
7. Airtable, Inc. — back-office database used as our order-management and CRM system.
8. Intercom, Inc. — live-chat provider that powers our AI support agent "Sam." Interactions may be handled initially by Sam and escalated to a human reviewer.
9. Twilio, Inc. — transactional SMS delivery.
10. WhatsApp Business API via Meta Platforms, Inc. — transactional WhatsApp messaging.
11. Translation production — performed in-house by our trained expert reviewers; we do not use external translation subcontractors.
12. Legal, tax, and audit advisors — on a need-to-know basis.

We do not sell personal data for money. Our use of Meta Pixel, Google Ads, and Microsoft UET constitutes "sharing for cross-context behavioral advertising" under the California Consumer Privacy Act / California Privacy Rights Act (see the California section below). California residents can exercise the "Do Not Sell or Share My Personal Information" right described in § 10.

6. International transfers

Personal data is processed in the United States by IAA and by US-based service providers. When data is transferred from the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with data-export controls, we rely on:

1. EU–US Data Privacy Framework for recipients that are certified (Stripe, Google, Meta, Microsoft);
2. Standard Contractual Clauses issued by the European Commission (Commission Implementing Decision (EU) 2021/914) for recipients not certified to the DPF;
3. UK International Data Transfer Addendum for UK transfers;
4. Swiss–US Data Privacy Framework for Swiss data, where applicable.

A copy of the relevant transfer mechanism is available on request to privacy@drivenowworldwide.com.

7. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected and as required by law, in accordance with GDPR Art. 5(1)(e) and LGPD Arts. 15–16. The following schedule applies; it is justified by the Replacement Guarantee, the Rejection Guarantee, fraud prevention, and statutory tax record-keeping.

We note that the lifetime-of-validity retention for identity documents is longer than typical e-commerce retention. We have retained it because shorter retention would defeat the Replacement Guarantee and our fraud-prevention controls. Customers may request earlier deletion under § 10 subject to legal-hold exceptions.

8. Automated decision-making (GDPR Art. 22)

Drive Now Worldwide does not make solely-automated decisions that produce legal effects or similarly significantly affect you, except as follows:

1. Sanctions screening at the payment layer. Stripe Radar and OFAC screening may decline a payment based on automated rules. If a transaction is declined, you may contact hello@drivenowworldwide.com for a human review.
2. Automated biometric processing described in § 11 is used to assist human reviewers — the final decision on identity verification and order fulfillment is always made by a human reviewer.
3. Analytics and advertising pixels described in § 5 involve profiling for statistical measurement and targeted advertising; these do not produce legal or similarly significant effects and operate subject to your cookie choices.

You may object to or request human review of any automated decision by contacting privacy@drivenowworldwide.com.

9. Security measures

We implement technical and organizational measures appropriate to the risk, including encryption in transit (TLS) and at rest, access controls, vendor assessments, incident-response procedures, Stripe's PCI-DSS tokenization for card data, and Airtable access logging. Card data is tokenized by Stripe under PCI DSS and never stored by Drive Now Worldwide. Sub-processors are reviewed for compliance with GDPR Art. 32 and LGPD Art. 46 equivalent controls. No method of transmission or storage is perfectly secure; we commit to notify affected individuals and regulators as required by applicable law in the event of a personal-data breach.

10. Your rights

You have the rights listed below, subject to local law. To exercise any right, contact privacy@drivenowworldwide.com. We do not charge for exercising rights and we will not discriminate against you for doing so.

Regardless of where you live, you can ask us what data we hold about you, ask us to correct it, or ask us to delete it. Email privacy@drivenowworldwide.com from the address you used at checkout. We will acknowledge within one business day and complete the request within 30 days, unless a law requires us to keep specific records for longer.

10.1 European Economic Area and United Kingdom (GDPR / UK-GDPR)

1. Access (Art. 15).
2. Rectification (Art. 16).
3. Erasure (Art. 17) — subject to legal-hold exceptions.
4. Restriction (Art. 18).
5. Portability (Art. 20).
6. Objection, including to direct marketing, which you may object to at any time and free of charge (Art. 21).
7. Not to be subject to solely automated decision-making (Art. 22) — see § 8.
8. Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
9. Lodge a complaint with your supervisory authority, including the UK Information Commissioner's Office (ICO) and the competent EU Member-State authority.

10.2 California (CCPA / CPRA)

1. Right to know what personal information we collect, use, disclose, and share.
2. Right to delete personal information, subject to statutory exceptions.
3. Right to correct inaccurate personal information.
4. Right to opt out of sale or sharing of personal information — we honor this via a "Do Not Sell or Share My Personal Information" link available on our website and through Global Privacy Control signals sent by your browser.
5. Right to limit use of sensitive personal information — we honor this via our privacy contact.
6. Right to non-discrimination for exercising any right.
7. Categories of sources, business purposes, and third parties to whom personal information is disclosed or shared are listed in §§ 3, 4, and 5. We use the following categories of personal information for cross-context behavioral advertising: identifiers, internet / network activity, and commercial information — shared with Google LLC, Meta Platforms, Inc., and Microsoft Corporation.

10.3 Brazil (LGPD)

1. Confirmation of processing and access (Art. 18(I)–(II)).
2. Correction, anonymization, blocking, or deletion (Art. 18(III)–(IV)).
3. Portability (Art. 18(V)).
4. Information about sharing (Art. 18(VII)).
5. Revocation of consent (Art. 18(IX)).
6. Our Data Protection Officer / "Encarregado" contact: privacy@drivenowworldwide.com.
7. You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

10.4 Canada (PIPEDA + Quebec Law 25)

1. Access to your personal information and the right to challenge its accuracy (PIPEDA Principles 9 and 10).
2. Quebec residents: portability and automated-decision disclosure rights under Law 25.
3. Complaint path: Office of the Privacy Commissioner of Canada; Commission d'accès à l'information (Quebec).
4. Communications available in English or French on request.

10.5 Australia (Privacy Act 1988)

1. Access and correction rights under APP 12 and APP 13.
2. Complaint path: Office of the Australian Information Commissioner (OAIC).
3. Cross-border-disclosure countries are listed in § 6.

10.6 United Arab Emirates (PDPL)

1. Access, rectification, erasure, objection, portability, and objection to automated decisions under Arts. 13–17 of Federal Decree-Law No. 45 of 2021.
2. Complaint path: UAE Data Office.

10.7 Kingdom of Saudi Arabia (PDPL)

1. Right to be informed, access, correct, destroy, and limit processing under Art. 4.
2. Complaint path: Saudi Data and Artificial Intelligence Authority (SDAIA).

11. Sensitive and special-category data — automated biometric processing

Automated biometric processing is used to assist human reviewers for fraud prevention and identity verification. Our trained expert reviewers check uploaded documents with the assistance of AI tools to detect fraud and verify identity. The final decision on identity verification is always made by a human reviewer. Full details, including your Illinois BIPA written release, Texas CUBI notice, Washington MHMDA notice, and GDPR Art. 9(2)(a) explicit-consent mechanism, are set out in the Biometric Data section of this Privacy Policy (§ 18). We have conducted a Data Protection Impact Assessment under GDPR Art. 35.

We do not: run liveness detection; enroll your face in a facial-recognition database; compare your face against external watchlists; share your biometric data with advertising partners.

12. Children

Our service is intended for individuals 18 years of age or older. We do not knowingly collect personal data from minors. If we learn we have collected data from a person under 18, we will delete it. Contact privacy@drivenowworldwide.com to report such cases.

13. Cookies and similar technologies

Our use of cookies, pixels, SDKs, and similar technologies is described in our Cookie Policy. We use Google Analytics, Google Ads conversion tags, Google Tag Manager, Meta Pixel, and Microsoft Advertising / Bing Ads UET. We do not currently load TikTok, LinkedIn, Pinterest, or Snap tags.

Our Consent Management Platform (CMP) is Cookiebot, operated by Cybot A/S (Denmark). Cookiebot is being installed on our site. Until the Cookiebot script is live in production, non-essential cookies (analytics and marketing) are not loaded for visitors from the European Union, United Kingdom, and Brazil; essential cookies are always loaded. Once Cookiebot is live, visitors from those regions will see a consent banner and may accept, reject, or customize non-essential cookies.

14. Electronic communications

Transactional emails are sent as part of order fulfillment. Transactional SMS and WhatsApp messages are sent via Twilio and the WhatsApp Business API (via Meta). Marketing emails are sent only after you opt in. We do not send marketing SMS or WhatsApp at this time; if that ever changes, we will update this Policy and obtain appropriate prior express written consent. Full details on SMS and WhatsApp messaging — including opt-out mechanisms, legal frameworks, and platform disclosures — are set out in the Electronic Communications section of this Privacy Policy (§ 19).

15. Affiliate program

We operate an affiliate program with a 20 percent commission per sale. Affiliates are required to disclose material connections consistent with the FTC Endorsement Guides (16 CFR Part 255). See our Affiliate Program Terms. Affiliate-tracking cookies collect commercial and identifier data to attribute sales.

16. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through our website and, where required, by email. The last-updated date at the top of this Policy reflects the current version.

17. Complaint routes and contact

For any question, request, or complaint, contact privacy@drivenowworldwide.com. You also have the right to lodge a complaint with your local data-protection authority.

18. Biometric data

Drive Now Worldwide ("DNW"), operated by International Automobile Authority LLC, uses automated biometric processing to assist human reviewers in verifying identity and preventing fraud. This section satisfies the Illinois BIPA "publicly available written policy" requirement (740 ILCS 14/) and provides notice under other applicable state and international laws.

18.1 What we process and why

1. What we process. Photographs of your domestic driver's license (front and back) and a passport-style selfie that you upload at checkout. Automated tools derive image features that assist human reviewers in detecting fraud and confirming that the selfie matches the DL image.
2. Why we process. Identity verification and fraud prevention for the fulfillment of your DNW-DLT order.
3. How it works. Our trained expert reviewers check uploaded documents with the assistance of AI tools to detect fraud and verify identity. The final decision on identity verification and order fulfillment is always made by a human reviewer.

18.2 What we do NOT do

1. We do not perform a liveness check (we do not require you to move, blink, or record video).
2. We do not enroll your face in a facial-recognition database, build a persistent face-identity profile, or compare your face against external watchlists.
3. We do not share your biometric data with advertisers or marketing partners.
4. We do not name a vendor publicly at this time; our fraud-prevention controls are administered internally, and biometric images are held within the same secured environment as the rest of your application data.

18.3 Retention

1. Biometric-related images (DL photos, selfie) are retained for the lifetime of DNW-DLT validity + six (6) months, as documented in § 7 of this Policy. This duration is justified by the Replacement Guarantee, the Rejection Guarantee, and fraud prevention.
2. Electronic-signature records are retained for the lifetime of DNW-DLT validity plus seven (7) years for audit.
3. You may request earlier deletion under the rights in § 10, subject to our legal obligations and legitimate interests in defending claims and preventing fraud.

18.4 Consent and notice by jurisdiction

18.4.1 Illinois — BIPA (740 ILCS 14/)

1. Purpose of collection and storage. We capture, store, and use your selfie and DL images to verify your identity and to prevent fraud.
2. Length of time kept. See § 18.3 above.
3. Written release. We obtain your electronic written release at checkout via an unchecked-by-default, specific checkbox. Your electronic signature constitutes a written release under the 2024 amendments to BIPA (Illinois SB 2979).

18.4.2 Texas — CUBI (Tex. Bus. & Com. Code § 503.001)

We provide you with informed notice of our biometric processing before collection and obtain your consent at checkout.

18.4.3 Washington — biometric statute (RCW 19.375) and My Health My Data Act (RCW 19.373)

We provide notice and obtain consent before any "enrollment" in a biometric system (we do not enroll, but we treat identifier-template derivation conservatively). For Washington residents, a separate consent line is displayed at checkout in addition to the general consent.

18.4.4 European Union / EEA and United Kingdom — GDPR Art. 9(2)(a)

Biometric data used to uniquely identify a person is "special category" data under GDPR Art. 9 and UK-GDPR Art. 9. We process this category on the basis of your explicit consent, captured at checkout through a specific, informed, and unambiguous consent mechanism. You may withdraw consent at any time; see § 10.

18.4.5 Other US states and jurisdictions

Where applicable, we provide notice and honor rights under state privacy laws (California CCPA / CPRA, Colorado, Virginia, Connecticut, Utah, Texas, Oregon, and others). Notice of sensitive-information processing and the California "Limit Use of Sensitive Personal Information" right are available through § 10.2.

18.5 Your rights

You may at any time:

1. Withdraw consent for biometric processing;
2. Request access to the biometric-related data held about you;
3. Request correction of inaccurate data;
4. Request deletion, subject to legal-hold exceptions;
5. Request information about any disclosures.

To exercise any right, contact privacy@drivenowworldwide.com. If you withdraw consent before your order is produced, we may be unable to fulfill the order; in that case, we will refund your purchase.

18.6 Data Protection Impact Assessment

We have performed a Data Protection Impact Assessment under GDPR Art. 35 for this processing.

18.7 EU representative and DPO posture

Drive Now Worldwide has assessed its obligations under GDPR Art. 27 (EU representative) and Art. 37 (Data Protection Officer). As stated in § 1.1, given the current limited scale of processing, neither a designated EU/UK representative nor a mandatory DPO is required at this time. Drive Now Worldwide will reassess and appoint these roles if the scale, scope, or nature of its processing changes materially. For any data-protection question, contact privacy@drivenowworldwide.com.

18.8 Disclosures to third parties

1. Biometric-related images are not shared with advertising partners.
2. We may share images with Stripe or law-enforcement authorities only when strictly necessary for fraud investigation or when required by law.
3. Our processors (for example, Airtable as a storage layer) operate under written data-processing terms.

18.9 Security

Technical and organizational safeguards are described in § 9. Biometric-related images are stored with encryption in transit (TLS) and at rest, and access is restricted on a need-to-know basis.

19. Electronic communications

This section explains the SMS and WhatsApp messages that Drive Now Worldwide sends to customers in connection with their orders, how you can opt out, and the legal frameworks that apply.

19.1 Scope — transactional only

1. At launch, Drive Now Worldwide sends transactional SMS and WhatsApp messages only. We do not send marketing or promotional SMS or WhatsApp messages at this time.
2. Transactional messages are messages necessary to fulfill and support your order, including order confirmation, production-status updates, shipping dispatch and tracking updates, identity-verification prompts, and critical service notices.
3. If we ever decide to introduce marketing SMS or WhatsApp messages, we will first obtain a separate, clear, unchecked-by-default, prior-express-written-consent opt-in, update this section, and update this Policy.

19.2 Platforms

1. SMS delivery: Twilio, Inc.
2. WhatsApp delivery: WhatsApp Business API, operated through Meta Platforms, Inc.

Our use of these providers is described in § 5.

19.3 Consent mechanism

1. When you enter your phone number at checkout, you provide the information necessary for us to send transactional messages related to your order. Providing your phone number constitutes implicit consent to transactional communications to that number, including via WhatsApp where "WhatsApp preferred" is noted.
2. No separate marketing opt-in is collected at this time because no marketing messages are sent.

19.4 Frequency and charges

1. Message frequency depends on your order lifecycle and typically includes a small number of messages per order.
2. Standard message and data rates may apply depending on your mobile plan. Drive Now Worldwide does not charge for sending SMS or WhatsApp messages.

19.5 How to opt out

1. SMS: reply STOP to any SMS message to stop further messages. Reply HELP for help.
2. WhatsApp: reply STOP to any WhatsApp message, or block our sender number.
3. Alternative channels: email hello@drivenowworldwide.com from the address associated with your order with the word "UNSUBSCRIBE" and your phone number.
4. We honor opt-outs through any reasonable method, consistent with the FCC 2024 Opt-Out Rule (effective April 11, 2025). Opt-outs are honored within 10 business days.

Caveat. If you opt out of transactional messages, we may be unable to send you important order-fulfillment updates. We will still attempt to contact you by email.

19.6 Legal frameworks

19.6.1 United States — TCPA

The Telephone Consumer Protection Act, 47 U.S.C. § 227, and FCC rules at 47 CFR 64.1200 govern automated calls and texts. Transactional messages sent for order fulfillment generally do not require prior express written consent, but we honor opt-outs under the FCC 2024 Opt-Out Rule. No marketing SMS is sent; if we ever enable marketing SMS, TCPA requirements will apply and a separate, unchecked-by-default opt-in checkbox will be added before any marketing message is sent.

19.6.2 Canada — CASL

Canada's Anti-Spam Legislation, S.C. 2010, c. 23, applies to commercial electronic messages. Transactional messages for ordered goods or services fall within CASL's transactional-exemption framework. No marketing SMS or WhatsApp is sent to Canadian residents.

19.6.3 European Union / EEA — GDPR + ePrivacy

Under GDPR Art. 13 and the ePrivacy Directive Art. 13, we provide this notice so you know what messages we send and why. Transactional messages are sent on the basis of contract performance (GDPR Art. 6(1)(b)). No marketing SMS or WhatsApp is sent to EU / EEA residents.

19.6.4 United Kingdom — PECR

UK PECR Reg. 22 applies the same opt-in / soft-opt-in framework. No marketing SMS or WhatsApp is sent to UK residents.

19.6.5 Brazil — LGPD + CDC

No marketing SMS or WhatsApp is sent to Brazilian residents. If we ever enable marketing, specific opt-in consent will be collected under LGPD Art. 8.

19.6.6 Other jurisdictions

We comply with applicable electronic-communications rules in each customer's jurisdiction, including the Australian Spam Act 2003, UAE PDPL, and KSA PDPL. No marketing SMS or WhatsApp is sent.

19.7 WhatsApp-specific notes

1. WhatsApp Business API distinguishes between template messages (pre-approved, transactional) and session messages (free-form within a customer-initiated window).
2. All outbound transactional messages from Drive Now Worldwide use approved templates aligned with WhatsApp Business policy.

19.8 Security and privacy

1. Your phone number and message history are processed by Twilio (SMS) and WhatsApp / Meta (WhatsApp) as described in § 5. International transfers are handled under the mechanisms in § 6.
2. We retain message logs as part of our support-ticket retention (three (3) years from last contact) under § 7.

19.9 Contact

• Support and opt-out assistance: hello@drivenowworldwide.com
• Privacy questions: privacy@drivenowworldwide.com

20. Governing law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Florida, United States, without regard to its conflict-of-laws rules. This governing-law choice does not deprive you of any mandatory consumer protection afforded by the law of your country of residence.