DriveBoss Privacy Policy

DriveBoss LLC · Effective Date: April 21, 2026 · Last Updated: April 21, 2026

DriveBoss LLC ("DriveBoss," "we," "us," or "our") provides a software-as-a-service platform for non-emergency medical transportation operations. This Privacy Policy explains how we collect, use, disclose, retain, and protect information through our websites, applications, platform, communications, and related services.

1. Who We Are

DriveBoss LLC is a Delaware limited liability company with its registered corporate address at 254 Chapman Road, Suite 208 #703, Newark, Delaware 19702, United States. Contact: [email protected].

2. Information We Collect

We collect information from customers, users, brokers, facilities, drivers, patients or riders, payment processors, communications providers, integrations, and automated platform activity. Depending on how the Services are used, this may include:

• Account and business information: names, emails, phone numbers, job titles, company details, login credentials, user roles, and support contacts.
• NEMT operational data: trip requests, trip IDs, pickup and drop-off locations, appointment times, facility details, driver and vehicle assignments, routing, dispatch status, broker statuses, eligibility, service notes, and billing/reconciliation data.
• Patient or rider information: name, contact information, trip details, appointment-related transportation information, SMS/IVR interaction data, call metadata, and other information needed to coordinate transportation or related services.
• Driver and GPS information: driver identity, vehicle information, location data, route data, timestamps, status changes, and device or app telemetry.
• Broker and integration data: information received from or sent to ModivCare, MTM, Alivi, Access2Care, facilities, payers, transportation providers, and other authorized integrations.
• Communications data: SMS content, delivery status, opt-out signals, IVR prompts, call metadata, recordings or transcripts if enabled, emails, and support communications.
• Billing and payment data: subscription status, invoices, transaction metadata, payment method type, billing contact, and payment processor identifiers. We use Stripe for payment processing and do not intentionally store full card numbers in DriveBoss systems.
• Website and device data: IP address, browser, operating system, device identifiers, pages viewed, referrers, usage events, cookies, and analytics data.

3. PHI and HIPAA

Some information processed through the Services may be Protected Health Information ("PHI"). When DriveBoss creates, receives, maintains, or transmits PHI for or on behalf of a covered entity or business associate, DriveBoss acts as a Business Associate or subcontractor Business Associate as applicable, and the PHI is governed by the applicable Business Associate Agreement.

DriveBoss is not usually the healthcare provider, health plan, broker, or transportation provider that determines patient rights or treatment. Patients who want to access, amend, or restrict PHI should contact the healthcare provider, broker, transportation provider, facility, or other entity that arranged the transportation, unless DriveBoss has expressly been authorized to respond directly.

4. How We Use Information

We use information to:

• provide, operate, secure, maintain, and support the Services;
• ingest and process broker feeds and integrations;
• dispatch, route, schedule, track, and reconcile trips;
• send authorized patient SMS, IVR, and operational communications;
• support billing, payment, invoicing, disputes, and account administration;
• provide customer support and training;
• monitor security, prevent fraud, enforce agreements, and audit usage;
• improve reliability, features, and workflows;
• create aggregated or de-identified analytics where permitted by applicable law and the BAA;
• comply with legal, contractual, broker, payer, tax, accounting, audit, and regulatory obligations.

5. Cookies and Analytics

Our website and Services may use cookies and similar technologies for essential functionality, security, preferences, analytics, and performance. We currently use Google Analytics, including Google tag ID G-Y6PCCR476V, to understand website usage and improve the website. Google may process analytics information according to its own privacy terms. Users can manage cookies through browser settings and, where applicable, through consent or opt-out tools we provide.

6. How We Share Information

We may share information with:

• customers and authorized users within the applicable account;
• brokers, payers, facilities, transportation providers, drivers, and other parties involved in authorized NEMT operations;
• hosting, infrastructure, security, support, communications, SMS, IVR, email, analytics, and payment vendors;
• Stripe or another payment processor for subscription billing and transaction processing;
• Google Analytics for website analytics;
• AWS and other approved infrastructure providers;
• professional advisors, auditors, insurers, and legal counsel;
• regulators, law enforcement, courts, or government authorities when required by law or necessary to protect rights, safety, or security;
• successors in a merger, acquisition, financing, or sale of assets, subject to appropriate protections.

We do not sell PHI. We do not use PHI for advertising. We do not sell or share personal information for money or for cross-context behavioral advertising. We do not operate advertising pixels, retargeting tags, or ad-network integrations on our websites or within the Services.

7. Payment Processing

DriveBoss may process payments through Stripe or another payment processor. Our payment processor may collect payment card information, billing details, fraud-prevention signals, and transaction data directly through processor-hosted or processor-enabled payment flows. DriveBoss receives limited payment metadata needed to manage subscriptions, invoices, account status, receipts, disputes, and support. Card data is handled by the payment processor under its own terms and privacy policy; DriveBoss does not intentionally store full card numbers in its own systems.

8. Data Retention

We retain information only for as long as reasonably necessary to provide the Services, comply with our agreements, support customers, meet legal and regulatory obligations, resolve disputes, maintain security, and enforce agreements. Indicative retention practices:

• Account and billing records: retained during the life of the account and for up to seven (7) years after termination for tax, audit, and dispute purposes.
• Trip and billing records (including PHI): retained according to Customer instructions, broker and payer requirements, HIPAA-related obligations, and applicable transportation, healthcare, billing, audit, and legal requirements (generally at least six (6) years for HIPAA-regulated records).
• GPS and driver-location data: retained only for operational, support, compliance, audit, security, broker, payer, and legal windows configured for the applicable workflow, and then purged, reduced, aggregated, or archived only as required for legitimate business, legal, broker, payer, audit, or security needs.
• Patient SMS and IVR communications: retained only for the operational, support, compliance, audit, security, broker, payer, and legal windows configured for the applicable workflow and communications vendor. DriveBoss does not use patient SMS or IVR content for advertising or unrelated marketing.
• Dispatcher-to-broker and in-platform messaging: not retained as long-term archives; operational messages may be kept only briefly for dispatch continuity and then purged.
• Support and security logs: retained for up to one (1) year, or longer if required for security, audit, legal, or broker reasons.
• Website analytics: retained according to Google Analytics default settings (currently 14 months) or our configured retention setting.

Upon termination, Customer may download active-account reports and PDF/CSV exports from within the DriveBoss interface before access is suspended. DriveBoss does not provide bulk digital data extracts after termination.

9. Security

We use administrative, technical, and physical safeguards designed to protect information, including access controls, encryption in transit, encryption at rest where supported by the architecture, logging, monitoring, backup controls, workforce access restrictions, and vendor controls. No system is perfectly secure. Customers are responsible for managing their users, credentials, devices, broker access, and account permissions.

10. Your Privacy Rights

Depending on your location and relationship to DriveBoss, you may have rights to request access, deletion, correction, portability, restriction, objection, opt-out of sale/share, limitation of sensitive personal information use, or non-discrimination for exercising privacy rights. To make a request, contact [email protected].

If your request involves PHI controlled by a healthcare provider, broker, facility, or transportation provider, we may direct you to that entity or process the request under its instructions.

California residents may have rights under the CCPA/CPRA, including rights to know, access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against. We will verify and respond to requests as required by applicable law.

EU/EEA/UK residents, where applicable, may have rights under GDPR or UK GDPR, including access, rectification, erasure, restriction, objection, portability, withdrawal of consent where processing is based on consent, and the right to complain to a supervisory authority. DriveBoss is based in the United States and does not intentionally target its website or Services to EU/EEA/UK consumers. If DriveBoss processes EU/EEA/UK personal data through a customer, broker, facility, or transportation workflow, DriveBoss will process that data under the applicable customer agreement, BAA or data-processing terms, and legally required transfer mechanism.

11. Children's Information

The Services are business services and are not directed to children. We do not knowingly collect children's personal information through the website for marketing purposes. Patient or rider information relating to minors may be processed only as needed for authorized NEMT operations and subject to the applicable customer, broker, healthcare, and legal requirements.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be posted with a new "Last Updated" date and, where appropriate, additional notice.

13. Contact

Privacy requests and questions: [email protected]
Mailing address: DriveBoss LLC, 254 Chapman Road, Suite 208 #703, Newark, Delaware 19702, United States
Support: [email protected]