Data & Compliance
Effective date: 25 June 2026 ยท Last reviewed: 2 July 2026
This document describes PulaDrive's data processing architecture, the third-party infrastructure providers we rely on, our internal compliance practices, and the obligations of dealerships using our platform. It supplements our Privacy Policy.
1. Data Processing Principles
PulaDrive processes personal data in accordance with the Botswana Data Protection Act, 2018 and adopts internationally recognised principles aligned with GDPR best practices:
Lawfulness & Transparency
We collect data only with a valid legal basis and tell you clearly what we collect and why.
Purpose Limitation
Data collected for one purpose (e.g. personalisation) is not used for unrelated purposes (e.g. advertising).
Data Minimisation
We collect only what is necessary for the stated purpose โ no more.
Accuracy
We take reasonable steps to keep your data accurate and up to date.
Storage Limitation
Data is retained only as long as necessary and deleted promptly thereafter.
Integrity & Confidentiality
We implement appropriate technical and organisational security measures to protect data.
2. Infrastructure & Sub-Processors
PulaDrive relies on the following trusted, industry-standard sub-processors. Each has been evaluated for security and compliance:
Convex
Database & Real-time Backend
All application data โ vehicle listings, user profiles, telemetry events, search history โ is stored on Convex. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Convex operates under SOC 2 Type II controls.
Clerk
Authentication & Identity
User sign-in, session management, and organization management is handled by Clerk. Clerk stores credentials securely and does not share them with PulaDrive. Clerk is SOC 2 Type II certified and GDPR compliant.
Vercel
Web Hosting & Edge Network
PulaDrive's web application is hosted on Vercel's global edge network. Vercel does not process personal user data beyond standard HTTP request logs needed for operation.
Upstash
Redis Caching Layer
Upstash Redis is used to cache anonymised search query results (e.g. price ranges, vehicle categories) for up to 5 minutes, reducing latency for users. No personally identifiable information โ including names, emails, or account data โ is stored in Redis. All cached keys are automatically expired via Redis TTL mechanisms. Data is encrypted at rest and in transit (TLS 1.2+). Upstash is SOC 2 Type II certified.
Resend
Transactional Email
Dealer notification and billing reminder emails are dispatched via Resend. Resend processes the recipient email address and message content only. No user browsing data is shared with Resend.
3. Telemetry & Analytics Transparency
PulaDrive uses a first-party telemetry system (built on Convex) to track user behaviour. Here is exactly what we track and why:
| Event | Data Logged | Purpose |
|---|---|---|
| page_view | Session ID, page route, timestamp | Platform analytics |
| vehicle_view | Vehicle ID, session ID, timestamp | For You feed personalisation; dealer view counts |
| wishlist_add / remove | Vehicle ID, session ID | Wishlist feature; personalisation weight |
| search_query | Query text, category, price (no PII) | Search ranking improvements |
| ai_search | Filter parameters (budget, specs) | AI Deal Finder personalisation |
| contact_click | Vehicle ID, dealer ID | Dealer analytics dashboard |
* No third-party tracking scripts (Google Analytics, Meta Pixel, etc.) are loaded on PulaDrive. All telemetry is first-party only.
4. Dealer Data Obligations
Dealers who use PulaDrive to list vehicles take on specific data responsibilities:
- 1
Dealers must not upload or display personal data of third parties (e.g. previous owner names, ID numbers) in listings or images.
- 2
Dealers are solely responsible for obtaining consent from any individuals depicted in uploaded photos.
- 3
WhatsApp numbers submitted to PulaDrive are displayed to prospective buyers โ dealers must ensure these numbers are correct and that the number's owner consents to receiving vehicle enquiries.
- 4
Dealers may access anonymised analytics about their own listings only. Individual buyer identities are never disclosed to dealers.
- 5
Dealers must not attempt to use PulaDrive infrastructure to collect or aggregate buyer data for external marketing.
5. Security Measures
Encryption at Rest
All database records on Convex are encrypted using AES-256. Redis cache entries on Upstash are encrypted at rest. No plaintext personal data is persisted to any unencrypted storage.
Encryption in Transit
All data transmitted between your browser and our servers uses TLS 1.2 or higher. This applies to Convex, Upstash Redis, Clerk, and Vercel endpoints.
Authentication Security
Clerk enforces rate limiting, brute-force protection, and secure session management. Multi-factor authentication is available for all user accounts.
Access Controls
Dealer dashboards are protected by Clerk organization membership. Admin access requires explicit whitelisting via environment-variable-controlled lists. All sensitive mutations are guarded server-side.
Rate Limiting
All public-facing mutations (search saves, vehicle reports, uploads, featured applications, telemetry) are protected by sliding-window rate limits enforced at the server layer. This prevents abuse and protects service availability.
Input Validation & Sanitisation
All API parameters are validated server-side. Enum fields (fuel type, category, colour, transmission) are whitelisted. Free-text inputs (make/model search) are sanitised to strip non-printable characters and capped at 100 characters. Cache key injection is prevented by capping key length at 512 characters.
Webhook & API Security
Internal HTTP endpoints (telemetry export, analytics import) are protected using constant-time HMAC secret comparison to prevent timing oracle attacks. Payload sizes are capped at 1MB to prevent denial-of-service.
HTTP Security Headers
All responses include X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security (production), Referrer-Policy: no-referrer, Permissions-Policy, Content-Security-Policy, Cross-Origin-Resource-Policy, and X-Permitted-Cross-Domain-Policies headers.
Cache Data Isolation
Upstash Redis only ever stores anonymised, non-personal search filter parameters with automatic 5-minute TTL expiration. User identity data is never written to the cache layer.
Incident Response
In the event of a data breach, we will notify affected users within 72 hours of discovery, as required by applicable law.
No Password Storage
PulaDrive never stores passwords. Authentication is delegated entirely to Clerk.
6. Data Requests & DPO Contact
PulaDrive has designated a Data Protection Officer (DPO) as required under the Botswana Data Protection Act. All data subject requests, compliance enquiries, and breach notifications should be directed to:
PulaDrive Data Protection Officer
Email: [email protected]
General support: [email protected]
Response time: within 30 calendar days of receipt. For urgent security matters, mark your email subject line with [URGENT].
Related Legal Documents
Review our other policies for the full picture.