Privacy Policy

Last updated: August 2025

1. Introduction

Drava is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our mobile virtual card application and related services.

2. Biometric Data Protection

Key Privacy Principle

Drava never collects, stores, or processes biometric templates on our servers.

Our biometric privacy approach:

  • Device-bound credentials: All biometric authentication occurs locally on your device
  • No biometric templates: We never receive Face ID, Touch ID, or fingerprint data
  • Cryptographic assertions only: We only receive signed authentication proofs
  • Cannot reconstruct biometrics: Our data cannot be used to recreate biometric information

3. Data Categories We Collect

Account Information

  • Name, email address, and phone number
  • Identity verification documents (driver's license, passport)
  • Banking information for account funding
  • Device identifiers and app preferences

Transaction Data

  • Virtual card transaction history and amounts
  • Merchant information and transaction locations
  • Biometric authentication results (approval/denial only)
  • Spending patterns for fraud detection

App Usage Analytics

  • App usage patterns and feature interactions
  • Device type, operating system, and app version
  • Performance metrics and crash reports
  • Push notification engagement

4. How We Use Your Data

  • Provide virtual card services and transaction processing
  • Send real-time transaction approval notifications
  • Verify your identity and prevent fraudulent activity
  • Improve app performance, features, and user experience
  • Provide customer support and resolve account issues
  • Comply with financial regulations and legal obligations
  • Send important account and security updates

5. Data Retention

Transaction History

Retained for 7 years to comply with financial regulations

Account Information

Retained while your account is active plus 7 years after closure

App Analytics

Aggregated and anonymized data retained for up to 2 years

Identity Documents

Securely deleted 30 days after successful account verification

6. Data Sharing

We do not sell or rent your personal data. We may share data only in these circumstances:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • With service providers who assist in operations (under strict confidentiality)
  • In connection with a business transfer or acquisition

7. Security Measures

  • End-to-end encryption for all data transmission
  • Regular security audits and penetration testing
  • Access controls and employee security training
  • SOC 2 Type II compliance (in progress)

8. Your Rights

You have the right to:

  • Access and review your personal data
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data in a portable format
  • Opt out of non-essential communications

9. International Transfers

Our services are hosted in the United States. By using our services, you consent to the transfer of your data to the US, where it will be protected under this Privacy Policy and applicable US laws.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 30 days before taking effect.

11. Contact Us

For privacy-related questions or to exercise your rights, contact us at drava-support@gmail.com.