Privacy Notice
How Druma collects, uses, and protects personal data when you use the Druma TMS service.
Effective 10 July 2026 · Version 2026-07-10
This document is available in English only. The English version is the legally binding version.
Who we are
The Druma TMS service ("Druma", "we", "us") is operated by WESLEY DATA CONSULTING S.R.L., registered in Romania, Trade Register no. J29/511/2024, CUI 49645204, with registered office at 19 Mărgaritarilor Street, Bărcănești Village, Prahova County, 107055, Romania.
For any question about this notice or about how we handle your personal data, contact us at privacy@druma.io.
We are not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR — we do not carry out large-scale systematic monitoring as a core activity, and we do not process special-category data at scale. The contact above is the dedicated channel for data-protection queries and is monitored within five business days.
Data we process
Depending on your role, we process the following categories of personal data:
- Account data — full name, email, phone, language, role, profile photo (if you upload one), company name, VAT number, billing address.
- Operational data — orders, stops, pickup/delivery addresses, goods descriptions, references, internal notes.
- Driver personal data — name, phone, current GPS position while on shift (single-row overwrite, no location history stored), status taps (assigned, at pickup, in transit, etc.), tachograph status and driving-time data sourced from telematics providers, pre-trip checklist completions, delay reports, waiting time and reason, photos uploaded with documents, eCMR digital signatures.
- Client and carrier contact data — names, phones, emails of your customers' and subcontractors' contact persons.
- Communications — order messages between planners and drivers, attachments, optional chat with our AI assistant.
- Document content — uploaded CMRs, PODs, eCMR signatures, invoices, fuel receipts, identity documents (where required by compliance flows).
- Billing data — Stripe customer ID, subscription level, payment status, invoice amounts. We do not store card numbers; Stripe holds those.
- Technical and security data — IP address (for authentication and rate limiting), app version, device type, error context (limited to what is needed to diagnose issues).
- AI input data — content of documents you submit to Smart Import, content of messages translated by our auto-translate feature, context fed to the AI assistant. When the optional Ask Druma data assistant is enabled, this also includes the operational records (orders, fleet, finance, driver hours) and order notes returned by the questions a user asks — limited in each case to data that user's role already permits them to see.
Purposes and legal basis
We rely on the following legal bases under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)) — running your account, processing orders, generating invoices, eCMR creation, subscription billing through Stripe.
- Legal obligation (Art. 6(1)(c)) — submitting Romanian e-Transport (UIT) and e-Factura declarations, Peppol EU e-invoicing, retaining accounting records (10 years per Romanian Accounting Law 82/1991 Art. 25), cabotage compliance, EU driving-hours monitoring (Reg. 561/2006), tachograph data requirements (Reg. 165/2014).
- Legitimate interests (Art. 6(1)(f)) — preventing fraud and abuse, securing our infrastructure, maintaining audit logs, calculating ETAs and routing using GPS, improving our product based on aggregate usage patterns. We have run a balancing test for each of these and concluded that our interests are not overridden by your fundamental rights — but you can object at any time.
- Consent (Art. 6(1)(a)) — where required, for example optional cookies (none are currently set beyond strictly necessary). You can withdraw consent at any time.
For drivers employed by an operator using Druma: the operator (your employer) is the data controller. Druma processes your data as a processor on their behalf, under contract. Your employer is responsible for providing you the full Article 13 information notice; this notice describes only what Druma itself does with your data.
Sub-processors
We rely on the following sub-processors to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Cloudflare | CDN, hosting, DDoS protection | Global edge; EU termination preferred |
| Stripe | Subscription billing, payment processing | EU + US (SCCs) |
| Resend | Outbound transactional email | EU + US (SCCs) — will be replaced by an EU-only provider |
| Mailgun | Inbound email ingestion — order, invoice and payment emails sent to your Druma alias | EU + US (SCCs) |
| HERE Technologies | Routing, geocoding, ETA | EU |
| PTV Group | Primary routing and ETA engine — receives pickup/delivery coordinates | EU (Germany) |
| Google Cloud (Vertex AI) | Document AI extraction, AI assistant — Enterprise API, no model training | EU (europe-west1) |
| Google Cloud Translation | Driver↔planner message translation | Google Cloud infrastructure — no EU-residency guarantee for this API |
| Google LLC (Firebase Cloud Messaging) | Push notifications to driver devices — transient delivery only, no message content stored | EU infrastructure (SCCs) |
| Meta Platforms, Inc. (WhatsApp Business Cloud API) | Driver messaging over WhatsApp — only when a company enables WhatsApp driver channel | US (SCCs) — opt-in per company |
| Sentry, Inc. | Application error monitoring and crash reporting | EU (Sentry EU region) |
| e-invoice.be | Peppol Access Point for Belgian e-invoicing | EU (Belgium) |
| Timocom | Freight exchange search (lane-level only, no personal data forwarded) | EU (Germany) |
| Trans.eu | Market price API (OAuth token only) | EU |
| ANAF | Romanian e-Transport and e-Factura submissions (legal obligation) | EU (Romania) |
| Telematics/tacho provider (Webfleet, Geotab, Continental VDO, Frotcom, Webeye, or Scania rFMS) | GPS position and tachograph data — only the provider your company connects | Varies by provider (EU/US, SCCs where applicable) |
| Reefer telematics provider (Mapon, Orbcomm, or Thermo King TracKing) | Reefer temperature monitoring — only the provider your company connects | Varies by provider (EU/US, SCCs where applicable) |
We will give you 30 days' advance notice via email before we add a new sub-processor that materially changes how your data is handled. The current list is also reproduced in our DPA.
Optional Druma Copilot (bring your own AI): if a company administrator enables the opt-in, default-off Druma Copilot and connects their own OpenAI, Anthropic, or Google API key, the questions and operational data that user chooses to send are processed by that provider directly under the operator's own agreement with them — not under this Privacy Notice or our sub-processor list, and possibly outside the EU. See our AI Disclosure for detail.
International transfers
Wherever possible, your data stays inside the European Union. The following providers may receive data outside the EU:
- Stripe, Resend, Mailgun, Cloudflare, Google LLC (Firebase), Sentry — transfers covered by the European Commission's 2021 Standard Contractual Clauses (SCCs). Where applicable we also rely on the EU-US Data Privacy Framework adequacy decision.
- Google Cloud (Vertex AI) — configured for the
europe-west1region; data does not leave the EU during processing. Per Google's Vertex AI Enterprise terms, customer data is not used to train Google's foundation models. - Google Cloud Translation — runs on Google Cloud infrastructure; unlike Vertex AI, the Translation Basic API has no configured EU-residency guarantee, so translated message content may be processed outside the EU.
- Meta Platforms, Inc. (WhatsApp Business Cloud API) — only used for companies that opt in to the WhatsApp driver channel; message content and driver phone numbers may be processed in the US, covered by SCCs.
- Telematics and reefer telematics providers (Webfleet, Geotab, Continental VDO, Frotcom, Webeye, Scania, Mapon, Orbcomm, Thermo King) — location and vehicle-sensor data transfers depend on the specific provider your company connects; check that provider's own privacy terms for its data-residency commitments.
Retention periods
We keep personal data only as long as needed for the purposes above:
- Current GPS position — single-row overwrite per vehicle; no location history is stored in Druma beyond what is forwarded to mandatory government systems.
- Romanian e-Transport GPS log (ANAF forwarding buffer) — 30 days.
- Order messages after account deletion — 90 days, then purged.
- Audit log — 12 months, then purged automatically.
- Webhook event log (idempotency) — 30 days.
- Invoices and accounting records — 10 years from issue date, to comply with Romanian Accounting Law 82/1991 Art. 25 (annual accounts) and EU VAT Directive Art. 244.
- eCMR documents and eFTI consignment data — 7 years, covering the CMR Convention Art. 32 limitation period and eFTI authority-access requirements under Regulation (EU) 2020/1056.
- Account data — for the duration of your subscription. After deletion: a 90-day grace window during which the account can be restored, then full purge except for records subject to legal retention (invoices, audit log).
- Quotes — automatically expire on the validity date you set; archived data follows the same 5-year accounting retention.
Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15) — exercisable in-app via Settings → GDPR (data export ZIP).
- Rectification of inaccurate data (Art. 16) — directly editable in your profile and company settings.
- Erasure (Art. 17) — exercisable via Settings → GDPR (account deletion). Subject to legal retention exceptions for invoices and audit records.
- Restriction of processing (Art. 18) — request via privacy@druma.io.
- Data portability (Art. 20) — the export ZIP is machine-readable JSON + CSV.
- Object to processing based on legitimate interests (Art. 21).
- Information about automated decisions (Art. 22) — see "Automated processing & AI" below.
We respond within one month. We may extend by up to two further months for complex requests; we will tell you within the first month if so. We do not charge a fee, unless requests are manifestly unfounded or excessive.
Security
We protect your data with measures including:
- Encryption in transit (TLS 1.2+) and at rest (managed by Supabase).
- Row-level security on every database table — strict tenant isolation by company.
- JWT, HMAC, or service-role authentication on every server endpoint.
- Secrets stored in a managed vault, never in source code.
- Rate limiting on user-facing APIs that call paid third-party services.
- Comprehensive audit log of changes to sensitive records.
- Regular review of sub-processor security posture.
If a personal data breach affects you, we will notify the operator who controls your data within 72 hours of becoming aware, and where applicable we will notify you directly without undue delay.
Automated processing & AI
Druma's core AI features — document extraction (Smart Import, inbound invoice ingestion), driver-planner message translation, and the in-app AI assistant — run on Google Vertex AI in the EU (europe-west1); Vertex AI Enterprise terms prohibit using customer data to train Google's models.
Separately, a company administrator can opt in to the Druma Copilot (bring your own AI) — off by default. Once enabled and configured with the company's own OpenAI, Anthropic, or Google API key, the operational data a user chooses to query is sent to that provider under the operator's own agreement with them, and may leave the EU.
Every AI output is treated as a draft. A human user must review and confirm before any data is created, modified, or sent. There are no fully automated decisions producing legal or similarly significant effects (Art. 22). You can opt out of message auto-translation in your profile settings.
See our separate AI Disclosure for technical detail.
eFTI authority access
Druma has implemented readiness for the EU eFTI Regulation (EU) 2020/1056, which enables competent authorities (customs officers, transport enforcement) to access transport consignment data electronically from 9 July 2027. Where an eCMR or transport order is linked to an eFTI unique link (UIL), the consignment data corresponding to that UIL — including cargo description, route, and consignment parties — may be accessed by authorised authorities via the eFTI platform during a roadside inspection or port check.
This access is based on Article 6(1)(c) GDPR (legal obligation). No additional consent is required. Druma logs each authority-access event in the eFTI operation log as required by the Regulation.
Changes to this notice
We may update this notice from time to time. The version number and effective date at the top will be revised. For material changes we will notify registered users by email at least 30 days before the new version takes effect, and will request re-acceptance on next sign-in.
Contact
For privacy questions: privacy@druma.io. For general support: support@druma.io.