Privacy Policy

SYSTEM DRVN OS ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at systemdrvn.com, including the Franchise Market Audit and all associated services (the "Service").

By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

When you complete the Franchise Market Audit, we collect:

• Full name
• Email address
• Phone number
• Company name and website
• Survey responses and self-reported business information
• Respondent type (e.g., franchise investor, brand owner, expo vendor)

1.2 Information Collected Automatically

When you access the Service, we automatically collect:

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited and time spent on each page
• Referring URLs and navigation paths
• Session identifiers (stored in secure, httpOnly cookies)

1.3 AI-Generated Data

Based on your survey responses, our AI systems generate a market readiness grade, score, percentile ranking, and personalised recommendations. This derived data is stored alongside your submission and used to produce your audit report.

2. How We Use Your Information

We use the information we collect to:

• Generate and deliver your personalised AI Franchise Market Audit report
• Send your results and supporting materials (including PDF attachments) via email
• Facilitate follow-up communications and strategy call scheduling
• Operate and improve the Service, including training and refining AI models
• Detect, prevent, and respond to fraud, abuse, and security incidents
• Comply with applicable legal obligations and enforce our Terms of Service
• Analyse aggregate, anonymised usage patterns to improve the platform

We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information with:

4. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law. Specifically:

• Survey submissions and audit reports are retained for 24 months from the date of submission
• Email communication records are retained for 12 months
• Security and audit logs are retained for 90 days
• Session data is purged upon logout or after 60 minutes of inactivity

You may request deletion of your data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.

5. Security Measures

We implement technical and organisational security measures aligned with SOC 2 Trust Service Criteria, including:

• TLS 1.2+ encryption for all data in transit
• HTTP Strict Transport Security (HSTS) with a 1-year max-age and preload
• Content Security Policy (CSP) restricting script and resource origins
• Secure, httpOnly, SameSite=Strict session cookies
• Rate limiting on all public endpoints to prevent brute-force and spam
• Role-based access control (RBAC) — admin data is never accessible to public users
• Audit logging of all data access and administrative mutations
• Production builds with no source maps — compiled code is minified and obfuscated

6. Cookies and Tracking

We use strictly necessary cookies to maintain your authenticated session. These cookies are:

• Secure (transmitted only over HTTPS)
• HttpOnly (not accessible to JavaScript)
• SameSite=Strict (not sent with cross-site requests)
• Session-scoped or limited to 60 minutes of inactivity

We do not use third-party advertising cookies, tracking pixels, or behavioural analytics platforms. We do not participate in cross-site tracking.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing of your data for direct marketing purposes
• Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

9. International Data Transfers

The Service is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page and, where appropriate, by sending an email to the address associated with your submission. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

11. Contact Us

For privacy-related questions, data requests, or to report a concern, please contact our privacy team: