Draft for legal review

Privacy Policy and Notice at Collection

Hardin Secure DL Portal handles driver license images and related customer information for limited dealership business purposes.

View retention policy

Legal review required.

This draft is intended to help Melanie Cliff / legal review California privacy, DMV-related privacy, GLBA/FTC Privacy Rule, FTC Safeguards Rule, and FTC Disposal Rule alignment. It is not legal advice and should not be published as final without counsel approval.

What we collect

Customer name, store, purpose, capture timestamp, creator, and audit metadata.
Driver license front and back images, including visible license number, photo, address, date of birth, expiration date, and barcode data when present.
Information extracted locally from the uploaded license image or barcode and verified or corrected before submission.
Optional customer phone/email and non-sensitive notes entered by authorized staff.
Technical security information such as IP address, browser/user agent, and access logs.

Why we collect it

To document identity information for test drives, credit applications, deal jackets, trade appraisals, and service loaners.
To protect dealership vehicles, customers, and employees and to support fraud prevention and dispute handling.
To comply with dealership recordkeeping, financing, leasing, audit, and legal obligations.
To maintain security controls, audit logs, retention schedules, and incident response evidence.

How we limit use

This portal is not a DMV verification system and does not request DMV motor vehicle records.
Driver license data is not sold, shared for cross-context behavioral advertising, emailed, texted, or used for marketing.
Access is limited by Microsoft 365 sign-in, role, assigned store, audit logging, and business need.
Customer upload PINs are short-lived, one-time requests limited to upload, local scan, verification, and submit.
Sensitive fields and images are encrypted and stored outside the public web root.

When we disclose it

To service providers operating the portal, identity platform, hosting, backup, security, or legal/audit support under appropriate safeguards.
To lenders, finance/leasing partners, insurers, government agencies, law enforcement, courts, or regulators only when needed for the requested transaction, consented use, legal obligation, or permitted exception.
To authorized dealership personnel with assigned-store access and a job-related need.

California Notice at Collection

Category	Examples	Purpose	Retention target
Identifiers	Name, phone, email, driver license number visible on image.	Dealership transaction documentation, fraud prevention, audit.	By purpose; see retention policy.
Sensitive personal information	Driver license number, date of birth, address, license image, barcode data.	Requested dealership service, security, legal compliance; not used to infer unrelated characteristics.	Encrypted until scheduled deletion or legal hold.
Customer records information	Address, phone, email, signature or physical characteristics visible on the license image.	Identity documentation and business transaction recordkeeping.	By purpose; see retention policy.
Protected classification data that may appear on the ID	Age/date of birth or other visible ID attributes.	Confirm eligibility and support requested dealership purpose.	Not extracted unless required; image retained by purpose.
Internet or device activity	IP address, user agent, access timestamps.	Security monitoring, audit, incident response.	Audit/log retention as approved by legal.

Hardin should confirm whether its broader CCPA/CPRA privacy policy requires additional consumer request methods, authorized agent instructions, opt-out preference signal language, employee notice language, or metrics disclosures.

Consumer rights draft language

California residents may have rights to know, access, correct, delete, and limit certain uses or disclosures of personal information, subject to legal exceptions. Requests should be directed to the dealership privacy contact designated by Hardin legal. Some records may be retained when required for financing, leasing, deal jacket, warranty, audit, fraud prevention, litigation hold, or other legal obligations.

This portal does not provide a self-service consumer account. Identity verification for any request should be handled by the dealership privacy process approved by legal.