DRVN VHCLS Logo
Back to Home
Legal

Privacy Policy

Effective date: July 1, 2025 · Last updated: July 1, 2026

This Privacy Policy explains how DRVN VHCLS (“DRVN,” “we,” “our,” or “us”) collects, uses, and protects information when you use our platform at drvnvhcls.xyz.

01

Introduction

DRVN VHCLS is a community platform for automotive enthusiasts — drivers, organizers, vendors, and fans. We provide tools for discovering and listing car events, forming clubs, showcasing vehicles and vendor businesses, earning BOOST rewards, and connecting with the car culture community.

By creating an account or using any part of the platform you agree to the data practices described in this policy. If you do not agree, please do not use the platform.

02

Information We Collect

Account Registration

When you sign up we collect your email address, username, and password (stored as a bcrypt hash — never recoverable). First name, last name, and bio are optional at signup and can be added later in your profile.

Profile Data

  • Profile and banner images — uploaded to IPFS via Pinata (see Image Storage section)
  • Garage vehicles — year, make, model, and optional image for each vehicle you add
  • Social handles — Instagram, TikTok, Facebook, website URL (all optional)
  • Bio — a short free-text description of yourself

Wallet & Web3

Linking an EVM wallet is optional and required only for on-chain BOOST reward claims and live cruise GPS tracking. We store your wallet address (a public blockchain identifier). We never receive or store your private keys or seed phrase. On-chain transactions (BSTR reward claims) are recorded on the public Base blockchain and include the destination wallet and transaction hash.

X (Twitter) OAuth

If you connect your X account we store your X user ID, display name, X profile image URL, and encrypted OAuth access and refresh tokens. We use these tokens only to perform actions you authorize on X. You can disconnect at any time from your profile settings.

Session & Authentication Data

  • Session token — stored in an httpOnly cookie for up to 30 days to keep you logged in
  • Browser user-agent — recorded on your session and in admin audit logs for security monitoring
  • Login timestamps — to detect unusual activity

Support Tickets

When you open a support ticket we collect the subject line and message body you provide. All ticket content is encrypted at rest using AES-256-GCM and is accessible only to our support team for the purpose of resolving your issue.

Events, Clubs & Vendor Content

Events you create may include a contact email and phone number that you choose to display publicly. RSVP lists store a snapshot of your username and profile image. Club posts, vendor listings, and photos you upload are stored and displayed according to your visibility settings.

Technical & Device Data

  • IP address — captured server-side from HTTP headers on certain admin-audited operations
  • User-agent string — browser/device info stored on sessions and audit log entries
  • Cloudflare Turnstile token — verified server-side at signup and sign-in to block automated bots; not stored after verification

03

How We Use Your Information

  • Account management — creating and maintaining your account, verifying your email, resetting your password
  • Service delivery — displaying events on the map, managing RSVPs, running clubs and vendor listings, enabling live cruise GPS sharing
  • Subscription billing — processing payments through Stripe for Crew Member, Organizer, and Pro plans
  • BOOST rewards — tracking profile-completion milestones and facilitating on-chain BSTR token transfers when the feature is enabled
  • Newsletter — automatically subscribing you to the DRVN newsletter via Beehiiv at signup (you can unsubscribe at any time)
  • Transactional email — sending OTP verification codes for login, signup, and password reset via Resend
  • Safety & moderation — detecting abuse, reviewing flagged content, administering bans
  • Platform improvements — understanding aggregate usage patterns to improve features; we do not sell this data
  • Legal compliance — retaining records as required by applicable law

04

Third-Party Services We Use

We work with the following service providers. Each operates under their own privacy policy and is responsible for their own data practices.

MongoDB Atlas

Primary database hosting for all platform data.

Resend

Transactional email delivery for OTP verification codes.

Stripe

Subscription billing and payment processing. DRVN does not store full card details — these are handled entirely by Stripe.

Beehiiv

Newsletter management. Your email, name, username, and subscription tier are shared at signup. You can unsubscribe from your profile or via any newsletter email.

Pinata / IPFS

Decentralized image storage for profile photos, event images, club content, and vendor galleries. Images stored on IPFS are publicly accessible by anyone with the URL.

Amazon Location Service

Map tile rendering, address autocomplete, route calculation, and cruise GPS tracking. Cruise host GPS coordinates are stored in AWS Location Service, not in our primary database.

Cloudflare Turnstile

Bot and abuse prevention at signup and sign-in. No verification data is retained after the check completes.

Reown / WalletConnect

EVM wallet connection infrastructure. We never receive your private keys or seed phrase.

Base L2 / Alchemy RPC

On-chain BSTR token reward claims on the Base blockchain. Transactions are public and permanently recorded on-chain.

Vercel

Platform hosting, serverless functions, and scheduled cron jobs.

05

Cookies & Session Storage

We use only the minimum cookies necessary to operate the platform. We do not use advertising, analytics, or tracking cookies.

drvn_session

HttpOnly, Secure session cookie. Keeps you logged in for up to 30 days. Cleared on logout or when the session expires.

x_oauth_pkce

Temporary cookie used only during the X (Twitter) OAuth connection flow. Deleted immediately after the flow completes or fails.

06

Data Encryption

We take data security seriously. The following sensitive fields are encrypted at rest in our database using AES-256-GCM encryption:

  • Email address
  • First name and last name
  • Bio
  • Support ticket subject lines and message bodies
  • X OAuth access tokens and refresh tokens
  • Admin ticket closing notes

Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in a recoverable form. Even DRVN staff cannot retrieve your password.

07

Your Rights & Choices

Update your information

You can update your name, bio, profile image, social handles, garage, and newsletter preference at any time from your Profile settings.

Disconnect wallet or X account

You can disconnect your EVM wallet or X account from your Profile settings. This removes stored OAuth tokens and wallet address from your account.

Newsletter opt-out

You are automatically subscribed to the DRVN newsletter at signup. You can unsubscribe at any time via your Profile settings or using the unsubscribe link in any newsletter email.

Delete your account

You can request account deletion from your Profile settings. A 30-day grace period applies during which you can cancel the deletion. After 30 days your account and personal data are permanently deleted from our database. Active Stripe subscriptions are cancelled automatically.

Data portability

To request a copy of your data, please open a support ticket at /support.

08

Image Storage & IPFS

Images you upload — including profile photos, banner images, event images, club post images, and vendor gallery photos — are stored on the InterPlanetary File System (IPFS) via Pinata, a decentralized storage provider.

IPFS is content-addressed: each file is identified by a unique hash of its content and is accessible via a public gateway URL to anyone who has that URL. Once uploaded, images cannot be guaranteed to be deleted from the IPFS network, even if you remove them from your DRVN profile. Please do not upload images containing sensitive personal information.

09

GPS & Location Data

User-entered addresses

Events, clubs, and vendor listings include addresses you enter using our address autocomplete (powered by Amazon Location Service). We store the street address, city, state, zip, country, and geographic coordinates you select. Your device GPS is not used for this feature.

Live cruise GPS tracking

If you are the host of a cruise-type event, you can choose to enable live GPS tracking by pressing “Start Cruise.” This uses your browser's Geolocation API and requires your explicit permission. Your GPS coordinates are sent to Amazon Location Serviceand are visible to event attendees in real time during the cruise. Coordinates are not stored in DRVN's primary database. Tracking stops automatically when you end the cruise or close the browser tab.

Map display

The events map is powered by Amazon Location Service map tiles. Browsing the map does not send your device location to DRVN or Amazon.

10

Children's Privacy

DRVN VHCLS is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has created an account, we will delete that account and its associated data promptly. If you believe a minor has registered, please contact us via a support ticket.

11

Data Retention

  • Active accounts — data retained for the lifetime of your account
  • Deleted accounts — personal data removed after a 30-day grace period; anonymized references may remain in audit logs and event records
  • Support tickets — retained for 12 months after the ticket is closed to support quality review and dispute resolution
  • Admin audit logs — retained indefinitely for platform safety, fraud prevention, and legal compliance
  • Session data — expires after 30 days of inactivity or on logout
  • Stripe billing records — retained as required by financial regulations (typically 7 years)

12

Policy Changes

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and post an in-app announcement to notify registered users. Your continued use of the platform after a policy update constitutes your acceptance of the revised policy.

For material changes that significantly affect how we handle your data, we will make reasonable efforts to provide more prominent notice.

13

Contact Us

If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us through our support system:

Also read our Terms & Conditions.