Privacy Policy
Effective date: July 1, 2025 · Last updated: July 1, 2026
This Privacy Policy explains how DRVN VHCLS (“DRVN,” “we,” “our,” or “us”) collects, uses, and protects information when you use our platform at drvnvhcls.xyz.
01
Introduction
DRVN VHCLS is a community platform for automotive enthusiasts — drivers, organizers, vendors, and fans. We provide tools for discovering and listing car events, forming clubs, showcasing vehicles and vendor businesses, earning BOOST rewards, and connecting with the car culture community.
By creating an account or using any part of the platform you agree to the data practices described in this policy. If you do not agree, please do not use the platform.
02
Information We Collect
Account Registration
When you sign up we collect your email address, username, and password (stored as a bcrypt hash — never recoverable). First name, last name, and bio are optional at signup and can be added later in your profile.
Profile Data
- Profile and banner images — uploaded to IPFS via Pinata (see Image Storage section)
- Garage vehicles — year, make, model, and optional image for each vehicle you add
- Social handles — Instagram, TikTok, Facebook, website URL (all optional)
- Bio — a short free-text description of yourself
Wallet & Web3
Linking an EVM wallet is optional; it is required only for on-chain BOOST reward claims and live cruise GPS tracking. We store your wallet address (a public blockchain identifier). We never receive or store your private keys or seed phrase. On-chain transactions (BSTR reward claims) are recorded on the public Base blockchain and include the destination wallet and transaction hash.
X (Twitter) OAuth
If you connect your X account we store your X user ID, display name, X profile image URL, and encrypted OAuth access and refresh tokens. We use these tokens only to perform actions you authorize on X. You can disconnect at any time from your profile settings.
Session & Authentication Data
- Session token — stored in an httpOnly cookie for up to 30 days to keep you logged in
- Browser user-agent — recorded on your session and in admin audit logs for security monitoring
- Login timestamps — to detect unusual activity
Support Tickets
When you open a support ticket we collect the subject line and message body you provide. All ticket content is encrypted at rest using AES-256-GCM and is accessible only to our support team for the purpose of resolving your issue.
Events, Clubs & Vendor Content
Events you create may include a contact email and phone number that you choose to display publicly. RSVP lists store a snapshot of your username and profile image. Club posts, vendor listings, and photos you upload are stored and displayed according to your visibility settings.
Technical & Device Data
- IP address — captured server-side from HTTP headers on certain admin-audited operations
- User-agent string — browser/device info stored on sessions and audit log entries
- Cloudflare Turnstile token — verified server-side at signup and sign-in to block automated bots; not stored after verification
03
How We Use Your Information
- Account management — creating and maintaining your account, verifying your email, resetting your password
- Service delivery — displaying events on the map, managing RSVPs, running clubs and vendor listings, enabling live cruise GPS sharing
- Subscription billing — processing payments through Stripe for Crew Member, Organizer, and Pro plans
- BOOST rewards — tracking profile-completion milestones and facilitating on-chain BSTR token transfers when the feature is enabled
- Newsletter — automatically subscribing you to the DRVN newsletter via Beehiiv at signup (you can unsubscribe at any time)
- Transactional email — sending OTP verification codes for login, signup, and password reset via Resend
- Safety & moderation — detecting abuse, reviewing flagged content, administering bans
- Platform improvements — understanding aggregate usage patterns to improve features; we do not sell this data
- Legal compliance — retaining records as required by applicable law
04
Third-Party Services We Use
We work with the following service providers. Each operates under its own privacy policy and is responsible for its own data practices.
Primary database hosting for all platform data.
Transactional email delivery for OTP verification codes.
Subscription billing and payment processing. DRVN does not store full card details — these are handled entirely by Stripe.
Newsletter management. Your email, name, username, and subscription tier are shared at signup. You can unsubscribe from your profile or via any newsletter email.
Decentralized image storage for profile photos, event images, club content, and vendor galleries. Images stored on IPFS are publicly accessible by anyone with the URL.
Map tile rendering, address autocomplete, route calculation, and cruise GPS tracking. Cruise host GPS coordinates are stored in AWS Location Service, not in our primary database.
Bot and abuse prevention at signup and sign-in. No verification data is retained after the check completes.
EVM wallet connection infrastructure. We never receive your private keys or seed phrase.
On-chain BSTR token reward claims on the Base blockchain. Transactions are public and permanently recorded on-chain.
Platform hosting, serverless functions, and scheduled cron jobs.
06
Data Encryption
We take data security seriously. The following sensitive fields are encrypted at rest in our database using AES-256-GCM encryption:
- Email address
- First name and last name
- Bio
- Support ticket subject lines and message bodies
- X OAuth access tokens and refresh tokens
- Admin ticket closing notes
Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in a recoverable form. Even DRVN staff cannot retrieve your password.
07
Your Rights & Choices
Update your information
You can update your name, bio, profile image, social handles, garage, and newsletter preference at any time from your Profile settings.
Disconnect wallet or X account
You can disconnect your EVM wallet or X account from your Profile settings. This removes stored OAuth tokens and wallet address from your account.
Newsletter opt-out
You are automatically subscribed to the DRVN newsletter at signup. You can unsubscribe at any time via your Profile settings or using the unsubscribe link in any newsletter email.
Delete your account
You can request account deletion from your Profile settings. A 30-day grace period applies during which you can cancel the deletion. After 30 days your account and personal data are permanently deleted from our database. Active Stripe subscriptions are cancelled automatically.
Data portability
To request a copy of your data, please open a support ticket at /support.
08
Image Storage & IPFS
Images you upload — including profile photos, banner images, event images, club post images, and vendor gallery photos — are stored on the InterPlanetary File System (IPFS) via Pinata, a decentralized storage provider.
IPFS is content-addressed: each file is identified by a unique hash of its content and is accessible via a public gateway URL to anyone who has that URL. Once uploaded, images cannot be guaranteed to be deleted from the IPFS network, even if you remove them from your DRVN profile. Please do not upload images containing sensitive personal information.
09
GPS & Location Data
User-entered addresses
Events, clubs, and vendor listings include addresses you enter using our address autocomplete (powered by Amazon Location Service). We store the street address, city, state, zip, country, and geographic coordinates you select. Your device GPS is not used for this feature.
Live cruise GPS tracking
If you are the host of a cruise-type event, you can choose to enable live GPS tracking by pressing “Start Cruise.” This uses your browser's Geolocation API and requires your explicit permission. Your GPS coordinates are sent to Amazon Location Service and are visible to event attendees in real time during the cruise. Coordinates are not stored in DRVN's primary database. Tracking stops automatically when you end the cruise or close the browser tab.
Map display
The events map is powered by Amazon Location Service map tiles. Browsing the map does not send your device location to DRVN or Amazon.
10
Children's Privacy
DRVN VHCLS is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has created an account, we will delete that account and its associated data promptly. If you believe a minor has registered, please contact us via a support ticket.
11
Data Retention
- Active accounts — data retained for the lifetime of your account
- Deleted accounts — personal data removed after a 30-day grace period; anonymized references may remain in audit logs and event records
- Support tickets — retained for 12 months after the ticket is closed to support quality review and dispute resolution
- Admin audit logs — retained indefinitely for platform safety, fraud prevention, and legal compliance
- Session data — expires after 30 days of inactivity or on logout
- Stripe billing records — retained as required by financial regulations (typically 7 years)
12
Policy Changes
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and post an in-app announcement to notify registered users. Your continued use of the platform after a policy update constitutes your acceptance of the revised policy.
For material changes that significantly affect how we handle your data, we will make reasonable efforts to provide more prominent notice.
13
Contact Us
If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us through our support system:
Also read our Terms & Conditions.
