Privacy Policy
Last updated: April 20, 2026
This Privacy Policy describes how Foreverized, LLC, doing business as Dr. Vin ("we", "us"), collects, uses, and protects your information.
1. Information We Collect
- Photos you upload: Vehicle photographs submitted for assessment.
- Vehicle information: VIN (optional), mileage (optional), ZIP code (optional).
- Payment information: Processed directly by Stripe. We do not store credit card numbers.
- Email address: Only when you request an assessment report by email.
- Technical data: IP address, browser type, and timestamp - collected for security and consent verification.
- License plates: License plate text is not stored or retained. Bounding-box coordinates of detected plates are retained internally for audit and redaction quality review. The redacted plate region is preserved as image metadata so shared report versions remain redacted.
2. How We Use Your Information
- Provide the Service: Your photos are sent to third-party AI vision services (which may include Google Cloud, Anthropic, OpenAI, or other providers) for analysis.
- Process payments: Through Stripe's embedded checkout.
- Report verification: Photos are stored so buyers can verify seller report authenticity.
- Service improvement: Aggregate, de-identified assessment statistics (such as average condition scores by vehicle type) may be used to improve service quality. Individual photos and personal information are never used for AI model training.
- Legal compliance: Consent records and IP addresses are stored for liability protection.
3. Third-Party Services
We share data with:
- Stripe: Payment processing. See Stripe's privacy policy.
- Cloudflare (R2 storage): Photo storage. See Cloudflare's privacy policy.
- NHTSA (National Highway Traffic Safety Administration): VIN lookups for vehicle identification. VINs are sent to the public NHTSA vPIC API.
- PostHog (product analytics and error tracking): When you accept analytics cookies, PostHog records page views, clicks, form interactions, and JavaScript errors. Data is proxied through our domain before reaching PostHog. PostHog receives your IP address and a random device identifier; session recording is not enabled. Consent-gated for EEA/UK visitors. See PostHog's privacy policy.
- Sentry (error monitoring and crash reporting): When an error occurs, Sentry may record a replay of up to 60 seconds preceding the error to help us debug. Session data is masked to hide text inputs and sensitive content. No replay data is captured for normal, non-error sessions. Sentry receives your IP address and a random session identifier; it does not receive your email or account information. See Sentry's privacy policy.
- Google Analytics: Website traffic analytics (consent-gated). See Google's privacy policy.
- Meta (Facebook Pixel): Conversion tracking for advertising (consent-gated). See Meta's privacy policy.
- PlateToVin: License plate to VIN resolution for vehicle identification. Detected plate text may be sent to this service for lookup. Data is not stored after resolution.
- SendGrid: Transactional email delivery for assessment reports and account flows. Email address is the only PII transmitted.
- Gemini API / Google: AI vision analysis provider. Image data is processed under Google's enterprise data handling terms.
- Google Search Grounding: Real-time vehicle valuation queries. No PII is transmitted in grounded queries.
We do not sell your personal information to any third party.
Infrastructure
- Cloudflare: CDN, edge caching, DDoS protection, image storage via R2.
- Railway: Application hosting.
- Turso / LibSQL: Application database.
Strictly Necessary Cookies
We set two small cookies that do not track you and cannot be disabled without breaking the Service:
- drvin_region: stores your approximate region (EU or non-EU) so we can apply the correct consent experience. Set from your IP address at first visit. Retained 12 months.
- drvin_consent: records whether you have accepted or rejected analytics cookies. Set only if you interact with the consent banner. Retained 12 months.
Neither cookie is shared with third parties.
4. Data Retention
Photo Retention
Uploaded photos are automatically deleted from our storage 90 days after upload via a storage-layer lifecycle policy. After deletion, we retain only the derived analysis output (make, model, condition findings) associated with your report, never the original images.
Assessment Report Retention
Assessment reports and their derived analysis remain associated with your account until you delete them or request account deletion. We do not currently apply an automatic time-based purge to report records. We may introduce one in the future; if so, we will give 30 days' notice before the first scheduled purge.
Consent Records
Records of your consent choices (cookie preferences, email marketing opt-ins) are retained for the life of your account and for up to 36 months after account closure to demonstrate compliance with applicable laws. Consent records cannot be deleted through the standard data-deletion flow.
Payment Records
Retained as required by law and Stripe's policies.
5. Your Rights
Depending on your state of residence, you may have the following rights:
- California (CCPA/CPRA): Right to know, delete, correct, and opt out of sale/sharing of personal information. Right to non-discrimination.
- Virginia (VCDPA): Right to access, delete, correct, and opt out of targeted advertising or sale of personal data.
- Colorado (CPA): Right to access, delete, correct, and opt out. We honor Global Privacy Control (GPC) signals.
- Connecticut (CTDPA): Right to access, delete, correct, and opt out of targeted advertising or sale of personal data.
To exercise these rights, contact privacy@drvin.ai with your assessment ID (displayed after each assessment). We will respond within 45 days.
6. GDPR (for EEA/UK Residents)
If you are in the European Economic Area or United Kingdom:
- Legal Basis: We process your data based on contractual necessity (to provide the assessment you requested) and legitimate interest (service improvement, fraud prevention).
- Consent: For non-essential analytics cookies (PostHog, Google Analytics, Meta Pixel), we rely on your explicit consent, which you can grant or withdraw via the cookie banner.
- International Transfers: Your data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.
- Your Rights: You have the right to access, rectify, and erase your data, to restrict or object to processing, and to data portability. Contact privacy@drvin.ai.
- Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.
7. Do Not Sell My Personal Information
We do not sell your personal information. If photos are shared with third-party AI services for analysis, this may constitute "sharing" under CCPA's broad definition. You can opt out by contacting privacy@drvin.ai.
8. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected individuals within 72 hours of becoming aware of the breach, as required by applicable law.
9. Security
We use industry-standard security measures including encrypted data transmission (TLS), access-controlled cloud storage, and rate limiting. However, no system is 100% secure.
10. Children
The Service is not intended for use by anyone under 16 years of age.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify users of material changes by updating the "Last updated" date at the top of this page.
12. Contact Us
privacy@drvin.ai