Privacy Policy
Last updated: May 30, 2026
This Privacy Policy describes how Foreverized, LLC, doing business as Dr. Vin ("we", "us"), collects, uses, and protects your information.
1. Information We Collect
- Photos you upload: Vehicle photographs submitted for assessment.
- Vehicle information: VIN (optional), mileage (optional), ZIP code (optional).
- Payment information: Processed directly by Stripe. We do not store credit card numbers.
- Email address: Only when you request an assessment report by email.
- Technical data: IP address, browser type, and timestamp - collected for security and consent verification.
- License plates: License plate text is not stored. Detected plate regions are permanently obscured in the stored photo before upload, and only their location coordinates are kept internally for redaction-quality audit, so every shared version of a report stays redacted.
2. How We Use Your Information
- Provide the Service: Your photos are sent to third-party AI vision services (which may include Google Cloud, Anthropic, OpenAI, or other providers) for analysis.
- Process payments: Through Stripe's embedded checkout.
- Report verification: Photos are stored so buyers can verify seller report authenticity.
- Service improvement: Aggregate, de-identified assessment statistics (such as average condition scores by vehicle type) may be used to improve service quality. Individual photos and personal information are never used for AI model training.
- Legal compliance: Consent records and IP addresses are stored for liability protection.
3. Third-Party Services
We share data with:
- Stripe: Payment processing. See Stripe's privacy policy.
- Cloudflare (R2 storage): Photo storage. See Cloudflare's privacy policy.
- NHTSA (National Highway Traffic Safety Administration): VIN lookups for vehicle identification. VINs are sent to the public NHTSA vPIC API.
- PostHog (product analytics and error tracking): When you accept analytics cookies, PostHog records page views, clicks, form interactions, and JavaScript errors. Data is proxied through our domain before reaching PostHog. PostHog receives your IP address and a random device identifier; session recording is not enabled. Consent-gated for EEA/UK visitors. See PostHog's privacy policy.
- Sentry (error monitoring and crash reporting): When an error occurs, Sentry may record a replay of up to 60 seconds preceding the error to help us debug. Session data is masked to hide text inputs and sensitive content. No replay data is captured for normal, non-error sessions. Sentry receives your IP address and a random session identifier; it does not receive your email or account information. See Sentry's privacy policy.
- Google Analytics: Website traffic analytics (consent-gated). See Google's privacy policy.
- Meta (Facebook Pixel): Conversion tracking for advertising (consent-gated). See Meta's privacy policy.
- PlateToVin: License plate to VIN resolution for vehicle identification. Detected plate text may be sent to this service for lookup. Data is not stored after resolution.
- SendGrid: Transactional email delivery for assessment reports and account flows. Email address is the only PII transmitted.
- Gemini API / Google: AI vision analysis provider. Image data is processed under Google's enterprise data handling terms.
- Google Search Grounding: Real-time vehicle valuation queries. No PII is transmitted in grounded queries.
We do not sell your personal information to any third party.
Infrastructure
- Cloudflare: CDN, edge caching, DDoS protection, image storage via R2.
- Railway: Application hosting.
- Turso / LibSQL: Application database.
Strictly Necessary Cookies
We set two small cookies that do not track you and cannot be disabled without breaking the Service:
- drvin_region: stores your approximate region (EU or non-EU) so we can apply the correct consent experience. Set from your IP address at first visit. Retained 12 months.
- drvin_consent: records whether you have accepted or rejected analytics cookies. Set only if you interact with the consent banner. Retained 12 months.
Neither cookie is shared with third parties.
4. Data Retention
Photo Retention
Uploaded photos are automatically deleted from our storage 90 days after upload via a storage-layer lifecycle policy. After deletion, we retain only the derived analysis output (make, model, condition findings) associated with your report, never the original images.
Certified Listing Retention
If you purchase a Dr. Vin certification for a vehicle, the photos captured for that certification are kept only for the life of the certification badge, so a buyer can verify it while the listing is live. A condition certification is time-sensitive, so each badge expires 12 months after the vehicle is captured; if you re-list later, you re-certify. We delete the certification photos as soon as the badge expires or you withdraw it, whichever comes first. We hold these photos for exactly as long as the claim is live, and no longer. Before storage they are redacted: license plate regions are obscured and location metadata is stripped. You can withdraw a certification at any time by emailing privacy@drvin.ai, which deletes the photos and stops the public badge from resolving.
Capture Working Media
The plate redaction described above applies to the photos we publish on a certification page. To produce a certification, the Dr. Vin capture app also handles two kinds of working media we never publish. The original full-resolution photos you capture are deleted as soon as their redacted, plate-obscured copies are stored, and only those redacted copies appear on a published certification. A short continuous walk-around video is recorded to confirm the capture was live and in person; it is accessible only to Dr. Vin, is never shown on any public page, and is used solely for that verification. Both may show license plates and are held only as long as needed for these purposes.
Assessment Report Retention
Paid reports become inaccessible 30 days after they are generated; after that the report can no longer be viewed or verified. We retain the derived analysis (make, model, condition findings) tied to a report only for internal quality and audit purposes, never the original images. Free instant grades are not stored for later retrieval.
Consent Records
Records of your consent choices (cookie preferences, email marketing opt-ins) are retained for up to 36 months from the date you provide them to demonstrate compliance with applicable laws. Consent records cannot be deleted through the standard data-deletion flow.
Payment Records
Retained as required by law and Stripe's policies.
5. Your Rights
Depending on your state of residence, you may have the following rights:
- California (CCPA/CPRA): Right to know, delete, correct, and opt out of sale/sharing of personal information. Right to non-discrimination.
- Virginia (VCDPA): Right to access, delete, correct, and opt out of targeted advertising or sale of personal data.
- Colorado (CPA): Right to access, delete, correct, and opt out. We honor Global Privacy Control (GPC) signals.
- Connecticut (CTDPA): Right to access, delete, correct, and opt out of targeted advertising or sale of personal data.
To exercise these rights, contact privacy@drvin.ai with your assessment ID (displayed after each assessment). We will respond within 45 days.
6. GDPR (for EEA/UK Residents)
If you are in the European Economic Area or United Kingdom:
- Legal Basis: We process your data based on contractual necessity (to provide the assessment you requested) and legitimate interest (service improvement, fraud prevention).
- Consent: For non-essential analytics cookies (PostHog, Google Analytics, Meta Pixel), we rely on your explicit consent, which you can grant or withdraw via the cookie banner.
- International Transfers: Your data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.
- Your Rights: You have the right to access, rectify, and erase your data, to restrict processing, to data portability, and to object to processing. Contact privacy@drvin.ai.
- Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.
7. Do Not Sell My Personal Information
We do not sell your personal information. If photos are shared with third-party AI services for analysis, this may constitute "sharing" under CCPA's broad definition. You can opt out by contacting privacy@drvin.ai.
8. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected individuals within 72 hours of becoming aware of the breach, as required by applicable law.
9. Security
We use industry-standard security measures including encrypted data transmission (TLS), access-controlled cloud storage, and rate limiting. However, no system is 100% secure.
10. Children
The Service is not intended for use by anyone under 16 years of age.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify users of material changes by updating the "Last updated" date at the top of this page.
12. Contact Us
privacy@drvin.ai