DriveHunt is a location-based mobile game in which you use your phone's camera to spot real-world vehicles and collect original, illustrated Ride Cards. Because the game uses the camera and location, we hold ourselves to the strictest global privacy standard. This policy explains, in plain language, exactly what we collect, why, how we protect it, and the rights you have. Our practices are built to satisfy the EU/EEA GDPR, Türkiye's KVKK, California's CCPA/CPRA, and children's privacy rules including COPPA and age-appropriate design codes.
The short version: Vehicle detection runs on your device, and most captures never leave your phone. Faces, pedestrians, license plates, and house numbers are blurred on-device before any upload. We never store raw license-plate images or plate text. We use coarse (rounded) location for gameplay. We do not sell your data, and you can access, export, or delete your data at any time.
DriveHunt is operated by Appouse ("Appouse", "we", "us", or "our"), established in Türkiye. Appouse is the data controller responsible for the personal data processed through the DriveHunt app and this website (drivehunt.appouse.com).
For any privacy question or to reach our Data Protection Officer (DPO), contact privacy@appouse.com. General enquiries: hello@appouse.com.
We collect only what the game needs. The categories below reflect our actual data flows.
| Category | Examples | How it is collected |
|---|---|---|
| Account & identity | A user identifier, the subject identifier from your social login, and (if provided) your email and display name. | When you sign in with Sign in with Apple or Google. We prefer passwordless/social sign-in so we do not hold passwords. |
| Coarse location | A rounded location "bucket" used for the map and gameplay. | From your device, with your consent, while you play. |
| Precise location (spot moment only) | The coordinates at the instant you Spot a vehicle. | Captured only at the moment of a Spot, used briefly for anti-cheat/duplicate checks, then coarsened or dropped. |
| Capture-derived signals | Generic, non-branded visual attributes (e.g. vehicle type, body style, coarse size/segment, dominant color) and capture quality/liveness scores. | Computed on your device from the camera; only these derived signals are typically sent to us, not raw photos. |
| Gameplay data | Your Sightings, owned Ride Cards, Garage, progression (Collector Level, Discovery Points), currencies, trades, races, missions, and achievements. | Generated as you play. |
| Dedup hashes | A short-lived, irreversible keyed hash plus a coarse geobucket — see Section 5. | Computed on-device to prevent duplicate-farming; the raw input is destroyed immediately. |
| Device & integrity | Device/session identifiers, app version, OS, and app-attestation results (Apple App Attest / DeviceCheck). | To secure your account and detect cheating and tampered clients. |
| Analytics (optional) | Privacy-first usage events. Analytics payloads carry no direct identifiers and no precise location. | Only if you consent; separately toggleable and revocable. |
| Push tokens (optional) | An APNs (iOS) or FCM (Android) push token. | Only if you enable notifications. |
| Support & reports | Messages you send us, and reports you file (content, behavior, or restricted-zone reports). | When you contact us or use in-app reporting. |
| Purchase records | In-app purchase receipts and transaction records (no card numbers — payments are handled by the app store). | If you make a purchase through Apple/Google billing. |
The camera is used only for on-device vehicle detection during play. We ask for camera permission just-in-time — the first time you try to Spot — not at install.
Camera-based play can incidentally capture bystanders, plates, and homes, so we protect against that on the device, before anything is uploaded:
DriveHunt does not identify the make, model, or brand of real vehicles, and it never shows you a real brand. It reads only generic visual attributes on-device and maps them to its own original, fictional Archetypes.
We never store raw license-plate images or OCR'd plate text — anywhere.
To stop players from "farming" the same parked vehicle over and over, we need a way to tell whether two Sightings are the same vehicle. We do this without building any plate database:
Because the salt rotates and the hash expires quickly, the same plate produces different hashes over time. This means no persistent, cross-time registry of vehicles or people can be built from what we store. This design gives us just enough signal to prevent farming while making it impossible to reconstruct a surveillance dataset.
Under the GDPR/KVKK, every processing activity has a lawful basis. We use your data to:
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the game — accounts, Spotting, Ride Cards, Garage, racing, trading, progression. | Account, gameplay, capture-derived signals, coarse location. | Performance of a contract (Art. 6(1)(b)). |
| Camera-based Spotting and on-device redaction. | Camera (on-device), capture-derived signals. | Consent (Art. 6(1)(a)) for camera access; contract for the resulting gameplay. |
| Precise location at the Spot moment. | Precise coordinates (transient). | Consent, and legitimate interest in anti-cheat/fairness (Art. 6(1)(f)). |
| Prevent farming, cheating, fraud, and abuse; keep the economy fair. | Dedup hashes, device/integrity signals, precise location (transient). | Legitimate interest (Art. 6(1)(f)). |
| Safety — restricted-zone and speed enforcement. | Location. | Legitimate interest in player safety; legal/ethical obligation. |
| Product analytics and improvement. | Privacy-first analytics events (no PII, no precise location). | Consent (Art. 6(1)(a)). |
| Notifications. | Push token. | Consent (Art. 6(1)(a)). |
| Support, moderation, and dispute resolution. | Reports, messages, audit logs. | Legitimate interest; legal obligation where applicable. |
| Purchases and financial records. | IAP receipts, transactions. | Contract; legal obligation (tax/finance). |
We practice purpose limitation: data collected for one purpose (for example, anti-cheat) is not repurposed for another (for example, marketing) without a new, appropriate legal basis.
Consent in DriveHunt is granular and unbundled. Camera, location, analytics, and notifications are each requested separately, with plain-language purpose text, and none are pre-checked. We ask contextually — for example, camera permission the first time you Spot.
Each consent is as easy to withdraw as it is to give, and withdrawal takes effect immediately (for example, withdrawing analytics consent stops event collection). We keep a record of your consent choices — including the policy version you saw and when — to honor GDPR/KVKK's demonstrable-consent requirement. Declining optional consents (analytics, notifications) never degrades the core game.
DriveHunt is intended for players aged 13 and over. At signup we present a neutral age gate (a date-of-birth / age prompt that does not nudge you toward a higher age).
Where a market or age requires it, accounts for minors require verifiable parental consent before processing, and get child-safe defaults: no open chat, no free-form trading with strangers, restricted social features, no behavioral advertising, tightened data minimization, and shorter retention. Parents or guardians can review a child's data, disable social/trade/location features, set play-time boundaries, and request access or deletion on the child's behalf. We do not knowingly collect personal data from children under 13; if we learn we have, we delete it. To make such a request, contact privacy@appouse.com.
We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising (as those terms are used under CCPA/CPRA). We disclose data only to service providers ("processors") who help us run DriveHunt, under contracts that restrict them to our instructions:
| Recipient type | Purpose | Data involved |
|---|---|---|
| Push providers — Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). | Deliver notifications you opt into. | Push token, message content. |
| Sign-in providers — Apple, Google. | Authenticate you (Sign in with Apple / Google). | Login subject identifier; email if you share it. |
| App stores — Apple, Google. | Process in-app purchases and app distribution. | Purchase/receipt data (handled by the store). |
| Analytics processor. | Privacy-first product analytics, if you consent. | Usage events with no direct identifiers and no precise location. |
| Cloud hosting, storage & security (infrastructure, CDN/WAF). | Run and protect the service. | Data described in this policy, encrypted in transit and at rest. |
We may also disclose data where required by law, to protect our rights or user safety, or in connection with a corporate transaction (in which case this policy continues to govern your data). Children's data is never subject to "sale"/"sharing" and no third-party advertising SDKs run in the minor experience.
DriveHunt is a global service, and our providers may process data in countries other than yours. Where personal data is transferred out of the EEA, UK, or Türkiye, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and equivalent mechanisms under KVKK), together with technical protections like encryption in transit and at rest. You may request a copy of the relevant safeguards via privacy@appouse.com.
Every category of data has a defined retention window, enforced by automated deletion processes. Short-lived data expires quickly by design.
| Data | Retention |
|---|---|
| Account & identity | For the life of your account; deleted on request (minus any legal-hold exceptions). |
| Auth tokens / sessions | Access tokens are short-lived; refresh tokens rotate and are revoked on logout or deletion. |
| Consent records | Life of account plus an audit window. |
| Capture-derived signals | Kept only as needed for gameplay; minimized/aggregated. |
| Uploaded (redacted) capture media, if any | Short TTL; deleted after validation. |
| Dedup hashes | 24–72 hours; the salt is rotated. |
| Precise location | Minimal — coarsened or dropped after anti-cheat checks. |
| Analytics events | Time-boxed and aggregated. |
| Anti-cheat / integrity signals | Time-boxed for trust scoring. |
| Moderation & audit logs | Retained per legal and safety needs. |
| Purchase / financial records | Retained for the statutory financial-record period. |
We protect your data with defense-in-depth: TLS 1.3 in transit with certificate pinning in the app; AES-256 encryption at rest for databases, object storage, and backups; secrets and keys held in a managed key store with scheduled rotation (including the dedup HMAC salt and signing keys); secure on-device storage via the iOS Keychain / Android Keystore; device attestation; rate limiting; and server-authoritative game logic so a client can never fabricate rewards. No system is perfectly secure, but we design to minimize what we hold and to contain the impact of any incident. If a breach affecting your personal data occurs, we will notify the relevant authorities and affected users as required by law (for example, within 72 hours under the GDPR where feasible).
We provide the following rights to all users globally, regardless of where you live:
You can export your data and delete your account directly in the app (account deletion is available in-app, as required by Apple and Google). You can also email privacy@appouse.com. We verify the identity of the requester before acting, and we fulfill requests within the statutory windows (for example, within one month under the GDPR and within 45 days under the CCPA, each extendable where permitted). Parents and guardians may exercise these rights on a child's behalf.
We may update this policy as the product and the law evolve. When we make a material change, we will update the effective date above and, where the change affects how we process your data, prompt you in-app to re-consent to the new version. The app tracks which policy version you have accepted.
Questions, requests, or concerns about privacy:
This Privacy Policy is designed to be accurate to how DriveHunt actually works and to serve as the App Store "Privacy Policy URL" for the app.