DriveHunt
Features Privacy Terms Get the app
Back to home

Privacy Policy

Effective date: 9 July 2026  ·  Version: 1.0  ·  Applies to the DriveHunt mobile app and this website.

On this page

  1. Who we are
  2. Privacy at a glance
  3. Data we collect
  4. Camera, captures & PII redaction
  5. License plates & dedup
  6. Location & geofencing
  7. How we use data & legal bases
  8. Consent
  9. Children & age
  10. Sharing & third parties
  11. International transfers
  12. Data retention
  13. Security
  14. Your rights
  15. Exercising your rights
  16. Changes
  17. Contact

DriveHunt is a location-based mobile game in which you use your phone's camera to spot real-world vehicles and collect original, illustrated Ride Cards. Because the game uses the camera and location, we hold ourselves to the strictest global privacy standard. This policy explains, in plain language, exactly what we collect, why, how we protect it, and the rights you have. Our practices are built to satisfy the EU/EEA GDPR, Türkiye's KVKK, California's CCPA/CPRA, and children's privacy rules including COPPA and age-appropriate design codes.

The short version: Vehicle detection runs on your device, and most captures never leave your phone. Faces, pedestrians, license plates, and house numbers are blurred on-device before any upload. We never store raw license-plate images or plate text. We use coarse (rounded) location for gameplay. We do not sell your data, and you can access, export, or delete your data at any time.

1. Who we are

DriveHunt is operated by Appouse ("Appouse", "we", "us", or "our"), established in Türkiye. Appouse is the data controller responsible for the personal data processed through the DriveHunt app and this website (drivehunt.appouse.com).

For any privacy question or to reach our Data Protection Officer (DPO), contact privacy@appouse.com. General enquiries: hello@appouse.com.

2. Privacy at a glance

  • Data minimization first. We collect the least data needed to run the game, prefer on-device processing, and delete early.
  • On-device by default. Camera and vision inference run on the device; the server usually receives only derived signals (generic attributes, quality scores, irreversible hashes, coarse location) — not your raw imagery.
  • One global standard. We apply GDPR/KVKK-grade privacy and rights to everyone, not just users in a particular region.
  • No sale, no behavioral ads. We do not sell or "share" (as defined by CCPA/CPRA) your personal information, and DriveHunt does not run behavioral advertising.
  • You are in control. Camera, location, analytics, and notifications are each independently consented, and every consent is revocable.

3. Data we collect

We collect only what the game needs. The categories below reflect our actual data flows.

CategoryExamplesHow it is collected
Account & identity A user identifier, the subject identifier from your social login, and (if provided) your email and display name. When you sign in with Sign in with Apple or Google. We prefer passwordless/social sign-in so we do not hold passwords.
Coarse location A rounded location "bucket" used for the map and gameplay. From your device, with your consent, while you play.
Precise location (spot moment only) The coordinates at the instant you Spot a vehicle. Captured only at the moment of a Spot, used briefly for anti-cheat/duplicate checks, then coarsened or dropped.
Capture-derived signals Generic, non-branded visual attributes (e.g. vehicle type, body style, coarse size/segment, dominant color) and capture quality/liveness scores. Computed on your device from the camera; only these derived signals are typically sent to us, not raw photos.
Gameplay data Your Sightings, owned Ride Cards, Garage, progression (Collector Level, Discovery Points), currencies, trades, races, missions, and achievements. Generated as you play.
Dedup hashes A short-lived, irreversible keyed hash plus a coarse geobucket — see Section 5. Computed on-device to prevent duplicate-farming; the raw input is destroyed immediately.
Device & integrity Device/session identifiers, app version, OS, and app-attestation results (Apple App Attest / DeviceCheck). To secure your account and detect cheating and tampered clients.
Analytics (optional) Privacy-first usage events. Analytics payloads carry no direct identifiers and no precise location. Only if you consent; separately toggleable and revocable.
Push tokens (optional) An APNs (iOS) or FCM (Android) push token. Only if you enable notifications.
Support & reports Messages you send us, and reports you file (content, behavior, or restricted-zone reports). When you contact us or use in-app reporting.
Purchase records In-app purchase receipts and transaction records (no card numbers — payments are handled by the app store). If you make a purchase through Apple/Google billing.

4. Camera, captures & on-device PII redaction

The camera is used only for on-device vehicle detection during play. We ask for camera permission just-in-time — the first time you try to Spot — not at install.

Camera-based play can incidentally capture bystanders, plates, and homes, so we protect against that on the device, before anything is uploaded:

  • We blur or mask faces, pedestrians, license plates, and house/building numbers (and other detected PII) on-device before any frame could ever leave your phone.
  • Most captures are processed entirely on-device and are never uploaded. When a redacted image is uploaded for selective server verification (or if you opt in to donate data), a server-side re-scan runs as a second layer of protection before storage, and the media is kept only for a short time and deleted after validation.
  • Moderators only ever see redacted media and derived signals — never raw PII.

DriveHunt does not identify the make, model, or brand of real vehicles, and it never shows you a real brand. It reads only generic visual attributes on-device and maps them to its own original, fictional Archetypes.

5. License plates & duplicate detection

We never store raw license-plate images or OCR'd plate text — anywhere.

To stop players from "farming" the same parked vehicle over and over, we need a way to tell whether two Sightings are the same vehicle. We do this without building any plate database:

  • On your device, the app computes an HMAC (keyed hash) of a normalized plate token using a server-rotated secret salt.
  • Only the irreversible hash — plus a coarse geobucket — is transmitted, with a short time-to-live of roughly 24–72 hours.
  • The raw plate token is destroyed in device memory immediately; it is never written to storage or transmitted.

Because the salt rotates and the hash expires quickly, the same plate produces different hashes over time. This means no persistent, cross-time registry of vehicles or people can be built from what we store. This design gives us just enough signal to prevent farming while making it impossible to reconstruct a surveillance dataset.

6. Location & geofencing

  • Coarse by default. General gameplay and the map use rounded, coarse location.
  • Precise only at the Spot moment. We capture precise coordinates only at the instant you Spot a vehicle, use them briefly for anti-cheat and duplicate checks, and then coarsen or drop them.
  • Restricted Zones. Spotting is disabled inside sensitive areas — including military zones, government/defense buildings, embassies and consulates, places of worship, schools, hospitals, prisons, critical infrastructure, and other private or restricted areas. This is enforced on the server, so it cannot be bypassed by a modified app.
  • Don't play & drive. Above driving speeds, spotting is limited or disabled, and a "I am not the driver" passenger confirmation is required before play resumes. Spotting at vehicular speed earns nothing.
  • No background tracking by default. We do not use background location unless a specific feature truly requires it; if that ever changes, it will be separately disclosed and consented, and justified to the app stores.

7. How we use data, and our legal bases

Under the GDPR/KVKK, every processing activity has a lawful basis. We use your data to:

PurposeData usedLegal basis (GDPR)
Provide the game — accounts, Spotting, Ride Cards, Garage, racing, trading, progression.Account, gameplay, capture-derived signals, coarse location.Performance of a contract (Art. 6(1)(b)).
Camera-based Spotting and on-device redaction.Camera (on-device), capture-derived signals.Consent (Art. 6(1)(a)) for camera access; contract for the resulting gameplay.
Precise location at the Spot moment.Precise coordinates (transient).Consent, and legitimate interest in anti-cheat/fairness (Art. 6(1)(f)).
Prevent farming, cheating, fraud, and abuse; keep the economy fair.Dedup hashes, device/integrity signals, precise location (transient).Legitimate interest (Art. 6(1)(f)).
Safety — restricted-zone and speed enforcement.Location.Legitimate interest in player safety; legal/ethical obligation.
Product analytics and improvement.Privacy-first analytics events (no PII, no precise location).Consent (Art. 6(1)(a)).
Notifications.Push token.Consent (Art. 6(1)(a)).
Support, moderation, and dispute resolution.Reports, messages, audit logs.Legitimate interest; legal obligation where applicable.
Purchases and financial records.IAP receipts, transactions.Contract; legal obligation (tax/finance).

We practice purpose limitation: data collected for one purpose (for example, anti-cheat) is not repurposed for another (for example, marketing) without a new, appropriate legal basis.

8. Consent

Consent in DriveHunt is granular and unbundled. Camera, location, analytics, and notifications are each requested separately, with plain-language purpose text, and none are pre-checked. We ask contextually — for example, camera permission the first time you Spot.

Each consent is as easy to withdraw as it is to give, and withdrawal takes effect immediately (for example, withdrawing analytics consent stops event collection). We keep a record of your consent choices — including the policy version you saw and when — to honor GDPR/KVKK's demonstrable-consent requirement. Declining optional consents (analytics, notifications) never degrades the core game.

9. Children & age

DriveHunt is intended for players aged 13 and over. At signup we present a neutral age gate (a date-of-birth / age prompt that does not nudge you toward a higher age).

Where a market or age requires it, accounts for minors require verifiable parental consent before processing, and get child-safe defaults: no open chat, no free-form trading with strangers, restricted social features, no behavioral advertising, tightened data minimization, and shorter retention. Parents or guardians can review a child's data, disable social/trade/location features, set play-time boundaries, and request access or deletion on the child's behalf. We do not knowingly collect personal data from children under 13; if we learn we have, we delete it. To make such a request, contact privacy@appouse.com.

10. Sharing & third parties

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising (as those terms are used under CCPA/CPRA). We disclose data only to service providers ("processors") who help us run DriveHunt, under contracts that restrict them to our instructions:

Recipient typePurposeData involved
Push providers — Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM).Deliver notifications you opt into.Push token, message content.
Sign-in providers — Apple, Google.Authenticate you (Sign in with Apple / Google).Login subject identifier; email if you share it.
App stores — Apple, Google.Process in-app purchases and app distribution.Purchase/receipt data (handled by the store).
Analytics processor.Privacy-first product analytics, if you consent.Usage events with no direct identifiers and no precise location.
Cloud hosting, storage & security (infrastructure, CDN/WAF).Run and protect the service.Data described in this policy, encrypted in transit and at rest.

We may also disclose data where required by law, to protect our rights or user safety, or in connection with a corporate transaction (in which case this policy continues to govern your data). Children's data is never subject to "sale"/"sharing" and no third-party advertising SDKs run in the minor experience.

11. International data transfers

DriveHunt is a global service, and our providers may process data in countries other than yours. Where personal data is transferred out of the EEA, UK, or Türkiye, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and equivalent mechanisms under KVKK), together with technical protections like encryption in transit and at rest. You may request a copy of the relevant safeguards via privacy@appouse.com.

12. Data retention

Every category of data has a defined retention window, enforced by automated deletion processes. Short-lived data expires quickly by design.

DataRetention
Account & identityFor the life of your account; deleted on request (minus any legal-hold exceptions).
Auth tokens / sessionsAccess tokens are short-lived; refresh tokens rotate and are revoked on logout or deletion.
Consent recordsLife of account plus an audit window.
Capture-derived signalsKept only as needed for gameplay; minimized/aggregated.
Uploaded (redacted) capture media, if anyShort TTL; deleted after validation.
Dedup hashes24–72 hours; the salt is rotated.
Precise locationMinimal — coarsened or dropped after anti-cheat checks.
Analytics eventsTime-boxed and aggregated.
Anti-cheat / integrity signalsTime-boxed for trust scoring.
Moderation & audit logsRetained per legal and safety needs.
Purchase / financial recordsRetained for the statutory financial-record period.

13. Security

We protect your data with defense-in-depth: TLS 1.3 in transit with certificate pinning in the app; AES-256 encryption at rest for databases, object storage, and backups; secrets and keys held in a managed key store with scheduled rotation (including the dedup HMAC salt and signing keys); secure on-device storage via the iOS Keychain / Android Keystore; device attestation; rate limiting; and server-authoritative game logic so a client can never fabricate rewards. No system is perfectly secure, but we design to minimize what we hold and to contain the impact of any incident. If a breach affecting your personal data occurs, we will notify the relevant authorities and affected users as required by law (for example, within 72 hours under the GDPR where feasible).

14. Your rights

We provide the following rights to all users globally, regardless of where you live:

  • Access — know what personal data we hold about you.
  • Portability / export — receive your data in a portable format.
  • Rectification — correct inaccurate data.
  • Deletion / right to be forgotten — delete your account and data (subject to limited legal-hold exceptions such as financial records).
  • Restriction & objection — restrict or object to certain processing based on legitimate interests.
  • Withdraw consent — at any time, for any consent-based processing, without affecting prior lawful processing.
  • Opt out of "sale"/"sharing" (CCPA/CPRA) — we do not sell or share your data, and we honor this right regardless.
  • Non-discrimination — we will not penalize you for exercising your rights.
  • Complain — you may lodge a complaint with your data protection authority, including Türkiye's KVKK Board or your EU/EEA supervisory authority.

15. How to exercise your rights

You can export your data and delete your account directly in the app (account deletion is available in-app, as required by Apple and Google). You can also email privacy@appouse.com. We verify the identity of the requester before acting, and we fulfill requests within the statutory windows (for example, within one month under the GDPR and within 45 days under the CCPA, each extendable where permitted). Parents and guardians may exercise these rights on a child's behalf.

16. Changes to this policy

We may update this policy as the product and the law evolve. When we make a material change, we will update the effective date above and, where the change affects how we process your data, prompt you in-app to re-consent to the new version. The app tracks which policy version you have accepted.

17. Contact us

Questions, requests, or concerns about privacy:

  • Privacy & Data Protection Officer: privacy@appouse.com
  • General enquiries: hello@appouse.com
  • Controller: Appouse, Türkiye.

This Privacy Policy is designed to be accurate to how DriveHunt actually works and to serve as the App Store "Privacy Policy URL" for the app.

DriveHunt

Spot real-world vehicles and collect original Ride Cards. A privacy-first, brand-safe discovery game. Coming to iOS.

Product

  • Features
  • How it works
  • Privacy & safety

Legal & contact

  • Privacy Policy
  • Terms of Service
  • hello@appouse.com
© 2026 Appouse · DriveHunt. All rights reserved. DriveHunt is not affiliated with, endorsed by, or sponsored by any real automotive manufacturer or brand. All vehicle names and artwork are original fiction.