Privacy Policy

Who We Are

Rivian Is Driven is a community experience platform operated by Jeff Jack, based in California, United States. This platform is an independent project and is not affiliated with, endorsed by, or sponsored by Rivian Automotive, Inc.

This Privacy Policy describes how we collect, use, protect, and share your personal information when you use the Rivian Is Driven platform (“rivianisdriven.com” and all associated services, collectively the “Service”). We are committed to protecting your privacy and handling your data with transparency and care.

Information We Collect

Information you provide directly: Account registration data (name, email address); profile information (phone number, vehicle ownership details, archetype results); camp registration details (emergency contact, dietary restrictions, vehicle identification); vehicle build configurations (model, pack, color, accessory selections); community content (messages, photos, event feedback); and communications with our team.

Information collected automatically: Usage data (pages visited, features used, quiz interactions, time spent on pages); device information (browser type, operating system, screen resolution); network information (IP address for approximate geographic region — not precise location); referral source (how you found the platform); and performance data (page load times, errors encountered).

Quiz data processing: Your archetype quiz responses are processed primarily client-side in your browser. The quiz engine calculates your archetype match locally. We store your final result (archetype assignment and category scores) if you create an account, but individual question responses are not retained on our servers unless you opt in to help improve the quiz system.

What we do NOT collect: Social Security numbers or government-issued ID numbers; banking credentials, credit card numbers, or financial account details (payment processing is handled entirely by our payment provider); biometric data; precise geolocation (GPS coordinates) without explicit consent; data from other apps on your device; contacts or address books; or any data from children under 13.

How We Use Your Information

Core service delivery: Deliver archetype quiz results and vehicle configuration recommendations; manage camp event registrations, communications, and logistics; enable convoy trip coordination and real-time status features; maintain your profile, saved builds, and community interactions; and send transactional communications (registration confirmations, event updates, account notifications).

Service improvement: Analyze anonymized, aggregated usage patterns to improve the platform experience; identify and fix technical issues; develop new features based on how the community uses the Service; and refine archetype accuracy through anonymized quiz completion data.

Communications: Send event-related updates you have opted into (camp announcements, new archetype content, community highlights); deliver transactional emails (password resets, registration confirmations, safety notices); and notify you of material changes to our Terms or Privacy Policy.

How we do NOT use your data: We never use your data for advertising or ad targeting; we never sell, rent, or trade your personal information to any third party; we never use your data to train machine learning models outside of our Service; we never share your data with data brokers or marketing partners; and we never use your archetype results or vehicle preferences to influence recommendations based on financial arrangements with any vehicle manufacturer or dealer.

Cookies & Tracking Technologies

Essential cookies (required, cannot be disabled): Authentication session cookies that maintain your logged-in state; CSRF protection tokens that prevent cross-site request forgery; cookie consent preference (your choice is stored in localStorage with a versioned schema including choice, timestamp, and version number); and theme preference (dark/light mode selection).

Analytics cookies (optional, require your consent): When you choose “Accept All” on our cookie banner, we use privacy-focused analytics to understand how the platform is used. Analytics data is aggregated and not personally identifiable. You can change your preference at any time by clearing your browser’s localStorage for our domain.

What we do NOT use: Third-party advertising cookies or tracking pixels; cross-site tracking or retargeting; social media tracking scripts or share buttons that transmit data; browser fingerprinting beyond standard cookies; any form of supercookie, evercookie, or persistent tracking mechanism; or hidden iframes, web beacons, or pixel tags for third-party data collection.

Data Sharing & Third Parties

We do not sell your personal information. We will never sell your data. This is a core commitment, not a legal formality.

Service providers who help us operate the platform (all bound by data processing agreements requiring confidentiality, security, and data deletion upon termination): Vercel (hosting and deployment — United States); Supabase (database, authentication, and real-time features — United States, AWS infrastructure); Resend (transactional email delivery — United States); Cloudinary (image optimization and delivery — United States); and QR code generation is performed client-side and does not transmit data to any third party.

We may disclose your information if required to do so by law, subpoena, court order, or legal process; if we believe disclosure is necessary to protect our rights, your safety, or the safety of others; or in connection with an investigation of fraud, intellectual property infringement, or other illegal activity.

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service prior to any such transfer and any changes to this Privacy Policy.

Data Security

Encryption: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Data at rest in our database is encrypted using AES-256 encryption provided by our infrastructure partner (Supabase/AWS).

Authentication: User authentication is handled through Supabase Auth with secure session management. Password-based accounts use bcrypt hashing. Magic link tokens are single-use and expire within 1 hour. All authentication events are logged for security monitoring.

Infrastructure: Our application is hosted on Vercel’s enterprise infrastructure with built-in DDoS protection, automatic SSL certificate management, and edge network distribution. Our database runs on Supabase’s managed PostgreSQL service with automated daily backups and point-in-time recovery capabilities.

Application security: All API endpoints validate input using schema validation. File uploads are restricted by type and size. Role-based access control (RBAC) enforces the principle of least privilege across 6 permission tiers (Owner, Admin, Crew Lead, Driver, Volunteer, Viewer). Cross-site request forgery (CSRF) protection is enabled on all state-changing operations.

Incident response: We monitor for security incidents and unauthorized access attempts. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery via email, with details of what data was affected, what we are doing to address it, and what steps you can take to protect yourself.

Your Rights

Regardless of your location, you have the right to: Access the personal data we hold about you; export your data in a portable format (JSON or CSV); request correction of inaccurate data; request deletion of your data; opt out of non-essential communications at any time; withdraw cookie consent at any time; and request information about what data we share and with whom.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to opt out of the sale of personal information (we never sell your data); and the right to non-discrimination for exercising your privacy rights. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.

European residents (GDPR): You have the right to access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and objection. Our legal bases for processing are: contractual necessity (providing the Service you signed up for), legitimate interest (improving the Service and preventing fraud), and consent (for optional analytics and marketing communications). You may lodge a complaint with your local data protection authority.

To exercise any of these rights, contact: privacy@rivianisdriven.com. We will respond to all requests within 30 days. Complex requests may require up to 60 additional days, in which case we will notify you of the extension and the reason.

Data Retention

Active accounts: Your data is retained for as long as your account is active and the Service is operational, or as needed to provide you with the Service features you use.

Deleted accounts: Upon account deletion, your personal data is removed from active database systems within 30 days. Encrypted backups containing your data are purged within an additional 30 days. Anonymized, aggregated analytics data (which cannot be used to identify you) may be retained indefinitely.

Camp event data: Records of Camp registrations, attendance, and safety incidents may be retained for up to 7 years for liability and insurance purposes, even after account deletion. This data will be minimized to what is legally necessary.

Legal requirements: We may retain certain data beyond the standard retention periods if required by law (e.g., tax records, legal proceedings) or to resolve disputes.

Inactive accounts: Free accounts that have been inactive for 12 months will receive a notification. If no activity occurs within 30 days of notification, the account and associated data will be deleted.

Children’s Privacy

The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. Camp events are designed for adult Rivian owners, though family members (including minors) may attend certain Camp events under the supervision and responsibility of their parent or legal guardian.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at privacy@rivianisdriven.com and we will promptly delete such information.

International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States where our servers and service providers are located.

For users in the European Economic Area, United Kingdom, or Switzerland: We rely on Standard Contractual Clauses approved by the European Commission for the transfer of personal data to the United States. Our service providers maintain appropriate certifications and data protection agreements.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated through: prominent notice on the Service, email notification to registered users, and at least 30 days’ advance notice before the changes take effect.

The “Last updated” date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.

Contact Us

For privacy inquiries and data subject requests: privacy@rivianisdriven.com

For general legal questions: legal@rivianisdriven.com

For security concerns or vulnerability reports: security@rivianisdriven.com

Mailing address: Rivian Is Driven, Inglewood, California, United States.

We aim to respond to all inquiries within 5 business days.