Privacy Policy
Daily Adventure Box, Inc.
This Privacy Policy describes how DailyAdventureBox Inc. ("DAB," "we," "us," or "our") collects, uses, protects, and shares personal data when you access our mobile app, website (www.dailyadventurebox.com), Fund Adventure Portal, self-service lockers, or any related services (collectively, the "Services").
This policy is designed to comply with all applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and all other current and future state data privacy laws. This policy also meets Apple App Store and Google Play Store requirements for data transparency, user consent, and third-party sharing disclosures. Because DAB operates self-service lockers on U.S. military installations under federal contract, this policy also describes additional practices applicable to federal-installation rentals.
We collect precise geolocation only with your explicit permission and only when you actively use the locker-finder feature in the app. We do not track your location in the background. We do not maintain a continuous history of your physical movements. The only location data we retain in connection with your account is the locker you interacted with and the timestamp of that interaction. You may revoke geolocation permission at any time through your device settings; the core rental flow remains available by entering a locker ID manually.
DAB collects only the approximate Locker location data necessary to provide the Service. DAB applies operational-security (OPSEC) controls to personnel, contractor, and venue-specific information that may involve military or otherwise sensitive installations. DAB does not publish real-time location data and does not disclose any information prohibited from disclosure by a venue contract (including DAB's concession agreement with Marine Corps Community Services).
Payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 compliant processor. We do not store full credit card numbers, CVV codes, or bank account details. We receive payment metadata (last 4 digits, card type, expiration) and transaction records from Stripe.
If you use Face ID, Touch ID, or similar device biometrics to log in, the biometric template remains on your device. DAB does not receive, transmit, or store any biometric data.
We do not collect or display military rank, unit, duty station, security clearance, or other military-affiliation data unless you voluntarily provide it. We do not request or store Social Security Numbers from patrons. We do not collect data from children under 13.
We share limited data with the following service providers under data processing agreements (DPAs) and confidentiality terms:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, payment method, transaction amounts |
| Supabase, Inc. | Database, authentication, data storage (US region) | Account data, rental/ownership records, transactions, logs |
| Google LLC / Firebase | Analytics, social login, push notifications | Device info, usage metrics, auth tokens |
| Apple Inc. / Meta Platforms | Social login (optional) | Auth tokens, name, email (as authorized by you) |
| GitHub, Inc. | Public website and Fund Adventure Portal hosting (static) | No personal data stored |
We may also disclose personal data if required by law, court order, subpoena, or government investigation, or to protect the rights, property, or safety of DAB, our users, or the public.
Subprocessor changes: We will provide notice via in-app alert, email, or website notice before adding or changing a subprocessor that materially affects how your data is processed. The list above will be kept up to date.
DAB complies with all applicable state privacy laws nationwide, including those of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Nebraska, Kentucky, Maryland, Minnesota, and any state enacting privacy legislation hereafter. Rights generally include:
Contact support@dailyadventurebox.com to exercise any right. We respond within forty-five (45) days. If additional time is needed (up to 45 additional days), we will notify you of the extension and reason.
Our app may request access to camera, location, storage, notifications, and Bluetooth. These are used solely for locker access, rental tracking, and user experience. You may modify permissions in device settings at any time. Denying permissions may limit certain features but will not prevent use of core rental services.
We do not use advertising trackers or sell data to advertisers. Our Services do not currently respond to Do Not Track (DNT) browser signals, as no uniform standard exists.
We implement layered, industry-standard security measures designed to protect your information:
No system is fully immune to threats. We continuously test, monitor, and update our practices.
For your security and ours, we maintain logs of significant account events including: account creation, login, password and payment-method changes, data exports, account deletion requests, rental transactions, locker access events, and acceptance of legal documents (Terms, Privacy Policy, Safety and Liability Waiver). Each log entry includes a timestamp, the action taken, and identifying metadata (such as IP address and device identifier). Acceptance of legal documents is recorded with the version hash of the accepted document so we can prove which version you agreed to.
These logs are used to: detect and investigate fraud or unauthorized access, resolve disputes, comply with our contractual obligations on federal installations, and produce records in response to legitimate legal process. Logs are retained as described in Section 10.
In the event of a data breach affecting your personal information, DAB will: (a) notify affected users via email within seventy-two (72) hours of confirming the breach, or as otherwise required by applicable state or federal law; (b) notify applicable state authorities as required; (c) where applicable, notify our federal-installation contracting officer per our contractual obligations; and (d) provide information about the breach scope, data affected, and steps taken to mitigate harm.
North Carolina Identity Theft Protection Act. DAB complies with the North Carolina Identity Theft Protection Act, NCGS § 75-60 et seq. In the event of a security breach involving unencrypted personal information of a North Carolina resident, DAB shall provide notice to affected individuals and to the North Carolina Attorney General in the manner and within the timeframes required by NCGS § 75-65, in addition to any other state or federal notification obligation that applies.
If you opt in to SMS notifications, we may send transactional messages (rental confirmations, return reminders, late notices, account verification) and, if you separately opt in, occasional service updates. Message and data rates may apply. Reply STOP to unsubscribe at any time. Reply HELP for support. Push notifications use your device's native permission system; you may disable them at any time in device settings. We do not share your phone number with third parties for their marketing purposes.
When you rent equipment from a Daily Adventure Box locker located on a U.S. military installation, additional considerations apply:
The DAB Service is not directed to children under thirteen (13). DAB does not knowingly collect personal information from children under thirteen (13) within the meaning of the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., and its implementing regulations at 16 CFR Part 312.
When a parent or legal guardian rents Equipment for use by a minor, DAB collects information only from the renting adult. Information about the minor (for example, size or age range for equipment fit) is voluntarily supplied by the adult and is treated as information of the adult User of record, not of the minor.
If DAB becomes aware that it has inadvertently collected personal information from a child under thirteen (13), DAB shall delete such information promptly. Parents and legal guardians may contact support@dailyadventurebox.com to request removal. Adults who rent on behalf of minors remain responsible for compliance with all applicable child-safety, personal flotation device (PFD), and supervision requirements as described in our Terms and Conditions of Use.
Our Services are operated from and intended for use within the United States. Data will be transferred to and processed in the United States. By using our Services from outside the U.S., you consent to this transfer.
Verified data requests will be responded to within forty-five (45) days. If additional time is needed (up to 45 additional days), we will notify you of the extension and reason.
To report a suspected security vulnerability, suspicious account activity, or potential data exposure, please email support@dailyadventurebox.com with a subject line beginning "SECURITY:" so we can route it appropriately. We acknowledge verified vulnerability reports within five (5) business days and investigate promptly. We do not pursue legal action against researchers who follow good-faith responsible disclosure practices, including: limiting testing to your own accounts, not accessing or modifying other users' data, not degrading service availability, and giving us a reasonable opportunity to remediate before public disclosure.
Information supplied by independent Field Technicians through the DAB Contractor Portal (including vehicle information, insurance certificates, route and work-order data, and identity verification data) is processed under this Privacy Policy and under the Contractor Portal Terms.
Information supplied by investors through the DAB Fund Adventure Portal (including accredited-status representations, bank and tax information, and identity-verification data) is processed under this Privacy Policy and under the Fund Adventure Portal Terms. Investor bank and tax information is transmitted through PCI DSS and SOC 2 compliant processors and is not retained by DAB in plaintext beyond the minimum period required for tax, payment, and compliance purposes described in Section 10.
This Privacy Policy is available in accessible format upon request under the Americans with Disabilities Act, 42 U.S.C. § 12101 et seq. Contact DAB at the address in Section 15 to request an accessible copy, an alternative-format version, or any other reasonable accommodation needed to review, understand, or exercise your rights under this Privacy Policy.
You consent to the use of electronic signatures and electronic records for this Privacy Policy, any privacy-related consent you provide to DAB, and any data-subject request you submit, pursuant to the federal Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001 et seq., and the North Carolina Uniform Electronic Transactions Act (UETA), NCGS § 66-311 et seq. Electronic assent via click-through, tap-to-accept, or a digital-signature platform constitutes a signed writing for all purposes under this Privacy Policy. You may withdraw this consent by contacting support@dailyadventurebox.com; withdrawal does not affect the legal validity of records executed electronically prior to withdrawal.
We may update this policy by revising the "Last Updated" date. Material changes require advance notice via app alert, email, or prominent website notice. Continued use after notice constitutes acceptance.