Dashlight Fuel LLC (“Dashlight Fuel,” “we,” “our”) operates an on-demand fuel delivery service in the Collierville, TN area. This policy explains what information we collect when you use the website (dashlightfuel.com), the customer app (Dashlight Fuel), the driver app (Dashlight Driver), and our backend services, and how we use and protect that information.
1. Information we collect
1.1 Account information
When you create an account we collect your name, email, phone number, and a password (stored only as a bcrypt hash, never in plain text). Drivers also provide a driver’s license number, which we verify and retain for regulatory and insurance purposes. Account data is encrypted at rest in our database.
1.2 Vehicles and addresses
Customers add the vehicles they want fueled (year, make, model, color, license plate, fuel grade) and the addresses where deliveries take place. Addresses are geocoded via Amazon Location Service so we can confirm they fall inside our service area and route drivers to them.
1.3 Location data (driver app only)
The driver app collects GPS location only while a driver is on an active delivery, so the customer can see the driver’s position on a live map. Location updates are broadcast every 30 seconds, cached for 120 seconds in our backend, and stop the moment the driver marks the delivery complete or cancels. The customer app does not collect device location at all. iOS Background App Refresh for the driver app is used solely for this delivery-time tracking.
1.4 Push notification tokens
When you grant push permission, we receive a push token from Apple (APNs) or Google (FCM, via Firebase Cloud Messaging). We use this token to send transactional notifications about your order. We do not use it for marketing.
1.5 Biometric authentication
If you opt in to Face ID, Touch ID, or fingerprint unlock, the biometric template never leaves your device. We only see a yes/no result of the local match. The encrypted refresh token stays inside the device’s secure enclave until the local biometric check passes.
1.6 Payment and subscription information
Card numbers and CVVs are handled exclusively by Stripe, our PCI-compliant payment processor. We never store card numbers on our servers. For each customer we store a Stripe Customer ID and, for each saved card, a tokenized payment-method reference plus the card brand, last four digits, expiration month and year, optional nickname, and optional billing ZIP. This is what lets you recognize the card on the payment screen.
Membership is billed through Stripe Billing on a recurring monthly subscription. We store the Stripe Subscription ID, the current billing period, the subscription status (active, past due, canceled, etc.), the number of vehicles on the plan, and a reference to your most recent invoices. Invoice line items and PDFs are hosted by Stripe; we link to them from the app and the admin dashboard but do not host them ourselves.
1.7 Delivery photos
When a driver completes a delivery, the driver app captures two photos: the open fuel door on the vehicle and the pump display showing gallons delivered. These photos are stored in Amazon S3 (encrypted at rest, private bucket, signed-URL access only) and attached to the order. You can view them on your order receipt. They are used for delivery verification, dispute resolution, and internal training. Photos are deleted when the underlying order record is deleted (see section 4 on retention).
1.8 Operational data
We log every order action (create, cancel, status change, payment intent) along with the IP address and user-agent of the device that made the request. We use this for security, fraud prevention, and customer support.
2. How we use your information
- To deliver the service: confirm orders, dispatch drivers, route to your address, charge your card on completion.
- To send transactional notifications: order confirmation, driver-on-the-way push, delivery complete receipt.
- To prevent fraud and abuse: log unusual sign-ins, detect failed payment loops, enforce service-area boundaries.
- To improve the service: analyze aggregated usage patterns, debug crashes (via Sentry, see below).
- To comply with legal obligations: tax records, fuel-handling regulations, lawful requests.
3. Who we share information with
We share only the minimum necessary with these processors:
- Stripe: payment processing for one-time orders and Stripe Billing for the monthly membership subscription. Stripe receives your card details directly through their iOS/Android SDK; we never see them. Stripe also stores your invoice history and subscription record.
- Twilio: outbound SMS notifications.
- AWS SES: outbound transactional email (registration, password reset, order receipts, account-deletion confirmation).
- Expo Push / Apple APNs / Google FCM: push notification delivery to your device.
- Amazon Location Service: address geocoding, autocomplete, and route calculation. We send the address string or driver / destination coordinates; AWS returns coordinates, suggestions, or a route.
- Amazon S3: storage of delivery photos (fuel door and pump display) captured by the driver at completion.
- Apple MapKit (iOS) and Google Maps SDK (Android): tile rendering for the in-app map. The map provider receives the tile coordinates needed to render the visible area. The customer app does not send your device location; only the address you have selected is shown.
- Sentry: crash and error reports from the apps. Reports include a stack trace, app version, device model, OS version, and the screen you were on. We disable Sentry’s automatic PII collection and never attach your name, email, phone, address, or card details to a report.
- Drivers: when a driver is assigned to your delivery, they see your name, vehicle, and the delivery address until the order is complete or cancelled.
We do not sell your information. We do not share it with advertisers. We do not run third-party analytics SDKs in the apps.
4. Data retention
Account and order records are retained for the life of your account plus seven years for tax and legal compliance. Operational logs (IP addresses, user-agents, location pings) are retained for 13 months and then deleted. Push tokens are deleted when you log out or deny notification permission.
5. Security
Passwords are hashed with bcrypt. Refresh tokens stored on-device are protected by the platform secure enclave (iOS Keychain with Face/Touch ID, Android Keystore with biometric authentication). All API traffic uses HTTPS with TLS 1.2 or later. Database backups are encrypted at rest. We follow the principle of least privilege for internal access.
6. Your rights
- Access: see a copy of the information we hold about you. Email us.
- Correct: update name, email, phone, vehicles, and addresses directly in the app at any time.
- Delete: see Account Deletion for the request flow and timeline.
- Portability: request a machine-readable export of your account data.
Residents of California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and the EU/UK (GDPR) have additional rights, including the right to opt out of any sale of personal information (we do not sell), object to processing, and lodge a complaint with their supervisory authority. To exercise any of these rights, email us at privacy@dashlightfuel.com.
7. Children’s privacy
Dashlight Fuel is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe we have, contact us and we will delete the data promptly. Separately, our Terms of Service require all account holders to be at least 18 years old.
8. Changes to this policy
We will update the date at the top of this page when we make material changes and, where required, notify you in the app or by email before the changes take effect.
9. Contact
Privacy questions and rights requests: privacy@dashlightfuel.com
General support: support@dashlightfuel.com
Mailing address: Dashlight Fuel LLC, Collierville, TN 38017