This Privacy Policy explains how What's Rolling?™ ("we", "us", or "our") collects, uses, and protects information when you use our platform at whatsrolling.com (the "Service"). By using the Service you agree to the practices described here.
We are not a data broker. We collect only what we need to operate the Service. We do not sell your personal information to third parties, and we do not use your personal information for targeted advertising.
Account information. When you create an account we collect your email address and a password (stored as a secure hash). Vendors additionally provide a business name, tagline, description, phone number, cuisine tags, home base, and optional website and social media links. If you sign up with Google, we receive your email address from Google but never your password.
Precise location. If you tap the GPS button on the Discover page or grant browser geolocation when prompted, we store your most recent latitude and longitude on your account, along with a timestamp. We use this to (a) show you nearby trucks on Discover, (b) send "a truck just rolled up near you" push notifications within the radius you choose in your notification settings, and (c) resolve a city when you haven't typed one. You can clear your stored location at any time via the "Clear location" action on Discover, or withdraw browser permission through your device settings. Vendors provide location data when they post a stop — these coordinates are the public stop location.
Neighborhood. Customers can optionally provide a neighborhood or subdivision name in their account settings. We use this text string only to match you when a truck rolls into a neighborhood you've opted in to. It is not shared publicly and is not precise coordinates.
Wave Me Down — street name only. When a customer uses the Wave Me Down feature, only the street name is shared with the vendor (e.g. "Oak St"). Your house number and full address are never collected or transmitted.
Booking requests. When you submit a booking request to a vendor, the name, email, phone number, event name, event date/time, venue or address, expected attendance, budget, and notes you provide are stored on the booking and shared with the selected vendor so they can accept, decline, reschedule, or contact you about the event. Vendors receive this information by email and through their vendor dashboard.
Push notification subscription. If you opt in to push notifications we store a push subscription token issued by your browser. We use it solely to deliver notifications you have requested. Quiet hours and per-category preferences you set are also stored on your account. You can revoke this at any time in your account settings.
Follows, reviews, and flags. When you follow a vendor, leave a review, or use Wave Me Down, we store that interaction on your account. Reviews are public; follows are counted but the list of your followed vendors is private.
Profile photos. Vendor-uploaded company logos, truck photos, and cover photos are stored in Amazon S3 via our ActiveStorage integration. These images are public content shown on your vendor page.
Account security metadata. To protect against unauthorized access we store standard authentication metadata on your account: sign-in count, last-sign-in IP address, failed-login counts (for account lockout), and timestamps for session events. This is retained while your account is active.
Usage data. We collect standard server logs (IP address, browser type, pages visited, timestamps) for security, performance monitoring, and debugging. These are retained for up to 90 days and are not used for advertising or profiling.
Cookies and local storage. We use cookies to maintain your signed-in session and for CSRF protection. We use browser localStorage and sessionStorage to remember small UI preferences (e.g. dismissed prompts, most recent truck selection). We do not use third-party tracking cookies, cross-site advertising pixels, or behavioral targeting.
We do not use your data for targeted advertising and we do not share it with advertisers.
Vendors can see: their total follower count (not the list); the public content of reviews left under your account; the name, email, phone, and details you provide on a booking request; and — if you use Wave Me Down — only your street name.
Other customers can see: your public profile photo (if any) and any reviews you post. Your email, phone, precise location, and followed-vendor list are never shown to other customers.
We use a small number of third-party services to operate the platform. These services act as processors for specific functions and do not receive your full profile:
We do not use Facebook Pixel, TikTok pixel, or any other behavioral-advertising tracking service.
We retain your account data for as long as your account is active. If you delete your account, we remove your personal information from our database within 30 days — this includes your stored location, neighborhood, push subscription, follows, reviews, flag-downs, bookings, and notifications. Exceptions: we may retain minimal data required for legal, tax, accounting, or fraud-prevention purposes.
Server logs (IP, request metadata) are retained for up to 90 days. Third-party services (Cloudflare, Resend, AWS, Google Analytics) retain their own records per their respective retention policies, which are not governed by this document.
Depending on where you live you may have the right to:
California residents (CCPA/CPRA). You have the right to know what personal information we collect, to request deletion, and to opt out of any sale or sharing of personal information for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context advertising. To exercise your rights, contact us at the email below.
To submit a data request, email us at [email protected]. We will respond within 30 days.
The Service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
We use HTTPS encryption for all data in transit and store passwords using industry-standard hashing (bcrypt). We use account lockout after repeated failed login attempts. No method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security.
We may update this policy from time to time. We will notify registered users of material changes by email or by a notice on the Service. The effective date at the top of this page will always reflect the current version.
Questions or requests about this policy:
[email protected]
What's Rolling?
Josephine, TX
This policy should be reviewed by a qualified attorney before relying on it as legal compliance. Links to third-party policies are provided for convenience and we are not responsible for their content.