1 Purpose & Scope
These Policies establish binding obligations that govern every aspect of the sale, fulfillment, transport, and delivery of alcoholic beverages through the “Drify” mobile and web applications (collectively, the “Platform”) operated by Drify LLC, a California limited‑liability company headquartered at 555 Alvarado St., Suite 300, Union City, CA 94587.
Unless otherwise stated, these Policies apply to:
- Corporate Personnel — W‑2 employees, officers, and managers of Drify;
- Drivers — independent contractor couriers accessing the Platform;
- Merchants — licensed retailers, restaurants, or manufacturers listing products; and
- Customers — end‑users purchasing alcohol via the Platform.
Hierarchy of Authority: Where a conflict exists, (i) federal law supersedes state law; (ii) state law supersedes local ordinances; (iii) the stricter legal provision or contractual term prevails; and (iv) these Policies prevail over any conflicting internal guideline or FAQ.
2 Definitions
| Term | Definition |
|---|---|
| Alcohol | Any beverage containing ≥ 0.5% alcohol by volume (ABV) including beer, wine, cider, spirits, premixed cocktails, and ready‑to‑drink (RTD) products. |
| Legal Age | Twenty‑one (21) years of age or older under 27 U.S.C. § 214 and Cal. Bus. & Prof. Code § 25658. |
| Valid ID | Unexpired, government‑issued identification bearing photograph, name, and Date‑of‑Birth (“DOB”) or a California DMV Mobile Driver’s License (mDL) accepted under Cal. Veh. Code § 12800.15. |
| RBS Certification | Responsible Beverage Service training mandated by Cal. Bus. & Prof. Code §§ 25680‑25686. |
| “Type 77” License | California ABC “Non‑storefront Retail”/Delivery Network permit authorizing third‑party alcohol deliveries. |
| Sensitive Data | Personally identifiable information (“PII”), payment card data subject to PCI‑DSS, scanned ID images, geolocation logs, or any data protected by CCPA/CPRA. |
| Force Majeure Event | Acts of God, war, civil commotion, labor strike, pandemic, earthquake, wildfire, or governmental order rendering performance illegal or impossible. |
3 Legal & Regulatory Hierarchy
Federal
- 27 U.S.C. Chapter 8 (Federal Alcohol Administration Act).
- 49 C.F.R. Part 392 (alcohol transport in commercial vehicles).
California State
- California ABC Act (Cal. Bus. & Prof. Code §§ 23000‑25762).
- Cal. Code Regs. Title 4.
- SB 389 (2021), AB 1554 (2024) governing third‑party delivery & digital ID.
Local
Union City Municipal Code Chapter 5.40, plus any county zoning laws.
Contractual
Merchant Agreement, Driver Agreement, and Customer Terms of Service.
Drify’s Legal Department maintains a “RegMap” matrix that cross‑references statutory sections to each policy control (available to regulators upon written request).
4 Corporate Licenses & Permits
| License | Issuer | Number | Expiration | Renewal Lead Time |
|---|---|---|---|---|
| Type 77 Delivery Network | CA ABC | 77‑DN‑94587 | 12‑Dec‑2025 | 90 days |
| Seller’s Permit | CA Dept. of Tax & Fee Admin | SP‑103‑887123 | Continuous | N/A |
| Federal EIN | IRS | 92‑1234567 | N/A | N/A |
| DOT Motor Carrier | FMCSA | MC‑141415 | 30‑Jun‑2026 | 120 days |
Compliance maintains digital copies in the GRC (Governance‑Risk‑Compliance) system with automated renewal reminders to Legal and Finance.
5 Merchant Onboarding & Ongoing License Management
Pre‑Onboarding Review
- Automated ingestion of license data via CA ABC API; manual cross‑check by Compliance Analyst Level II.
- Verification of zoning compliance via county GIS overlay.
- Execution of Drify Merchant Agreement containing indemnity, insurance, and data security clauses (§§ 15‑19 of Merchant Agreement Template v3).
Continuous Monitoring
- Daily automated scrape of CA ABC disciplinary actions list; any “Revoked,” “Suspended,” or “Under Protest” status triggers immediate merchant suspension.
- Quarterly certification questionnaire requiring merchants to confirm: (i) license remains active; (ii) no undisclosed investigations; (iii) compliance with Prop 65 labeling.
Termination
Drify reserves unilateral right to deactivate a merchant for material breach with 24‑hour notice, or immediately if public health/safety is at risk.
6 Driver (Courier) Eligibility & Compliance
| Requirement | Threshold | Verification Frequency |
|---|---|---|
| Age | ≥ 21 years | Onboarding & Annual |
| Driver’s License | Valid CA or state‑equivalent | Quarterly API check |
| Auto Insurance | ≥ $100K/$300K/$50K liability | Monthly proof upload |
| Background Check | No felony in last 7 years; no DUI in last 5 years | Annual (Checkr) |
| RBS Certification | Certified & listed in CA ABC RBS Portal | Annual |
| Device Security | Mobile OS supported + biometric lock enabled | At login |
Zero‑Tolerance: Drivers who consume alcohol or controlled substances within 8 hours of shift receive immediate deactivation and reporting to CA DMV.
7 Platform Controls — Ordering, Age Gating & Payment
- Age Confirmation: Users must enter their Date‑of‑Birth (“DOB”) at account creation and again at checkout. If the DOB indicates the user is under 21, the transaction is blocked.
- Time‑of‑Sale Block: Alcohol checkout is automatically disabled between 2:00 a.m. and 6:00 a.m. Pacific Time as required by Cal. Bus. & Prof. Code § 25631.
- Payment Processing: All payments are processed through a third‑party PCI‑compliant provider. Drify does not store raw card data.
- Additional Security: Drify may, but is not obligated to, deploy further safeguards (e.g., address validation, fraud scoring) at its sole discretion.
8 Delivery Chain‑of‑Custody Protocols
Delivery Verification Protocols
- Sealed Container: The Merchant provides the order in a manufacturer‑sealed container or closed bag. Drivers are not required to apply tamper seals or use special storage equipment.
- ID Verification: At hand‑off, the Driver visually inspects the recipient’s Valid ID to confirm (i) age ≥ 21 and (ii) likeness.
- Proof Photo: The Driver captures a single photograph in the Driver App showing (a) the unopened container and (b) a partial view of the ID (photo and DOB visible, ID number masked).
- No Porch Drops: Alcohol must be delivered directly to a person. If no eligible recipient is present, the Driver follows the Refusal procedure in § 9.
- Optional Enhancements: Drify may enable additional verification tools (barcode scan, geotag, signature) at its discretion, but such features are not mandatory for a valid delivery.
Delivery Chain‑of‑Custody Protocols
- Pickup Validation: Merchant scans QR code to release items; Driver countersigns digital manifest.
- Transport: Driver must secure alcohol in trunk or locked rear container; dashcam required for high‑value loads.
- Drop‑Off: Driver scans Recipient’s ID and captures encrypted facial image for one‑way hash matching (deleted after 30 days).
- Proof‑of‑Delivery (POD): Requires (i) timestamp, (ii) geo‑tag within 30 m, (iii) recipient signature, (iv) photo of sealed package open‑status.
- No Contact/Porch Drop Prohibition: Alcohol orders cannot be left unattended; any violation results in first‑strike under Sanctions Matrix (see § 22).
9 Refusal, Return, and Restocking Procedures
| Scenario | Driver Action | Merchant Action | Customer Outcome |
|---|---|---|---|
| Under‑Age Recipient | Mark “UA‑REFUSE,” return goods | Decide restock/destroy | Refund – $15 Refusal Fee |
| Intoxicated Recipient | Mark “INT‑REFUSE,” photo evidence | Same | Refund – $15 Refusal Fee |
| No Valid ID | Mark “ID‑FAIL,” return goods | Same | Refund – $15 Refusal Fee |
| No Show (> 10 min) | Mark “NO‑SHOW,” return goods | Same | Refund – $15 Refusal Fee + new delivery fee |
Returned product must be logged and stored by the merchant for 48 hours pending Compliance review; destruction per CA ABC Rule 67 thereafter.
10 Geographic & Temporal Restrictions
- Service Area: California counties where Type 77 is recognized and municipal code permits third‑party delivery. Platform geofences via Mapbox polygons.
- Temporary Blackouts: Wildfire, earthquake, or law‑enforcement incident may trigger region blackout; orders auto‑canceled with full refund and push notifications to customers.
11 Packaging, Labeling & Tamper Evidencing
- Orders must be handed to Drivers in sealed retail packaging (e.g., closed six‑pack ring, corked bottle, capped can, or stapled paper bag).
- The package must display the Merchant’s trade name and a statement such as “CONTAINS ALCOHOL — 21+.” Drify does not require serialized holographic seals or specific font sizes.
- Drify does not independently re‑package or label products and bears no responsibility for labeling defects originating with the Merchant.
12 Advertising & Promotional Restrictions
- No depiction of drinking before/while driving.
- Audience age gating: 85%+ of ad‑impression audience must be 21+.
- Discounts capped at 25% to avoid “inducement” (Cal. Code Regs. § 106).
- Sweepstakes prize pool ≤ $5,000 or obtain ABC marketing permit.
- All creatives routed through Brandwatch‑powered compliance workflow; Legal sign‑off required.
13 Data Privacy, Cybersecurity & Breach Response
- Compliance Frameworks: CCPA/CPRA, PCI‑DSS v4.0, NIST 800‑53 Rev. 5.
- Encryption: Data in transit via TLS 1.3; at rest via AES‑256‑GCM.
- Access Controls: Role‑based (RBAC) + MFA for privileged users.
- Retention: ID scans retained 7 years unless litigation hold; customer PII retained 3 years post‑account deletion.
- Breach Notification: Notify CA AG and affected individuals within 72 hours of discovery per Cal. Civ. Code § 1798.82.
- Pen‑Testing: Annual external penetration test and quarterly vulnerability scan; summary report stored in GRC.
14 Recordkeeping, Audit & Regulatory Cooperation
- Maintain order, POD, refusal, and training logs for ≥ 7 years.
- Provide “audit kit” to CA ABC within 48 hours of subpoena.
- Undercover decoy sting results shared with Drify Legal within 2 hours of notification.
15 Insurance Requirements
| Party | Coverage Type | Minimum Limits | Evidence |
|---|---|---|---|
| Drify | Commercial General Liability | $2 M per occurrence / $4 M aggregate | Certificates on file |
| Drify | Cyber Liability | $5 M each claim | Certificates on file |
| Merchant | Liquor Liability | $1 M / $2 M | Uploaded annually |
| Driver | Auto Liability | $100 K / $300 K / $50 K | Real‑time DMV API |
All policies must name Drify LLC, its affiliates and officers as Additional Insured and provide 30‑day notice of cancellation.
16 Indemnification & Hold Harmless
Merchants and Drivers shall indemnify, defend, and hold harmless Drify LLC, its parents, subsidiaries, officers, directors, employees, and agents from any and all claims, losses, damages, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:
- Violation of any alcohol, health, safety, or transport law;
- Bodily injury, death, or property damage caused by their negligence, willful misconduct, or breach of these Policies;
- Allegations of improper sale or furnishing of alcohol to a minor or intoxicated person;
- Data breaches attributable to their systems or negligence.
Indemnitor’s duty to defend is immediate upon written demand and independent of ultimate liability.
17 Limitation of Liability
Except for (i) indemnity obligations, (ii) gross negligence, or (iii) willful misconduct, Drify’s aggregate liability to any Merchant, Driver, or Customer under these Policies shall not exceed USD $1000 or the total fees paid by such party to Drify in the six (6) months preceding the event, whichever is less. In no event shall Drify be liable for indirect, special, consequential, or punitive damages, including lost profits or goodwill.
18 Dispute Resolution & Mandatory Arbitration
All disputes arising out of or relating to these Policies shall be resolved exclusively by binding arbitration administered by JAMS under its Streamlined Rules. Seat of arbitration: San Francisco, CA. Each party bears its own costs; arbitrator may award fees to prevailing party. Class actions and jury trials are waived. Judgment on the award may be entered in any court of competent jurisdiction.
19 Confidentiality & Intellectual Property
- All non‑public information disclosed by Drify—including APIs, software, business processes, and audit results—is “Confidential Information.”
- Recipient shall use Confidential Information solely to perform obligations under these Policies and shall not disclose to any third party without Drify’s written consent.
- Drify retains all right, title, and interest in its trademarks, copyrights, patents, and trade secrets.
20 Business Continuity & Disaster Recovery
Drify maintains commercially reasonable business‑continuity and disaster‑recovery capabilities commensurate with its size and resources. Specific technical architectures, recovery‑point objectives, testing cadences, and disclosures are subject to change at Drify’s sole discretion and may be modified, reduced, or suspended without notice.
21 Compliance with Forced Labor & Anti‑Trafficking
Drify and its counterparties must comply with all applicable laws prohibiting the use of forced labor, human trafficking, and child labor, including 19 U.S.C. § 1307 and the California Transparency in Supply Chains Act. Merchants and suppliers must certify, upon request, that materials incorporated into products supplied through the Platform were produced without forced labor or human trafficking. Drify reserves the right to audit suppliers and immediately terminate relationships for any credible violation.
22 Policy Enforcement & Sanctions Matrix
| Violator | Minor Offense (Warning) | Major Offense (Strike) | Critical Offense (Immediate Termination & Report) |
|---|---|---|---|
| Driver | Late delivery < 15 min | Untended porch drop | Under‑age hand‑off, DUI arrest |
| Merchant | Missing tamper seal | Repeated labeling errors | Selling without valid license |
| Customer | 1 failed ID | 2 failed IDs | Fraudulent ID, violent threat |
Three (3) Major Offenses within twelve (12) months → termination.
23 Training, Certification & Acknowledgment
- Drivers: Initial 2‑hour RBS course + annual refresher (online).
- Merchants: 60‑min onboarding webinar + quarterly compliance bulletin.
- Digital acknowledgment captured via DocuSign; stored 7 years.
24 Review, Amendment & Change Control
- Compliance Officer reviews Policies semi‑annually.
- Material changes require (i) Legal sign‑off, (ii) CEO approval, (iii) 30‑day public notice to merchants and drivers.
- Version control managed in Git‑based repository; diff logs retained.
25 Disclaimer
These Policies are internal guidelines that describe Drify’s present compliance framework. They do not create, and shall not be construed to create, any enforceable obligation, warranty, representation, or promise by Drify LLC to any third party. Drify may amend, deviate from, or discontinue any policy herein at its sole discretion, except to the extent expressly required by applicable law or a written contract executed by an authorized officer of Drify LLC.
Appendix A — Reference Statutes & Rules
- 27 U.S.C. § 122, § 214;
- California Bus. & Prof. Code §§ 23000‑25762;
- Cal. Code Regs. Title 4 §§ 67, 106;
- Union City Municipal Code Ch. 5.40;
- AB 1554 (2024); SB 389 (2021).
Appendix B — Incident Report Templates
Available forms (download via Compliance Portal):
- Form IR‑01: Age Verification Failure
- Form IR‑02: Intoxicated Recipient
- Form IR‑03: Vehicle Accident / Cargo Damage
- Form IR‑04: Data Breach Notice
Appendix C — Cybersecurity Minimums
- Mobile app hardening via App‑Shield SDK.
- OWASP MASVS Level 2 compliance.
- Drivers’ devices must run iOS 16+ or Android 13+.
- Mandatory device attestation; jailbroken/rooted devices blocked.