VLTA mobile application for EV owners ("User App")
Effective Date: March 19, 2026 | Last Updated: March 19, 2026
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Third-Party Services
- Tesla Account & Vehicle Data
- Data Retention & Deletion
- Data Security
- Your Rights & Choices
- Your State Privacy Rights
- Children's Privacy
- Data Breach Notification
- Do Not Track Signals
- Data Storage Location
- Changes to This Privacy Policy
- Contact Us
1. Introduction
VLTA Inc. ("VLTA," "we," "us," or "our") operates the VLTA User App (the "App"), a mobile application that enables electric vehicle ("EV") owners to discover, book, and pay for charging sessions at privately hosted residential EV chargers. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the App.
By creating an account or using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.
2. Information We Collect
2.1 Information You Provide Directly
| Data Category | Specific Data | Purpose |
|---|---|---|
| Account Information | Name, email address, phone number, password (hashed), profile photo or avatar | Account creation, authentication, SMS phone number verification via Twilio, communication, and identification to hosts |
| Vehicle Information | Vehicle model, color, license plate number, connector type | Charger compatibility matching, vehicle identification at host locations |
| Payment Information | Payment card details (processed and stored by Stripe; we do not store full card numbers) | Processing payments for charging sessions |
| Tesla Account Credentials | Tesla OAuth tokens (access & refresh tokens) obtained through Tesla Fleet API authorization | Accessing your Tesla vehicle data for charging session monitoring |
2.2 Information Collected from Your Tesla Vehicle
When you link your Tesla account, we access the following categories of data from your vehicle via the Tesla Fleet API, using the scopes you authorize (openid, offline_access, vehicle_device_data, vehicle_location):
| Data Category | Specific Data | Purpose |
|---|---|---|
| Vehicle Identification | Vehicle Identification Number (VIN), car type, color, wheel type, charge port type | Identifying your vehicle and ensuring charger compatibility |
| Battery & Charging Status | Battery percentage, usable battery percentage, estimated/ideal/rated range, charging state, charge rate (kW), voltage, current, energy added (kWh), minutes to full charge, charge limit percentage, charge port status, cable type | Monitoring charging sessions, displaying real-time progress, calculating session costs |
| Vehicle Location | Latitude, longitude, heading, speed, GPS timestamp | Navigation to chargers, confirming vehicle arrival at charging location |
| Vehicle State | Door/window/trunk status, lock status, sentry mode status, odometer reading, software version, tire pressure | Providing vehicle status during charging sessions |
| Climate State | Inside/outside temperature, climate control status, seat heater status | Displaying vehicle comfort information during sessions |
| Session Evidence Logs | Fleet API polling data, charge state transitions, energy delivery measurements, timestamped events | Confirming effective charging session |
2.3 Information Collected Automatically
| Data Category | Specific Data | Purpose |
|---|---|---|
| Location Data | Real-time GPS coordinates from your mobile device (when you grant location permission) | Discovering nearby chargers, providing navigation, displaying distance to chargers |
| Device Information | Device type, operating system and version, unique device identifiers | App functionality, troubleshooting, and push notification delivery |
| Push Notification Tokens | Device push notification tokens (APNs for iOS, FCM for Android) | Sending booking confirmations, charging status updates, and other service notifications |
| Usage Data | Booking history, charging session records, transaction history, reviews and ratings you submit | Providing booking management, receipts, community trust and quality feedback, and customer support. Note: Reviews you submit are publicly visible on the Host's listing and can be viewed by all users of the Platform. |
| Browsing & Interaction Data | Listing views, search queries, charger availability checks, browsing frequency and patterns, time spent on listings | Improving charger discovery, detecting platform abuse (including scouting or unauthorized use of charger location data), and enforcing access requirements |
| Device & Network Signals | Device fingerprint identifiers, IP address, network connection type | Fraud prevention, multi-account detection, security monitoring, and preventing unauthorized access |
| Payment & Webhook Logs | Stripe webhook event logs (payment capture results, refund events, dispute notifications) | Ensuring prompt payment, refunds, and resolution of disputes |
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Creating and managing your account, enabling you to discover and book chargers, processing charging sessions, and facilitating payments.
- Tesla Vehicle Integration: Connecting to your Tesla vehicle to monitor charging status, battery level, and display real-time vehicle data during sessions.
- Location-Based Features: Showing nearby available chargers, calculating distances, and providing navigation assistance.
- Communications: Sending transactional notifications (booking confirmations, charging updates, payment receipts) and service-related announcements.
- Safety & Security: Detecting and preventing fraud, unauthorized access, and other harmful activities; verifying vehicle presence at host locations.
- Vehicle Identity Validation: Using Tesla Fleet API data at session initiation to verify the vehicle connected to the charger matches the Tesla vehicle linked to your account, preventing unauthorized use and account sharing.
- Fraud & Abuse Detection: Monitoring account activity patterns — including refund request frequency, booking and cancellation behavior, browsing patterns, and device/network signals — to detect and prevent fraudulent activity, platform scouting, account farming, and policy violations. Accounts that trigger fraud or abuse thresholds may be flagged for manual review or restricted.
- Payment Pre-Authorization: Placing pre-authorization holds on your payment method at booking confirmation to reserve funds for the estimated session cost, with final charges captured upon session completion.
- Payment Recovery & Webhook Logging: If a post-session payment capture fails, automatically retrying the charge and, if all retries are exhausted, suspending your account until the outstanding balance is resolved. We receive and log Stripe webhook event notifications related to your payments, including payment success, failure, refund, and dispute events. These logs are used for payment processing, failure diagnosis, automated retry scheduling, and dispute resolution.
- Review Moderation: Automated screening and manual review of user-submitted reviews on your listing to detect retaliatory, fraudulent, or policy-violating content. Review moderation data includes review timing, content analysis, and associated session and fee records.
- Dispute Resolution: Using session records and transaction data to resolve disputes between users and hosts.
- Session Evidence Logs: Maintaining detailed server-side logs of charging sessions — including Tesla Fleet API polling data, charge state transitions, energy delivery measurements, and timestamped events — for use in payment disputes, Stripe chargeback responses, and fraud investigations.
- Improving the Service: Analyzing aggregated, anonymized usage patterns to improve App functionality, reliability, and user experience.
- Legal Compliance: Complying with applicable laws, regulations, and legal processes.
We do not: Sell your personal information to third parties, use your data for targeted advertising, or share your Tesla vehicle data with advertisers or data brokers.
4. How We Share Your Information
We share your information only in the following circumstances:
4.1 With Hosts
When you book a charging session, we share the following information with the host to facilitate the booking: your first name, profile photo or avatar, user rating, total bookings count, member-since date, vehicle model, connector type, verified status, and booking details (date, time, duration). We do not share your full name (last name), email address, payment details, license plate number, vehicle color, Vehicle Identification Number (VIN), or Tesla credentials with hosts.
This data minimization approach is designed to provide hosts with only the information necessary to manage the booking while protecting your personal and vehicle information. All communication between users and hosts should take place through the VLTA in-app messaging system.
Safety disclosure: VLTA does not perform background checks on Hosts. While Hosts may be required to complete identity verification through Stripe as part of payout onboarding, identity verification is not a background check and does not screen for criminal history or other background information. You should exercise your own judgment when visiting a Host's property.
4.2 With Service Providers
We share data with third-party service providers who help us operate the App. These providers are contractually obligated to use your data only to provide services to us and in accordance with this Privacy Policy. See Section 5 for details.
4.3 For Legal Reasons
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
4.4 Business Transfers
If VLTA is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice in the App of any change in ownership or uses of your personal information.
5. Third-Party Services
The App integrates with the following third-party services, each of which has its own privacy policy governing data it processes:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting, user authentication, photo and file storage | Account information, profile photos, booking data, session data | supabase.com/privacy |
| Stripe | Payment processing | Payment card details, transaction amounts, billing information | stripe.com/privacy |
| Google Maps Platform | Map display, charger location, navigation | Device location, map interaction data | policies.google.com/privacy |
| Tesla Fleet API | Vehicle data access (read-only) | Tesla OAuth tokens; vehicle data is retrieved from Tesla's servers | tesla.com/legal/privacy |
| Apple Push Notification Service (APNs) | Push notifications on iOS | Device push token, notification content | apple.com/legal/privacy |
| Firebase Cloud Messaging (FCM) | Push notifications on Android, notification delivery receipt logging | Device push token, notification content, delivery status and failure logs | policies.google.com/privacy |
| Twilio | SMS phone number verification during account registration | Phone number, SMS verification code, delivery status | twilio.com/legal/privacy |
6. Tesla Account & Vehicle Data
Given the sensitive nature of Tesla vehicle data, we want to be especially transparent about our practices:
- Authorization: We access your Tesla data only after you explicitly authorize our application through Tesla's OAuth flow. You may review the specific scopes (permissions) during the authorization process.
- Scopes Requested: openid, offline_access, vehicle_device_data, vehicle_location.
- Read-Only Access: Our integration with the Tesla Fleet API is read-only. We poll your vehicle for data (battery level, charging status, location, vehicle state) but do not send commands to your vehicle. You remain in full control of your vehicle at all times.
- Token Storage: Your Tesla OAuth tokens (access and refresh tokens) are stored securely in our database. We never store your Tesla account password.
- Unlinking: You may unlink your Tesla account at any time through the App settings. When you unlink, we immediately and permanently delete your Tesla OAuth tokens from our servers. Historical charging session data (energy delivered, duration, cost) is retained for transaction records.
- No Secondary Use: We do not sell, license, or share your Tesla vehicle data with third parties for their own purposes. Vehicle data is used solely to provide the VLTA charging service.
- Tesla API Compliance: Our access to and use of Tesla vehicle data is subject to Tesla's Fleet API terms of service. We comply with Tesla's developer requirements, including data usage restrictions and rate limits.
7. Data Retention & Deletion
We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention practices include:
- Active Accounts: Data is retained for the duration of your account's active status.
- Account Deletion: When you request account deletion, we deactivate your account and begin the deletion process. Your personal information will be permanently purged from our systems within 90 days of your deletion request, except as noted below. When we deactivate your account, we direct third-party services to delete your personal information, except where those third-party services are required to retain certain personal information by law.
- Tesla Tokens: Deleted immediately upon account deletion or Tesla account unlinking.
- Payment Methods: Cleared immediately upon account deletion. Payment card data held by Stripe is removed per Stripe's data retention policies. As noted above, we direct third-party services to delete your personal information when we deactivate your account.
- Push Notification Tokens: Automatically deleted after 30 days of inactivity.
- Browsing & Interaction Data: Listing views, search queries, and browsing pattern data are retained for the duration of your account's active status. Aggregated, non-identifiable browsing data may be retained beyond account deletion for platform improvement purposes. Identifiable browsing data is deleted in accordance with the standard 90-day deletion process.
- Device & Network Signals: Device fingerprint identifiers and IP address logs used for fraud detection are retained for the duration of your account's active status and are deleted in accordance with the standard 90-day deletion process upon account deletion.
- Session Evidence Logs: Detailed server-side session logs (including Fleet API polling data, charge state transitions, and timestamped events) are retained for a minimum of 18 months after the associated session to support dispute resolution, chargeback responses, and compliance obligations. Full log payloads are trimmed to essential fields after 3 months; remaining summary records are purged at 18 months unless required for an active dispute or legal obligation.
- Payment & Webhook Logs: Stripe webhook event logs (including payment capture results, refund events, and dispute notifications) are retained for 18 months to support chargeback resolution within applicable card network dispute windows. Full webhook payloads are trimmed after 3 months to retain only event type, status, amount, and timestamp. All payment log data is purged at 18 months unless required for an active dispute or legal obligation.
- Transaction Records: We may retain anonymized or aggregated transaction records (session dates, amounts, energy delivered) beyond the 90-day deletion period as required for financial reporting, tax compliance, and dispute resolution obligations.
- Legal Obligations: We may retain certain data beyond the standard retention period where required by law, regulation, court order, or to resolve disputes or enforce our agreements.
8. Data Security
We implement commercially reasonable technical and organizational security measures designed to protect your personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure storage of authentication credentials (passwords are hashed; Tesla tokens are stored securely)
- Row-level security policies in our database to ensure users can only access their own data
- Payment card data is handled entirely by Stripe and is never stored on our servers
- Regular review of data access controls
No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.
9. Your Rights & Choices
You have the following rights and choices regarding your data:
- Access & Portability: You may request a copy of the personal information we hold about you by contacting us at support@vlta.io.
- Correction: You may update your account information directly in the App or by contacting us.
- Deletion: You may request deletion of your account and personal information through the App or by emailing us. See Section 7 for details on our deletion process.
- Tesla Unlinking: You may unlink your Tesla account at any time in the App settings, which immediately deletes your Tesla tokens.
- Location Permissions: You may disable location access through your device's operating system settings. Note that this will limit the App's ability to show nearby chargers and provide navigation.
- Push Notifications: You may disable push notifications through your device's settings.
- Payment Methods: You may add, update, or remove payment methods in the App. Payment data is managed by Stripe.
10. Your State Privacy Rights
Depending on your state of residence, you may have additional rights under applicable state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and other state privacy legislation. These rights may include:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it. You have the right to request this disclosure in a common file format.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising purposes. We do share personal information with a service provider for a business purpose, and by using the Service you direct us to interact with one or more third parties in order to provide the Service. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as precise geolocation and financial data) only for purposes necessary to provide the Service. No limitation request is necessary, as we do not use sensitive personal information for purposes beyond what is needed to deliver the Service. By using the Service, you opt-in to the processing of your sensitive personal information as necessary to provide the Service.
- Right not to be Subject to Automated Decisionmaking. We use automated systems to verify continued account eligibility and access. This includes the use of algorithms that detect fraudulent activity, payment non-recovery, and validate the identity of your vehicle. Users may request human review of any automated decision that materially affects their account by contacting support@vlta.io.
To exercise these rights, please contact us at support@vlta.io. We will respond to verifiable consumer requests within 45 days.
Categories of Personal Information Collected (CCPA Disclosures)
| CCPA Category | Collected? | Sold? | Shared for Advertising? |
|---|---|---|---|
| Identifiers (name, email, phone number, license plate) | Yes | No | No |
| Financial Information (payment details via Stripe) | Yes | No | No |
| Geolocation Data | Yes | No | No |
| Internet/Electronic Activity (device info, usage data) | Yes | No | No |
| Sensory Data (Tesla vehicle sensor data) | Yes | No | No |
| Visual Information (profile photo) | Yes | No | No |
| Browsing & Interaction Data (listing views, search queries, browsing patterns) | Yes | No | No |
| Device & Network Identifiers (device fingerprints, IP address) | Yes | No | No |
| Payment & Webhook Logs | Yes | No | No |
| Session Evidence Logs | Yes | No | No |
11. Children's Privacy
The App is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. By using the App, you represent and warrant that you are at least 18 years old. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as soon as possible. If you believe a child under 18 has provided us with personal information, please contact us at support@vlta.io.
12. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify you as required by applicable law. Notification will be provided via email to the address associated with your account and through a prominent notice in the App, or by other means as required by law. We will also notify relevant regulatory authorities where required.
13. Do Not Track Signals
Our Service does not respond to "Do Not Track" browser signals. We do not track users across third-party websites or services, and we do not use any advertising or cross-site tracking technologies.
14. Data Storage Location
Your data is stored on servers located in the United States, managed by our infrastructure providers (including Supabase and Amazon Web Services). By using the App, you consent to your data being transferred to and processed in the United States.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy in the App and updating the "Last Updated" date above. For significant changes, we may also notify you via email or through a prominent in-app notice. Your continued use of the App after any changes constitutes your acceptance of the updated Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
VLTA Inc.
Email: support@vlta.io