Privacy Policy
How GuestKeyTS handles your data.
Effective Date: March 10, 2026
Company: Todd Houle
Contact Email: [email protected]
Business Address: Norfolk County, Massachusetts
This Privacy Policy describes how Todd Houle ("Company," "we," "us," or "our") collects, uses, stores, and discloses information in connection with the GuestKeyTS mobile application and related services (the "Service").
1. Overview
The Service enables vehicle owners to connect compatible vehicles and grant limited vehicle access and comfort controls to authorized users.
The Service integrates with third-party systems and APIs provided by Tesla and is hosted using infrastructure provided by Google, including Firebase.
This Privacy Policy explains what information we collect, how we use it, and your rights.
2. Information We Collect
A. Information Obtained Through Tesla Authentication
When you connect a vehicle through Tesla's authentication system, we may receive:
- Tesla account identifier
- Vehicle identification number (VIN)
- Vehicle ID
- Vehicle configuration data
- Vehicle state data (e.g., climate status, online/sleep status)
- OAuth access and refresh tokens issued by Tesla
We do not collect, process, or store your Tesla password.
B. Vehicle Information
To provide the Service, we store vehicle-related information, which may include:
- Vehicle ID and VIN
- Vehicle model and configuration
- Vehicle command state history (limited to functionality required to operate the Service)
- Permission settings granted by vehicle owners
C. Proximity Data
GuestKeyTS verifies that guests are physically near the vehicle before allowing certain commands. The method used depends on the platform:
iOS App (Bluetooth)
The iOS application uses Bluetooth Low Energy (BLE) to verify that a vehicle owner's device is nearby. When this feature is active:
- The app broadcasts and scans for BLE signals to determine proximity between devices
- Proximity status (nearby or not nearby) is used in real time to authorize or deny commands
- No location data is derived from BLE signals
- No Bluetooth data is transmitted to our servers or stored beyond the active session
Bluetooth proximity verification is used for rideshare mode and for any guest where the owner has enabled the proximity requirement. The app will request Bluetooth permission on your device; you may decline, but proximity-gated features will be unavailable.
Web Guest Client (GPS Location)
When a vehicle owner enables the proximity requirement for a guest, the web guest client uses GPS location to verify that the guest is physically near the vehicle before commands are allowed. When this feature is active:
- The guest's browser requests location permission and obtains GPS coordinates
- The guest's GPS coordinates are sent to our server with each command request for proximity comparison
- Guest location data is used only for real-time proximity verification and is not stored on our servers beyond the command request
- No guest location history is recorded or retained
The web client will request location permission through the browser. If permission is denied, proximity-gated commands will not be available.
Vehicle Location Data
To support proximity verification for web guests, we retrieve the vehicle's location from the Tesla API. Vehicle location (latitude, longitude, heading, and speed) is temporarily cached on our servers for up to two minutes to reduce repeated requests to the Tesla API. This cached location is used solely to compare against the guest's reported GPS position for proximity checks. Vehicle location data is not used for tracking and is not shared with guests.
D. Device Information
When you use the iOS application, we may collect:
- Device identifiers
- App version
- Operating system version
- Diagnostic and crash data
- Basic usage metrics
E. Command Logs
When commands are sent through the Service, we record:
- Pseudonymous user identifier
- Vehicle identifier
- Command type (e.g., climate, seat heater, media)
- Timestamp and command result
This data is used for security auditing, abuse prevention, and service reliability.
3. How We Use Information
We use collected information to:
- Authenticate vehicle connections through Tesla APIs
- Send authorized commands to vehicles
- Enable guest access permissions
- Check vehicle state (online, asleep, offline) and wake vehicles when authorized
- Maintain backend synchronization with Tesla systems
- Determine feature availability and enforce usage policies
- Verify device proximity using Bluetooth Low Energy (iOS app) or GPS location comparison (web guest client) for proximity-gated features
- Improve Service reliability and performance
- Provide customer support
We do not sell personal information.
4. Storage and Infrastructure
The Service is hosted using cloud infrastructure provided by Google, including Firebase.
Information stored may include:
- Tesla-issued OAuth tokens
- Vehicle identifiers
- Permission mappings
- Operational metadata
Data is stored on secure cloud servers and protected using industry-standard security controls, including encryption in transit and at rest where supported.
5. Data Sharing
We may share information:
A. With Tesla
To facilitate vehicle authentication and command execution through Tesla APIs.
B. With Service Providers
With cloud hosting and infrastructure providers necessary to operate the Service, including Google LLC (Firebase Authentication, Cloud Firestore, Cloud Functions, and Cloud Run). These providers act as service providers under the CCPA and process data only as necessary to provide the Service on our behalf.
C. For Legal Compliance
If required by law, subpoena, court order, or regulatory request.
D. With Co-Owners
If multiple users authenticate via Tesla for the same vehicle, each co-owner may see vehicle data, guest permissions, and command history associated with that vehicle. By connecting a vehicle that has been connected by another user, you acknowledge that your vehicle-related data may be visible to other authenticated users of that vehicle.
We do not sell, share, or rent user data to third parties for advertising or marketing purposes. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.
6. Data Retention
We retain information:
- For as long as a vehicle remains connected to the Service
- As necessary to provide the Service and its features
- As required to comply with legal obligations
Specific retention periods:
- Authentication tokens: Deleted within 30 days of vehicle disconnection.
- Command logs: Retained for 90 days, then automatically deleted.
- Permission records: Retained while a vehicle is connected; deleted when the vehicle is removed from the Service.
The Service does not respond to Do Not Track (DNT) browser signals. As described in this policy, we do not track users across third-party websites.
7. Security
We implement commercially reasonable administrative, technical, and physical safeguards designed to protect stored information.
However, no system can guarantee absolute security. You are responsible for maintaining the security of your Tesla account credentials.
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law, including Massachusetts General Laws Chapter 93H. We maintain reasonable procedures designed to detect and respond to security incidents.
8. Children's Privacy
The Service is not intended for children under 13 (or under 16 in jurisdictions where the digital age of consent is higher, including most European Economic Area countries). By using the Service, you confirm that you meet the minimum age requirement for your jurisdiction, or that your parent or legal guardian has authorized your use.
If a vehicle owner authorizes a guest under the age of 13, the vehicle owner represents and warrants that they have obtained consent from the child's parent or legal guardian and assumes full responsibility for that authorization.
We do not knowingly collect personal information directly from children.
9. International Users
If you access the Service outside the United States, your information may be transferred to and processed in the United States or other jurisdictions where our service providers operate.
10. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access information we hold about you
- Request correction
- Request deletion
- Restrict processing
- Object to processing based on legitimate interest
Requests may be submitted to: [email protected]
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete personal information we have collected from you, subject to certain legal exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Right to Limit Use of Sensitive Personal Information: We do not collect most categories of sensitive personal information as defined under the CPRA (such as Social Security numbers or financial account numbers). When a vehicle owner enables proximity verification for a web guest, precise geolocation is collected from the guest's browser solely for real-time proximity checks and is not stored beyond the active session.
To exercise these rights, contact us at [email protected]. We will verify your identity before fulfilling your request. You may also designate an authorized agent to make a request on your behalf. Authorized agents must provide written authorization from the consumer, and we may require the consumer to verify their identity directly.
We will respond to verifiable consumer requests within 45 days of receipt.
12. European Economic Area (EEA) Users
If you access the Service from the European Economic Area (EEA), the United Kingdom, or Switzerland, the following provisions apply in addition to the rights described in Section 10:
Legal Basis for Processing: We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you have requested, including authenticating vehicle connections, sending authorized commands, and managing guest permissions.
- Legitimate interest: Processing necessary for our legitimate interests, including security auditing, abuse prevention, service reliability, and command logging, where those interests are not overridden by your rights.
- Consent: Where required by applicable law, we will obtain your consent before processing.
Your Additional Rights: In addition to the rights listed in Section 10, you have the right to:
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local data protection supervisory authority
International Data Transfers: Your data is processed in the United States using infrastructure provided by Google LLC. These transfers are governed by Google's Data Processing Amendment and Standard Contractual Clauses approved by the European Commission.
Data Retention: We retain your data only as long as necessary for the purposes described in this policy. Authentication tokens are deleted within 30 days of vehicle disconnection. Command logs are retained for 90 days.
EU Representative: We have not yet appointed a representative in the EU pursuant to Article 27 of the GDPR. If you are an EEA user and require assistance, please contact us directly at [email protected]. We will appoint a representative if required as our user base in the EEA grows.
Contact: For data protection inquiries from EEA users, contact [email protected].
We will respond to requests from EEA users within 30 days of receipt.
13. Third-Party Services
The Service relies on systems operated by Tesla and Google.
Their data practices are governed by their respective privacy policies. We are not responsible for third-party data handling practices.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification at least 30 days before taking effect. Updates will be posted within the Service and reflected by a revised Effective Date.
Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact Information
If you have questions regarding this Privacy Policy, contact:
Todd Houle
[email protected]
Norfolk County, Massachusetts