Teslita

Privacy Policy

How we handle your personal data — in plain English.

Teslita is a service that connects to your Tesla account so you can see your trips, charging, and battery health in one place. To do that we have to collect some data about you and your car. This page explains what, why, and for how long — and what you can ask us to do about it. If anything here is unclear, just email hello@teslita.com.

You can download a complete ZIP of everything we hold about you any time from Settings → Data & privacy in the app — no email required (see section 9).

1. Who we are

Teslita is operated by:

Casora GmbH
Twedter Strandweg 33
24944 Flensburg, Germany
Email: hello@teslita.com
Managing Director: Steffan Sondermark
Commercial Register: HRB 13681 FL (Amtsgericht Flensburg)
VAT ID: DE325207556

For the purposes of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), Casora GmbH is the data controller for the personal data described on this page.

We have not appointed a Data Protection Officer because we are below the legal threshold. You can still reach our privacy contact at the address above.

2. What we collect

We try to collect as little as we need to make Teslita work. Here is everything we store, grouped by what it’s for.

2.1 Account data

  • Email address — to log you in and contact you about your account.
  • Display name — shown in the app; you choose what it is.
  • Password (hashed) — never stored in readable form; we use bcrypt.
  • Profile picture URL — only if you signed in with a social login that provided one.
  • Preferences — language, theme, units (km/mi, °C/°F, kWh price, currency, country, time zone).
  • Account state — created-at timestamp, whether onboarding is complete.

2.2 Vehicle & trip data (from Tesla)

Once you connect your Tesla account, we receive and store:

  • Vehicle identification — VIN, model, color, name you gave the car.
  • Live state — battery level, charging state, gear, speed, odometer, location coordinates.
  • Trips — start/end time, start/end location, route waypoints, distance, energy used, max speed.
  • Charging sessions — location, start/end time, energy added, cost, charger type, per-minute power samples.
  • Battery health — pack-level voltages, temperatures, balance, tire pressures.
  • Trip metadata you type in — trip purpose (private/business), driver name, license plate, business partner, notes — only if you choose to fill these fields.

Location is sensitive. Teslita necessarily records where your car drives and charges. That data stays in your account, is not sold, and is not used to advertise to you. It is shared with the processors listed in section 5 only as needed to run the service.

2.3 Technical data

  • Session record — when you log in we store a session ID, your IP address, and your browser’s User-Agent string. This is used to keep you logged in and to detect session hijacking.
  • Server logs — the web server records request paths, status codes, and IP addresses for security and debugging.
  • Error logs — if something breaks we log enough to fix it (which user, which operation, what failed).

2.4 Analytics data (about visits to teslita.com)

To understand which pages get used, we record:

  • Page URL, language, referring domain, device class (mobile/desktop), browser, OS.
  • UTM parameters and Google Ads click ID if present in the link you arrived from.
  • A daily-rotating visitor hash — a SHA-256 of your IP and User-Agent that resets every UTC midnight, so we can count unique daily visits without storing your IP or being able to track you across days.
  • Anonymous interaction events: scroll depth, button clicks, form submissions/abandonment, page-leave duration.

2.5 Email & support

If you email us, we keep the email so we can reply and look up the conversation later.

3. Why we collect it (legal basis)

Under GDPR Article 6 we always need a legal reason to process your data. Here’s ours:

  • To run the service you signed up for — account, vehicle, trip, charging, battery data. Legal basis: contract performance (Art. 6(1)(b)).
  • To keep the service secure — sessions, server logs, anti-bot challenge (Cloudflare Turnstile). Legal basis: legitimate interest (Art. 6(1)(f)) in preventing fraud and abuse.
  • To meet legal obligations — e.g. retaining invoice/charging records for tax purposes. Legal basis: legal obligation (Art. 6(1)(c)).
  • To improve the product — first-party analytics. Legal basis: legitimate interest (Art. 6(1)(f)). You can object to this; see section 9.
  • To send transactional email — password resets, account notices. Legal basis: contract performance.

4. How long we keep it

  • Account data — while your account exists, then deleted on request or when you close the account.
  • Vehicle, trip, charging, battery data — while your account exists. You can export or delete it via your account.
  • Sessions — sliding 90-day expiry from the last request. Expired session rows are purged.
  • Server & error logs — up to 30 days.
  • Analytics page views & events — up to 24 months in identifiable form (the visitor hash already resets every day, so cross-day linkage isn’t possible).
  • Charging invoices — retained for the legally required tax period (typically up to 10 years under German § 147 AO) where they relate to a paid transaction.
  • Support emails — up to 3 years after the last contact, unless we need to keep them longer for legal reasons.

When you delete your account, we delete the data immediately except where law requires us to keep it (e.g. invoices). Backups are overwritten on a rolling 30-day cycle.

5. Who we share it with

We don’t sell your data. We don’t share it for advertising. We use a small number of vetted processors strictly to run the service:

| Processor | What they receive | What they do | Where |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Everything (server hosting) | Hosts the application and database | Frankfurt, Germany (EU) |
| Postmark (ActiveCampaign LLC) | Your email address, message content | Sends transactional email (password reset, account notices) | USA (SCCs) |
| Cloudflare, Inc. | IP address, browser fingerprint at registration | Anti-bot CAPTCHA (Turnstile) | EU edge / USA (SCCs) |
| Tesla, Inc. | OAuth requests, vehicle commands | Source of all vehicle data; required for the service | USA (own privacy policy) |

We have data processing agreements (Art. 28 GDPR) in place with these processors where required. We do not transfer your data to anyone else for marketing or analytics.

6. Cookies & storage on your device

We keep this short and honest. We use only what we need:

  • Session cookie (sid) — set when you log in, keeps you logged in. Strictly necessary; no consent required (TTDSG § 25(2)).
  • Admin session cookie (admin_sid) — only set if you’re a Teslita admin. Strictly necessary.
  • Local storage (lang, teslita.lastEmail) — remembers your language choice and pre-fills your email on the login screen for convenience. You can clear these in your browser at any time.
  • Cloudflare Turnstile — the anti-bot challenge on the registration page may set its own short-lived storage. This is necessary to stop automated signups.

We do not set advertising cookies, analytics cookies, or any third-party tracking cookies. Our analytics works entirely server-side using a daily-rotating hash, so it doesn’t store anything on your device.

7. Connecting your Tesla account

Teslita talks to your Tesla account through Tesla’s official Fleet API. When you connect your account:

  • You log in directly with Tesla — we never see your Tesla password.
  • Tesla gives us an access token and a refresh token scoped to the permissions you approve. We store these encrypted.
  • We use the tokens to read your vehicle data and (with your permission) send commands like climate or charging control.
  • You can revoke our access at any time in your Tesla account settings, in the Teslita app, or by deleting your Teslita account.

Tesla’s own privacy policy applies to data they hold about you and your vehicle. Read it at tesla.com/legal/privacy.

8. International data transfers

Our servers are in Germany, so the bulk of your data stays in the EU. Two of our processors (Postmark and Cloudflare) operate in the United States. For these we rely on the EU–US Data Privacy Framework and/or the EU Standard Contractual Clauses as the legal mechanism for transfer (GDPR Art. 46).

Tesla, Inc. is also based in the United States. By connecting your Tesla account you accept that vehicle data flows through Tesla’s infrastructure in the US, governed by their privacy policy.

9. Your rights under GDPR

You have the following rights regarding your personal data. To use any of them, just email hello@teslita.com from the address on your account — we’ll respond within 30 days.

  • Access (Art. 15) — ask us what we have on you and get a copy.
  • Rectification (Art. 16) — correct anything that’s wrong.
  • Erasure (Art. 17) — delete your account and your data. We keep only what law forces us to (e.g. invoices).
  • Restriction (Art. 18) — ask us to stop processing your data while a dispute is resolved.
  • Data portability (Art. 20) — get a structured export of your data so you can take it elsewhere.
  • Object (Art. 21) — object to our analytics (legitimate-interest basis). We’ll honour it.
  • Withdraw consent — where we relied on consent, you can take it back at any time.
  • Complain to a supervisory authority — you can lodge a complaint with the data protection authority of your country, or with our lead authority: the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD).

Self-service export. You don’t need to email us to get your data — just log in and go to Settings → Data & privacy → Export my data. We’ll prepare a ZIP containing everything we hold about you (account, trips, charging sessions, vehicle telemetry, settings, and more) in the background and email you when it’s ready. The download link stays valid for 48 hours.

10. Security

We take reasonable measures to protect your data, including:

  • HTTPS everywhere; HSTS enforced.
  • Bcrypt-hashed passwords (cost factor 12).
  • OAuth tokens stored encrypted at rest.
  • Short session lifetime with sliding expiry.
  • Rate limiting on authentication endpoints.
  • Anti-bot protection on registration (Cloudflare Turnstile).
  • Regular dependency and security updates.

No system is perfectly secure. If you suspect your account has been compromised, change your password and email us at hello@teslita.com.

11. Children

Teslita is not directed at children under 16, and we do not knowingly collect data from them. If you believe a child has signed up, please email us so we can delete the account.

12. Changes to this policy

If we change anything material, we’ll update the “last updated” date at the bottom and — for changes that affect your rights or expand what we collect — notify you by email or in-app message before the change takes effect. Minor wording or clarification changes may be made without notice.

13. Contact & complaints

For anything privacy-related — questions, requests, complaints — email hello@teslita.com. Postal mail to the address in section 1 also works.

You always have the right to complain to a data protection authority. In Germany, our supervisory authority is the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel.