Privacy Policy

Piston Labs, Inc.

Effective Date: January 1, 2026

1. Introduction

Piston Labs, Inc. ("Piston Labs," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GPS tracking devices, mobile and web applications, Shop Dashboard, Fleet services, and related services (collectively, the "Services").

By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Services.

2. Our Privacy-First Commitment

GPS LOCATION DATA IS NOT STORED BY DEFAULT. Unlike many fleet and vehicle tracking services, Piston Labs has implemented a privacy-first architecture:

  • Default behavior: GPS coordinates are used only in real time for calculations (such as trip distance) and are never stored
  • Opt-in storage: If you explicitly enable location history storage for your own records and purposes, GPS data will be retained in your account
  • Real-time location viewing: Only available to authorized account owners who opt into this feature. No other party can view your vehicle's location.

This means that unless you opt in, your historical location data cannot be breached because it does not exist. We cannot provide location history to any third party, including law enforcement, if you have not opted to store it.

We do store non-GPS telemetry such as trip summaries (start time, end time, distance traveled), odometer readings, and vehicle diagnostic information to provide our core service features.

3. Information We Collect

3.1 Information You Provide

  • Account Information: Name, email address, phone number, and password when you create an account
  • Vehicle Information: VIN (automatically detected or manually entered), year, make, model, license plate, and odometer readings
  • Service Records: Photos or PDFs of repair orders that you upload, or that repair shops upload on your behalf
  • Payment Information: Processed securely by our payment provider; we do not store full credit card numbers

3.2 Information Collected Automatically

  • Device Telemetry: Vehicle speed, ignition status, battery voltage, engine RPM, and other OBD-II parameters (where supported)
  • Trip Data: Trip start/end times, total distance traveled, and duration (GPS coordinates only stored if you opt in)
  • Mileage Data: Odometer readings from OBD-II or GPS-calculated distance accumulation
  • Device Information: IMEI number, firmware version, cellular signal strength, and connection status
  • App Usage: Features accessed, pages viewed, and interaction patterns

3.3 Information from Third Parties

  • VIN Decoding Services: Vehicle specifications based on VIN (NHTSA database)
  • Repair Shop Records: Shops may upload repair orders for vehicles they service. This is the shop's own business record and does not require customer authorization.
  • Shop Management Systems: Service history from integrated systems like Tekmetric

3.4 Data Retention Summary

Data Type             Retention                Notes
GPS Coordinates       OPT-IN ONLY              Only stored if you enable location history
Trip Summaries        Account lifetime         Start/end times, distance only
Service History       Vehicle lifetime         Follows VIN, not owner
Account Information   Until deletion request   Deleted within 30 days

4. How We Use Your Information

We use your information to:

  • Provide real-time vehicle location to authorized account owners who opt into this feature (location is only stored if you enable location history)
  • Calculate and track vehicle mileage
  • Generate maintenance reminders based on actual driving patterns
  • Parse and organize service records using AI
  • Process payments and manage subscriptions
  • Improve our Services through aggregated, anonymized analytics
  • Send service notifications and updates
  • Comply with legal obligations

5. How We Share Your Information

5.1 With Your Consent

Repair shops can only access: (a) information you explicitly choose to share with them, or (b) repair orders that the shop itself has created for your vehicle. Shops never have access to your location data or any personal information you have not shared. You control what information shops can see about you and your vehicle.

5.2 Service Providers

We use trusted service providers to operate our platform:

  • Cloudflare: Edge computing and data processing infrastructure
  • Supabase: Database hosting and authentication
  • Soracom: Cellular connectivity for GPS tracking devices
  • OpenAI: AI-powered document parsing (repair orders are processed but not stored by OpenAI)
  • Payment Processors: Secure payment handling

These providers are contractually bound to protect your information and use it only for the services they provide to us.

5.3 Legal Requirements

We may disclose information when required by law, court order, or government request. However, because we do not store GPS location history, we cannot provide historical location data even under legal compulsion.

5.4 Business Transfers

If Piston Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5.5 What We Never Share

  • We do not sell your personal information to data brokers or advertisers
  • We do not share GPS location history because we do not have it
  • We do not share your information with insurers without your explicit consent

6. Data Security

We implement robust security measures to protect your information:

  • Encryption in Transit: All data is encrypted using TLS 1.3 during transmission
  • Encryption at Rest: Stored data is encrypted using industry-standard AES-256
  • Access Controls: Role-based access limits who can view your data
  • Edge Processing: Sensitive telemetry is processed at the edge via Cloudflare Workers, minimizing data exposure
  • Data Minimization: We only collect and retain data necessary for our Services

While we implement strong security measures, no system is completely secure. If you discover a security vulnerability, please report it to security@pistonlabs.com.

7. Your Privacy Rights

7.1 All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your account and personal information
  • Data Portability: Receive your data in a structured, machine-readable format
  • Opt-Out: Opt out of marketing communications at any time

7.2 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information (subject to certain exceptions)
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights
  • Right to limit use of sensitive personal information

Note on GPS as Sensitive Information: Under CCPA/CPRA, precise geolocation is considered sensitive personal information. Because we never store GPS coordinates, we inherently limit the use of this sensitive category.

7.3 European Users (GDPR)

If you are located in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR), including the rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing. Our legal basis for processing is contract performance and legitimate interests.

7.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@pistonlabs.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

8. Vehicle Service History and Record Types

We maintain two distinct types of service records with different privacy characteristics:

8.1 Private Records (Your Personal Data)

Original repair orders, receipts, and documents you upload contain personally identifiable information (PII) such as your name, contact information, payment details, and itemized costs. These private records:

  • Are accessible only to you (the account owner)
  • Are never shared with shops, future vehicle owners, or third parties without your explicit consent
  • Can be deleted upon request
  • Remain under your control at all times

8.2 Synthesized Vehicle Records (Public Service History)

From private records, we extract and synthesize anonymized service information linked to the vehicle's VIN. This public vehicle history includes only: services performed, parts replaced, mileage at service, and dates. It:

  • Does NOT include your name, contact information, payment amounts, or any PII
  • Is linked to the VIN, not to your personal account
  • Can transfer to future vehicle owners when you sell the car
  • Provides value by documenting the vehicle's maintenance history

This separation ensures your personal information remains private while allowing the vehicle itself to maintain a complete, valuable service history that benefits future owners.

9. Fleet and Employee Tracking

If your employer uses our Fleet services to track a vehicle you operate:

  • Your employer, not Piston Labs, is the data controller for employment-related tracking
  • Your employer must provide you with notice of tracking as required by applicable law
  • California AB-984 requires employers to provide written notice before tracking employees via GPS
  • GPS location data is still never stored, even for fleet tracking

For questions about how your employer uses our Services, please contact your employer directly.

10. Children's Privacy

Our Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@pistonlabs.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through prominent notice in our applications at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For questions or concerns about this Privacy Policy or our data practices, please contact us:

Piston Labs, Inc.
Privacy Inquiries: privacy@pistonlabs.com
Security Issues: security@pistonlabs.com
General Support: support@pistonlabs.com
Website: pistonlabs.co