Privacy Policy

Privacy Policy for Boring Order Tracker (App & Website)

This privacy policy applies to both the website tostviewer.de and the Boring Order Tracker app for iOS and Android.

1. Controller

Responsible for data processing within the meaning of the General Data Protection Regulation (GDPR):

Jan Gerster
Hauptstr. 53
79787 Lauchringen
Germany
Email: info@hosting-fox.de

2. What data is collected?

The app and website collect and process data only as necessary for their features. The scope depends on which features you enable:

a) Tesla Account Data

When you sign in, the app receives OAuth tokens from Tesla to authenticate API requests (scopes: openid, email, offline_access, user_data, vehicle_device_data). These tokens are stored securely on the respective device. The app fetches your order information (model, status, dates, delivery center, configuration, option codes) directly from Tesla's servers. If enabled, financing details (monthly payments, interest rates, loan terms) are also retrieved.

b) Existing Vehicles & Live Data

The existing-vehicle option is optional and only works when you explicitly enable it in app settings.

If enabled, the app fetches registered vehicles directly from the Tesla API and stores their live telemetry in a local cache. This includes state, battery level, estimated range, odometer, charging status, software version, and vehicle configuration. If this option is off, existing vehicles are not fetched.

The option is used for status accuracy, pickup-related workflows, and comparison notifications only. You can disable it at any time, and then no new existing-vehicle data is loaded or sent.

c) Change History

The app locally tracks changes to your orders over time (status updates, delivery window changes, configuration changes). This data is stored only on your device.

d) Stats / Comparison (Opt-In)

With your explicit consent (Opt-In), anonymized data is sent to the stats server. For orders this includes: model, configuration, order date, expected delivery window, delivery center, status, option codes, and a VIN-assigned flag (true/false only). For existing vehicles it includes: anonymized vehicle fingerprint (SHA256 hash), model, state, battery level, range, odometer, charging status, software version, and vehicle configuration. A unique device identifier (UUID) is transmitted for deduplication.

On the server, technical timestamps are additionally stored for: last received update, first VIN assignment, and last delivery-window change.

The stats payload does NOT include: real names, email addresses, phone numbers, postal addresses, actual VIN numbers, payment amounts, or financing details.

e) Bugs & Ideas (Opt-In)

If you enable this feature, the app transmits your anonymized device ID and any content you submit (ideas, votes, comments, support tickets). Your IP address is automatically transmitted with each request and is required for moderation, spam protection, and vote integrity.

f) Blog (Opt-In)

If you enable the blog, the app transmits your anonymized device ID, your chosen username, and content you submit (posts, comments, likes, and up to 4 images per post). Your IP address is transmitted automatically with each request. Blog content may be translated using AI (OpenAI) on the app operator's server. When a translation is requested, the relevant text is sent to the server, where it is translated and returned to the app.

g) Community Identity (Optional)

You can optionally link your community profile across features using Sign in with Apple. When used, a SHA256 hash of your Apple user ID is generated as an anonymous identity key. Your Apple email is requested but not required and is not stored on the app developer's servers.

h) Background Refresh

If enabled, the app refreshes order and vehicle data in the background (approximately every 2 hours). The existing-vehicles option controls whether existing vehicle telemetry is refreshed. Local notifications can be shown for detected changes.

i) In-App Purchases (Tip Jar)

Purchase transactions are handled entirely by Apple via StoreKit. No purchase data is sent to the app developer's servers. The app only stores a local flag indicating whether a purchase was made.

j) Vehicle Handover Documentation

The app creates a handover report during vehicle pickup with inspection points, photos, and optional notes. Completed reports receive a verification code that can be used to verify the document's authenticity at tostviewer.de/verify.php. The report stores the model, masked VIN (partially hidden), inspection status, and creation date.

k) Website (tostviewer.de)

The website does not collect personal data. No cookies are set (except an optional language preference cookie), no analytics or tracking tools are used, and no advertisements are displayed. The web server logs standard technical access data (IP address, timestamp, requested page, browser type) in log files. This data is used exclusively for ensuring technical operation and defending against attacks and is deleted after no more than 30 days.

3. How is your data stored?

  • Tesla access tokens are stored encrypted in the iOS Keychain (hardware-backed encryption via Secure Enclave, accessible after first device unlock).
  • Order data, vehicle data (including live telemetry), change history, and blog cache are stored locally in your app sandbox as JSON files.
  • User settings, preferences, and your anonymous device ID (UUID) are stored in standard UserDefaults.
  • Vehicle images are cached locally from Tesla's compositor servers.
  • If you enable Stats, anonymized comparison records (for orders and vehicles) are stored on a server located in Germany. Existing vehicles are restricted to technical vehicle fields only.
  • Blog posts, ideas, and support tickets are stored on a server located in Germany.
  • Without explicit consent, no data is transmitted to external servers (except Tesla's own servers for order and vehicle data retrieval).

4. Third-party services

The app communicates with the following services:

  • Tesla, Inc. (auth.tesla.com, owner-api.teslamotors.com, akamai-apigateway-vfx.tesla.com, static-assets.tesla.com): Authentication, order data retrieval, vehicle telemetry, and vehicle images. Tesla's privacy policy applies to data processed by Tesla.
  • App operator's server (hosting-fox.de): Stats comparisons, blog, ideas, support, push notification delivery, documentation verification, and handover documentation. Only used when respective consent is granted (except verification, which is publicly accessible).
  • Apple (StoreKit, Sign in with Apple): In-app purchase handling and optional identity linking. Apple's privacy terms apply.
  • OpenAI (via app operator's server): Blog content translations are performed using OpenAI's API on the app operator's server. Only the text to be translated is processed; no personal data is sent to OpenAI.
  • QR code service (api.qrserver.com): For generating QR codes in handover reports. Only the verification URL is transmitted.

The app does NOT use any analytics SDKs, advertising networks, crash reporting services, or device location services. No data is shared for advertising, tracking, or profiling purposes.

5. Legal basis (Art. 6 GDPR)

  • Consent (Art. 6(1)(a)): Stats/Comparison data submission, Blog participation, Ideas & Support features. You can withdraw consent at any time in the app settings.
  • Contract performance (Art. 6(1)(b)): Processing of Tesla account data required to provide the app's core order-tracking functionality.
  • Legitimate interests (Art. 6(1)(f)): Technical processing such as IP address logging for spam protection and service security, anonymous device identifiers for deduplication, server log files for website protection.

The optional existing-vehicle fetch for comparison, status checks, and notifications runs only with your explicit consent in the data options.

6. Notifications

  • In-app and local notifications are processed directly on your device.
  • Push notifications are delivered via Apple Push Notification Service (APNs).
  • If you enable notifications, the app will notify you when changes to your orders or existing vehicles are detected during background refresh.
  • In-app notifications for blog activity, ideas updates, and support ticket changes are processed locally based on data fetched from the server.

7. Data security

  • All network communication is encrypted via HTTPS (TLS 1.2 or higher).
  • Authentication tokens are stored in the secure iOS Keychain with hardware-backed encryption.
  • The app does not use tracking or analytics SDKs.
  • No advertisements are shown.
  • Device identifiers used for Stats, Ideas, and Blog are anonymized UUIDs that cannot be traced back to your person.
  • Website database access is protected against SQL injection through prepared statements.

8. Your rights (GDPR)

Under the GDPR, you have the right to:

  • Access: Request information about what data is stored about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data.
  • Restriction: Request restricted processing.
  • Data portability: Receive your data in a structured format.
  • Object: Object to data processing.

Contact: info@hosting-fox.de

To remove data, you can use “Delete Data from Server” in settings or disable existing-vehicle sharing under Data options. You can also use “Delete Account & Reset App” to remove both local and server-side data for your account.

9. Data retention

  • Local data (tokens, orders, history, cache) is retained until you sign out, clear it manually, or uninstall the app.
  • Server-side comparison records, ideas, support tickets, blog content, notifications, existing vehicles, and handover documentation are retained until you request deletion or revoke consent.
  • In-app purchase records are managed by Apple according to their retention policies.
  • Website server log files are deleted after no more than 30 days.

10. Children's privacy

This app and website are not directed at children under 16. We do not knowingly collect personal data from children.

11. Changes to this policy

This privacy policy may be updated from time to time. The latest version is always available in the app and on this website.

As of: March 2026

