Privacy Policy
This app ("Exoda Control for Tesla") is developed and operated by Exoda. The protection of your personal data is important to us. Below we explain transparently which data the app collects and processes, and where it is transferred.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
T. Stephan (Exoda)
Kookamp 40
46354 Südlohn
Germany
Contact via the app or by e-mail to: info@exoda.de
Exoda Control for Tesla is an independent product by Exoda and is not affiliated with or authorized by Tesla, Inc.
2. Tesla account & OAuth authentication
- You sign in via the official Tesla OAuth 2.0 flow at auth.tesla.com.
- The app stores the access token and refresh token encrypted in the Keychain (iOS) or the Keystore (Android).
- The app does not know your Tesla password – authentication takes place directly with Tesla.
- The access token is renewed automatically when it expires (proactively every 6 hours).
- When you sign out, all stored tokens are deleted.
3. What data is retrieved?
The following vehicle data is retrieved via the Tesla Fleet API:
- State of charge, range, charging power
- Vehicle status (online/offline, locked/unlocked)
- Odometer reading, tyre pressure
- Vehicle name, VIN, firmware version
- Climate status (interior and exterior temperature)
- Sentry Mode status
- Trip data (speed, position, heading, power) – for trip history and logbook
This data is displayed only and is not stored permanently on external servers.
4. Vehicle control
The app can send the following commands to your vehicle:
- Lock / unlock
- Turn climate on/off, set desired temperature
- Open frunk / trunk
- Honk, flash lights
- Adjust charge limit and charge current
- Start/stop charging, open/close charge port
- Enable/disable Sentry Mode
- Open/close windows
- Steering wheel heating, seat heating (levels 0–3)
- Max Defrost (windscreen defrost)
- Schedule/cancel software update
- Media control (play/pause, track, volume)
All commands are sent via the Tesla Vehicle Command Protocol through a cloud proxy and signed with a private key.
5. Cloud services & data transfer
The app uses the following external services:
5.1 Tesla Fleet API
Endpoint: fleet-api.prd.eu.vn.cloud.tesla.com
Purpose: Retrieval of vehicle data and sending of read requests.
5.2 Tesla Auth
Endpoint: auth.tesla.com
Purpose: OAuth 2.0 authentication with PKCE (Proof Key for Code Exchange).
5.3 Google Cloud Run (Tesla proxy)
Purpose: Proxy server for signing Vehicle Command Protocol commands.
The private key resides exclusively in Google Secret Manager.
No vehicle data is stored on the proxy.
5.4 Firebase Cloud Functions (europe-west1)
Purpose: Secure provision of the OAuth configuration (client ID/secret). The secrets are managed in Google Secret Manager.
5.5 Firebase Cloud Messaging (optional)
Purpose: Push notifications (e.g. departure/arrival).
The FCM token is stored locally and synchronised to Firestore to enable notifications.
Use is optional and can be disabled at any time.
5.6 Cloud Firestore
Purpose: Synchronisation of the FCM token and Tesla token for server-side push notifications (Cloud Function). No vehicle usage or movement data is stored in Firestore.
All connections are encrypted via HTTPS/TLS.
6. Local data storage
The following data is stored encrypted in the device keychain:
- Access token & refresh token (Tesla OAuth)
- Tesla Client ID & Client Secret
- Cloud proxy URL
- Time of last token renewal
The logbook stores trips locally on the device (as a JSON file). This data is not transmitted to servers.
7. API cost logbook
Every chargeable Tesla API request (data retrieval, command, wake-up) is logged in Cloud Firestore with timestamp, type, and estimated cost. This serves solely to provide transparency for the operator. No personal user profiles are created.
8. No sharing with third parties
- No data is sold or shared with third parties.
- There are no analytics or tracking tools (no Google Analytics, no Firebase Analytics).
- No advertising IDs or usage profiles are collected.
- The app contains no advertising.
9. Your rights
You have the following rights under the GDPR:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
To exercise your rights, please contact: info@exoda.de
You can revoke your Tesla access at any time in your Tesla account under Security → Third-Party Apps.
10. Sign-out & data deletion
- Sign out: All stored tokens and credentials are deleted.
- Uninstall: All local data is completely removed.
- For deletion of Firestore data (FCM token, API logs), please contact us by e-mail.
11. Security
- Tokens are stored in the iOS Keychain / Android Keystore (hardware-backed encryption).
- The OAuth flow uses PKCE (Proof Key for Code Exchange) to protect against authorisation code interception.
- The Vehicle Command private key resides exclusively in Google Secret Manager and is never present on the end device.
- The app stores no passwords.
12. Changes to this privacy policy
This privacy policy may be updated when the app changes. The current version is always accessible via this website and the app menu.