Privacy Policy
kilowatts.cc — Tesla Energy Optimizer
Last updated: 11 June 2026
1. Who we are
The data controller for kilowatts.cc is:
Rui Pires
Braga, Portugal
Email: [email protected]
"We", "us", and "our" refer to Rui Pires operating kilowatts.cc.
2. What this policy covers
This policy describes how we collect, use, and protect personal data when you use kilowatts.cc — a service that connects to your Tesla account to automate vehicle charging and Powerwall management based on dynamic electricity tariffs.
3. Data we collect and why
3.1 Account data
- Email address — to send you a magic login link and transactional emails (billing alerts, credit warnings). Legal basis: contract performance (Art. 6(1)(b) GDPR).
3.2 Tesla integration data
- Tesla OAuth tokens (access token + refresh token) — to act on your behalf via the Tesla Fleet API (read vehicle state, send charging commands, read Powerwall data). Tokens are stored encrypted in our database and never shared with third parties beyond Tesla's own API infrastructure. Legal basis: contract performance.
- Vehicle data (charge state, battery level, location when charging) — received via Tesla Fleet Telemetry streaming; used only to evaluate automation rules and logged in automation history. Legal basis: contract performance.
- Energy site data (Powerwall charge level, grid/solar power) — polled via Tesla Fleet API REST when the relevant automation is enabled; used only to trigger automation actions. Legal basis: contract performance.
3.3 Usage and settings data
- Automation preferences (thresholds, schedules, enabled automations) — stored to run your automations. Legal basis: contract performance.
- Electricity pricing zone — used to fetch the correct day-ahead prices from euenergy.live. Legal basis: contract performance.
- Solar panel settings (location, panel area, efficiency) — only if you enable the solar forecast widget. Legal basis: contract performance.
3.4 Billing data
- Stripe customer ID and subscription status — we store a Stripe customer reference to manage your subscription. We do not store card numbers or full payment details; those are held by Stripe. Legal basis: contract performance and legal obligation.
- Credit ledger — a log of credits allocated and deducted, with timestamps and reasons. Legal basis: contract performance.
3.5 Technical and analytics data
- Error logs — anonymised crash reports sent to Sentry to help us fix bugs. No personally identifiable information is deliberately included.
- Page view analytics — anonymised usage events sent to PostHog to understand how features are used. IP addresses are not stored.
- Server logs — standard web server access logs retained for up to 30 days for security purposes.
4. Third-party processors
We share data with the following processors, all of whom are bound by data processing agreements:
| Processor | Purpose | Location |
| --- | --- | --- |
| Tesla, Inc. | Vehicle/energy commands and telemetry via the Tesla Fleet API | USA (SCCs apply) |
| Stripe, Inc. | Payment processing and subscription management | USA (SCCs apply) |
| Resend, Inc. | Transactional email delivery | USA (SCCs apply) |
| Sentry (Functional Software, Inc.) | Error monitoring | USA (SCCs apply) |
| PostHog, Inc. | Product analytics | USA/EU (EU cloud option enabled) |
We do not sell your data to any third party, ever.
5. Data retention
| Data | Retention period |
| --- | --- |
| Account and settings data | Until you delete your account |
| Tesla tokens | Until you disconnect Tesla or delete your account |
| Automation logs | 12 months rolling |
| Credit ledger | 7 years (legal/accounting obligation) |
| Billing records | 7 years (legal/accounting obligation) |
| Server access logs | 30 days |
| Error logs (Sentry) | 90 days |
6. Your rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and all associated data (see below).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to pause processing while a dispute is resolved.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Account deletion
You can delete your account from the account settings page. On deletion we will:
- Revoke your Tesla OAuth tokens (your authorisation is removed from Tesla's systems).
- Permanently delete your personal data, automation settings, and automation history.
- Retain only what we are legally required to keep (billing records for 7 years).
7. Security
Tesla tokens are stored encrypted at rest using AES-256. Connections to kilowatts.cc use TLS. We apply the principle of least privilege — the service requests only the Tesla API scopes it needs to function.
8. International transfers
We are based in Portugal (EU). Some processors listed in §4 are based in the USA. Transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Supervisory authority
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Portuguese data protection authority:
CNPD — Comissão Nacional de Proteção de Dados
https://www.cnpd.pt
10. Changes to this policy
We will notify users by email of any material changes before they take effect. The "last updated" date at the top of this page will always reflect the current version.
11. Contact
For any privacy question or data request: [email protected]