What we collect
We do not collect personal data in the traditional sense (such as accounts or profiles). XYESLA is a lightweight navigation layer for Tesla browsers and phones and operates without analytics, trackers, or advertising. Specifically:
- No accounts. We do not ask for your name, email, phone, or any other personal identifier.
- No analytics / trackers. There is no Google Analytics, no pixel, no session replay, no fingerprinting.
- No cookies. We do not set cookies. Preferences (favorites, recent addresses, display settings) live in your browser's localStorage and never leave your device.
What is sent to the server
For the site to function, your browser contacts our backend for the following, and nothing more:
- Hazard reports you submit (police, accident, pothole, roadwork, camera) — stored as a point (latitude, longitude, type, timestamp). No author attached. Kept for a short TTL and deleted automatically.
- An anonymous presence ping — a random string generated by your browser, used only to count how many people are online. Never tied to an identity.
- Search / reverse-geocode queries — when you search for an address or drop a pin, the query is relayed to TomTom via our backend. We do not log these queries.
- Temporary request logs — like every web server, standard HTTP access logs exist at the hosting layer (Railway) and contain your IP address and the path you hit. Used only for abuse prevention.
- 🔋 Tesla BLE link — if you pair your Tesla via the XYESLA Android or iOS app, a 5-character session code identifies your stream of BLE readings. No Tesla account, no OAuth, no password. Code lives only in your browser and server memory.
- 🔤 Share codes — 3-letter route codes (e.g. BAT) are stored in server memory for 10 minutes, then deleted. Contain only destination coordinates.
Location data
Your device's geolocation is used locally in your browser to show you on the map and to route you. It is not transmitted to us except when you explicitly create a hazard report at your current spot — in which case only that single point is sent, not a trajectory.
Location access is requested via your browser and can be denied or revoked at any time through your browser/OS settings. XYESLA remains functional without it — you simply won't see your own position or be auto-routed from it.
Third-party services
To render tiles and route you, your browser and/or our backend talk to:
- Map tile providers (OpenStreetMap / CARTO / Esri / OpenTopoMap / HOT)
- OSRM (routing)
- Overpass (speed-camera data from OpenStreetMap)
- TomTom (search, reverse-geocode, routing with real-time traffic — proxied via our backend)
- Open-Meteo (weather)
- OpenChargeMap (EV chargers)
- Tesla vehicle (battery %, range — over Bluetooth LE via the XYESLA Android or iOS app)
Each has its own privacy policy. These services may process your IP address as part of standard internet communication.
Legal basis (GDPR)
Processing is based on legitimate interest (providing navigation functionality, operating and protecting the service from abuse) and user consent (for geolocation, which your browser asks you to grant explicitly).
Retention
We retain data only as long as necessary for functionality. Hazard reports expire on their TTL (1 hour to 90 days depending on type); presence pings are evicted after 60 seconds of inactivity; hosting-level access logs are rotated by Railway on its default schedule.
Sharing
We do not sell, rent, or share any data with anyone. There is essentially nothing to share.
Your rights
Because we do not store personal data, there is nothing to export or delete that is tied to you as a person. If you want to remove a hazard report you made, either down-vote it or wait for the TTL to expire.
Contact
Questions: faytonserver@gmail.com