How is VoltKeep driving data protected?

Server-side encryption (X25519 + AES-GCM)

The driving data VoltKeep collects (route, speed, acceleration, battery state, etc.) is encrypted on your device before it ever leaves the iPhone. We use a hybrid X25519 public-key + AES-GCM scheme:

• On first setup, your device generates an X25519 key pair
• Only the public key is sent to the server. The private key stays in the iOS Keychain
• The server encrypts data with that public key when storing it
• Decryption happens on your device, using the locally held private key

With this design, not even our server administrators can decrypt the stored data. Even if the database were leaked, the contents remain unusable in their encrypted form.

VIN hashing

Tesla VINs are never stored as-is — they are kept as SHA-256 hashes.

This means database records are not directly tied to a specific vehicle. To look up a record by VIN, you'd have to hash the VIN first, and external matching against a known VIN list is impractical.

How Tesla OAuth tokens are handled

The access and refresh tokens issued by Tesla's OAuth flow are stored in the iOS Keychain on your iPhone.

• VoltKeep servers never store Tesla tokens
• Authentication to Tesla happens directly from your device
• Your Tesla password is never handed over (OAuth means we don't see it)

This is a fundamentally different design from TeslaMate, which stores access tokens server-side. Uninstalling VoltKeep removes the tokens from your Keychain, and you can also revoke the session from your Tesla account.

Data deletion requests

When you close your account, the in-app "Delete Account" option removes all server-side encrypted data, your public key, and the VIN hash. Deletion runs immediately.