Privacy Policy for Car Lease Tracker
Last updated: July 2026
Introduction
Car Lease Tracker ("the app") is published by CurlyByte Solutions ("we", "us", "our"). This Privacy Policy explains how we handle information when you use the iOS app, including optional premium vehicle connection features.
Data controller: CurlyByte Solutions — contact details are listed at the end of this policy.
Local data (default use)
Without enabling a vehicle connection, the app stores your lease data locally on your device using Apple’s SwiftData framework:
- Lease details (vehicle model, contract dates, mileage limits)
- Odometer logs and special trips
- Usage statistics derived from your entries
This core data is not uploaded to our servers unless you explicitly use an optional connection feature described below. You can delete local data in the app settings or by removing the app from your device.
Auto-sync connections (optional)
You may optionally connect a vehicle to import odometer readings automatically. You can disconnect at any time in the app. Each provider works differently:
Smartcar
Smartcar does not require a premium subscription.
- You supply your own Smartcar API credentials.
- Credentials and tokens are stored in the iOS Keychain on your device.
- The app communicates directly with Smartcar; we do not operate a backend for Smartcar.
- Data typically accessed: vehicle identifiers, make/model/year, odometer.
- Smartcar’s terms and privacy policy apply to their service.
Toyota (Europe, premium)
Requires an active premium subscription.
- Available for supported Toyota accounts in Europe only.
- Your Toyota email/password and session tokens are stored in the iOS Keychain on your device.
- The app communicates directly with Toyota services; we do not receive your Toyota password.
- Data typically accessed: vehicle VIN, display name, odometer.
Tesla connection (premium)
Tesla integration uses the Tesla Fleet API with OAuth 2.0. Before connecting, you must accept in-app data-processing consent that links to this policy.
What we access
- Odometer (converted to kilometres for your lease log)
- Battery state of charge and estimated range (EV vehicles)
- Vehicle identifier, VIN, and display name
- Charging state (e.g. charging / disconnected)
We do not request Tesla location data, and we never ask for or store your Tesla account password.
How Tesla sign-in works
- Sign-in happens in a secure browser session with Tesla (
auth.tesla.com). - OAuth access and refresh tokens are stored in the iOS Keychain on your device, scoped per lease.
- Token exchange and Fleet API calls are proxied through our EU-hosted connection broker (Google Cloud Run in
europe-west3). - The broker is stateless: it holds our Tesla developer credentials server-side but does not persist your user OAuth tokens or lease data.
- Synced vehicle values are saved locally in the app as part of your lease record.
Fleet API regions
You must select the Fleet API region that matches where your Tesla account is registered. Tesla operates separate regional endpoints. Our app supports:
- Europe, Middle East & Africa — EU Fleet API endpoint
- Americas & Asia-Pacific — NA Fleet API endpoint (covers the US, Canada, Mexico, Puerto Rico, and Asia-Pacific countries such as Japan, Australia, and New Zealand — not only North America)
Mainland China uses a separate Tesla developer platform and is not supported by this app. See Tesla’s official guide: Regions and Countries.
Legal basis (GDPR)
Processing of Tesla vehicle data for auto-sync is based on your consent (Art. 6(1)(a) GDPR), given through the in-app consent toggle before connection. You may withdraw consent by disconnecting Tesla in the app and/or revoking third-party access in your Tesla account settings.
Retention
- OAuth tokens remain on your device until you disconnect or delete the app.
- Imported odometer readings remain in your local lease history until you delete them or clear app data.
- Our connection broker does not retain Tesla user tokens after requests complete.
Third parties
- Tesla, Inc. — vehicle data source and OAuth provider. See Tesla Privacy Notice.
- Google Cloud Platform (EU) — infrastructure processor for the stateless API broker only.
- Apple Inc. — device platform and Keychain storage.
Revoking Tesla access
You can disconnect Tesla at any time in the app (Auto-Sync settings). You can also remove third-party app access in your Tesla account. Deleting the app removes locally stored tokens and lease data from your device.
Install Attribution (AppsFlyer)
On iOS, Car Lease Tracker uses AppsFlyer, a third-party mobile attribution service, only to determine whether an installation resulted from one of our advertising campaigns on services such as X Ads, Meta Ads, Google Ads, TikTok, or Snapchat.
The app sends one install/first-launch request to AppsFlyer. After AppsFlyer confirms that request, Car Lease Tracker stops the AppsFlyer SDK. We do not send later app sessions, purchases, subscriptions, lease details, odometer logs, trips, expenses, vehicle connection data, or custom in-app activity to AppsFlyer.
For install attribution, AppsFlyer may collect and process:
- Device identifiers (for example, IDFV and an AppsFlyer install identifier called AF ID)
- The advertising identifier (IDFA) only if you authorize tracking through Apple’s App Tracking Transparency prompt
- The install and first-launch request
- Technical device information (for example, operating system, device type, language, screen size)
- Network information (for example, IP address)
- Limited performance signals used for request delivery and fraud prevention
This data is transmitted to AppsFlyer and may be linked to your device for advertising measurement. AppsFlyer may send an install postback to the advertising partner that delivered or participated in the campaign. AppsFlyer’s processing is described in its Privacy Policy.
App Tracking Transparency: Before device-level advertising attribution, Car Lease Tracker explains the measurement and offers Apple’s tracking-permission prompt. If you authorize tracking, AppsFlyer may use the IDFA for deterministic install attribution. If you deny or skip permission, no IDFA is available; Apple, AppsFlyer, and participating ad networks may still provide aggregate or modeled installation attribution using privacy-preserving systems such as SKAdNetwork or AdAttributionKit.
Your choice: You can continue using every Car Lease Tracker feature without granting tracking permission. Your selection is stored on your device so the explanation is not repeatedly displayed. You can also manage Apple tracking permissions in iOS Settings after the system prompt has been shown.
Legal basis: Where applicable, device-level advertising measurement is based on your consent. Aggregate measurement and the limited processing needed to deliver, secure, and prevent fraud in the install request are handled as permitted by applicable law. Contact us if you wish to exercise privacy rights relating to this processing.
Subscriptions
Premium features, including Toyota and Tesla direct connections, require an active App Store subscription processed by Apple. We do not receive your payment card details. Apple’s privacy policy applies to purchase data.
Your rights
If you are in the European Economic Area or another jurisdiction with similar laws, you may have the right to access, rectify, erase, restrict, or object to processing of your personal data, and to data portability, where applicable. You may also lodge a complaint with your local supervisory authority.
To exercise these rights, contact us using the details below. Because most data is stored on your device, you can also delete it directly in the app.
Children
The app is not directed at children under 16. We do not knowingly collect personal data from children.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
Contact Us
If you have any questions about this Privacy Policy, please contact us at:
CurlyByte Solutions
Dr. Rafael Sosa