Privacy Policy

1. Introduction

GoCharge (“we,” “us,” or “our”) is a community-powered service that helps electric-vehicle drivers see real-time wait times at public charging stations. Drivers who are charging publish their status, and drivers who are looking for a charger can see estimated availability before they drive there. We are currently operating in private beta.

GoCharge is the data controller for personal data processed through this service. We determine the purposes and means of processing your personal data.

The operating entity for GoCharge is [LAWYER TO CONFIRM: legal operator name]. Questions, requests, or complaints may be sent to support@letsgocharge.com.

2. Information we collect

Account information

Your email address, display name, a bcrypt hash of your password (we never store your actual password), email-verification state, and an administrative flag for staff accounts.

Vehicle information

If you add a vehicle to your Garage: Vehicle Identification Number (VIN), license plate and US state of registration, a nickname you choose, and whether the vehicle is your default.

Location data

When you visit the map, your browser may ask your permission to share your location so we can show nearby stations. If you deny, we fall back to a default city-level location. If you connect a vehicle via Smartcar, we receive the vehicle's location only while a charging session is active, so we can match it to a station.

Smartcar telemetry (optional)

If you connect a vehicle through Smartcar, we receive and store: OAuth access and refresh tokens (encrypted at rest), the vehicle's VIN and Smartcar vehicle identifier, charge-state events (charging, fully charged, disconnected), and charging location. We use this data solely to auto-publish your charging sessions.

Charging session data

The station and stall you're using, start and end times, estimated completion time, whether the session was published manually or via Smartcar, and the vehicle you selected (if any).

Waitlist entries

The station you joined a waitlist for, your position in the queue, timestamps for join / notify / acknowledge / leave events, and the vehicle you selected (if any).

Community submissions

When you submit a stall name or provider during a charging session, we store the submission linked to your account so we can moderate it. Approved submissions are published publicly in the app to help other drivers identify the stall.

Technical data

IP address, user-agent string, request identifiers, and structured JSON logs used for security monitoring, abuse prevention, and debugging.

3. How we use your information

• Operate the service: show you nearby stations, display wait times from other drivers, manage the waitlist, and publish your status to other signed-in users.
• Authenticate you: sign-in, sign-up, email verification, and password reset.
• Auto-detect charging sessions via Smartcar if you connect a vehicle.
• Moderate community submissions before publication.
• Prevent abuse and secure the service (audit logs, session tracking; rate limiting and additional account-security features are planned).
• Communicate with you about your account. We currently send only transactional emails: email verification, password reset, and security notices. Transactional emails are required for the service and cannot be unsubscribed from without deleting your account. We do not send marketing email. If we ever add marketing email, it will be opt-in with a clear unsubscribe link.

4. Legal basis for processing

For users in the European Union, United Kingdom, or other jurisdictions with similar frameworks, we rely on these legal bases:

• Contract — to provide the service you signed up for (accounts, sessions, waitlist).
• Consent — for browser geolocation, Smartcar vehicle connection, and (if ever added) marketing email.
• Legitimate interest — for security, fraud prevention, and basic product improvement.

We apply GDPR-level data-handling practices globally, not only where legally required.

5. How we share your information

• Other signed-in users: Your estimated time to completion and the station/stall you're occupying are visible to other signed-in drivers. This is the core feature of the service.
• Public community submissions: Approved stall names and provider identifiers are visible publicly in the app.
• Admin access: Admin access to user data is limited to authorized GoCharge personnel, logged for audit, and used only for moderation, customer support, security investigation, and fraud prevention. Admins do not access your data for marketing, analytics, or third-party disclosure.
• Service providers: See Section 6.
• We do NOT sell your personal information. This statement applies to “sale” and “sharing” as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).
• Legal disclosure: We may disclose information if required by law, legal process, or a lawful government request, with notice to you where permitted.

6. Third-party service providers

• Vercel ↗ (opens in new tab) — hosting, serverless compute, and application logs.
• Neon ↗ (opens in new tab) — managed Postgres database (data hosted in the United States).
• Smartcar ↗ (opens in new tab) — optional vehicle-connection provider used to auto-publish sessions.
• Infobip ↗ (opens in new tab) — transactional email delivery in production.
• Google (Gmail SMTP) ↗ (opens in new tab) — transactional email delivery in development environments only.
• OpenChargeMap ↗ (opens in new tab) — public source of charging-station data. We send geographic bounding boxes to query nearby stations; we do not send your account identity.

7. Data retention

Account data is retained while your account is active. If you delete your account, we remove your personal data within 30 days, except data we must retain for legal, tax, security, or fraud-prevention reasons (audit logs may be retained for up to 12 months). Charging session and waitlist records may be retained in de-identified or aggregated form for product analytics. Community submissions you authored remain published after account deletion unless you specifically request their removal.

8. Your rights

You may request any of the following:

• Access to the personal data we hold about you
• Correction of inaccurate or incomplete data
• Deletion of your personal data
• Objection to or restriction of specific processing activities
• Portability of your data in a structured, machine-readable format
• Withdrawal of consent (the primary mechanism for the Smartcar connection is to disconnect the vehicle in your Garage)

To exercise any right, email support@letsgocharge.com. We aim to respond within 30 days.

8a. California privacy rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• The right to know what personal information we collect and how we use and disclose it
• The right to request deletion of your personal information
• The right to correct inaccurate personal information
• The right to limit the use and disclosure of sensitive personal information
• The right to opt out of the “sale” or “sharing” of personal information as those terms are defined under CCPA. As stated in Section 5, we do not sell or share your personal information.
• The right not to be discriminated against for exercising any CCPA right

To exercise any California right, email support@letsgocharge.com.

9. Security

We take security seriously and apply the following controls: bcrypt password hashing (cost factor 12), HTTPS-only transport, HMAC-signed Smartcar OAuth state parameters, JWT-based session cookies, structured audit logging with request identifiers, admin access controls, and Smartcar webhook signature verification.

Honest disclosure: Rate limiting on authentication endpoints, a password-breach check (HIBP / zxcvbn), and multi-factor authentication are planned but not yet shipped. You should not reuse passwords from other services.

9a. Data breach notification

In the event of a personal data breach affecting your information, we will notify affected users without undue delay, and we will notify data-protection authorities where required by applicable law. Our notification will describe the nature of the breach, its likely consequences, and the steps we are taking to address it.

10. Children's privacy

GoCharge is not directed to children under 13 in the United States (per COPPA) or under 16 in the European Union and United Kingdom (per GDPR, subject to member-state age of consent). Account creation requires users to be at least 18 years old under our Terms of Service. We do not knowingly collect data from children. If you believe a child has provided personal information, please contact us at support@letsgocharge.com and we will delete it.

11. International transfers

Personal data we process is hosted and processed in the United States. If you access the service from another country, your data is transferred to the United States for processing. We apply GDPR-level protections by default, regardless of where you reside.

12. Cookies and similar technologies

We use strictly-necessary cookies for authentication (the NextAuth session cookie) and to remember basic user-interface preferences. We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies at this time. If we add any non-essential cookies in the future, we will request your consent before enabling them.

13. Changes to this policy

We will update this policy as the service evolves. Material changes (new data uses, new categories of data, or new third parties) trigger a version bump (for example 1.0 → 2.0) and will be communicated by email and/or in-app notice. Non-material changes (typo fixes, clarifications) may update the “Last updated” date without a version bump. The current Version and Last updated date appear at the top of this page. Your continued use of the service after the effective date of a material change constitutes acceptance of the updated policy.

14. Contact us

Questions, rights requests, or complaints: support@letsgocharge.com.