Privacy Policy

Last updated: February 2026

1. Who We Are

ClearMyCarma ("we," "us," or "our") operates the website and service at clearmycarma.app. Our mission is to let drivers turn everyday miles into charitable donations — automatically, with no extra effort.

We connect to your vehicle through Tesla's Fleet API or Smartcar's API (supporting 40+ brands) with your explicit consent, and we read only your odometer to calculate how far you've driven each month.

2. Data We Collect

Account data you provide

  • Your name and email address (used to create your account and communicate with you)
  • Your password, stored as a salted cryptographic hash — we never see it in plain text
  • Your selected cause and pledge rate (dollars per mile)

Vehicle data (with your consent)

  • Odometer reading — read once per month to calculate miles driven. This is the only vehicle datapoint we collect.
  • Your Tesla user ID (from OAuth) or Smartcar user ID — used solely to maintain your vehicle connection
  • Vehicle make, model, and year — displayed in your account settings

Payment data

  • Your payment method is securely handled by Stripe. We store only your Stripe Customer ID and payment method ID — never raw card numbers, CVVs, or full PAN data.

What we do NOT collect

  • GPS location, routes, or driving patterns
  • Speed, acceleration, or driving behavior
  • Vehicle command access — we cannot unlock, start, or control your car in any way
  • Data from children under 13

3. How We Use Your Data

  • Monthly billing: We read your odometer on the 1st of each month, calculate miles driven × your pledge rate, and charge your card on file via Stripe.
  • Charitable donations: Funds collected are directed to the cause you selected.
  • Account management: Your email is used to send billing receipts and service notices.
  • Service improvement: Aggregate, anonymized usage data (e.g., total miles across all users) may be used to improve the service.

We do not sell your personal data. We do not use your data for advertising.

4. Vehicle API Disclosures

Tesla

We access your Tesla vehicle through Tesla's Fleet API under the scopes you authorized during the OAuth flow. We request only the minimum necessary scopes to read your odometer. Your data is also subject to Tesla's Privacy Notice. We are an independent application and are not affiliated with Tesla, Inc.

Smartcar

For non-Tesla vehicles, we use the Smartcar API to connect to your vehicle. We request only read_odometer and read_vehicle_info scopes. Your use is also subject to Smartcar's Privacy Policy.

5. Data Sharing

We share your data only with the following service providers, who are contractually prohibited from using it for their own purposes:

  • Stripe — payment processing
  • Upstash (Redis) — encrypted data storage
  • Vercel — hosting and infrastructure
  • Tesla / Smartcar — vehicle API providers

We do not sell, rent, or trade your personal information to any third party.

6. Your Rights & Choices

Disconnect your vehicle

You can disconnect your vehicle at any time from your Account Settings. For Tesla, you can also revoke access directly: Tesla app → Security & Privacy → Third-Party Apps → ClearMyCarma → Revoke. We stop reading odometer data immediately.

Delete your account

Email us at privacy@clearmycarma.app to request full account deletion. We will remove your personal data within 30 days.

Data portability

You may request a copy of the data we hold about you at any time.

California residents (CCPA/CPRA)

  • Right to know what personal information we collect, use, and share
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information (we do not sell personal data)
  • Right to correct inaccurate personal information
  • We do not discriminate against users who exercise these rights

7. Data Retention

  • Odometer readings: Stored as your monthly baseline; overwritten each billing cycle
  • Billing records: Retained for 7 years as required for financial record-keeping
  • Account data: Retained until you request deletion
  • Session cookies: Expire after 8 hours (HTTP-only, encrypted)

8. Security

We use industry-standard protections, including TLS encryption in transit, HTTP-only encrypted session cookies (iron-session), and OAuth 2.0 with PKCE for Tesla authentication. We never store your vehicle account credentials. OAuth tokens are stored encrypted in our database.

9. Children's Privacy

ClearMyCarma is not directed to children under 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

We will notify enrolled users of material changes via email and by updating the date above. Continued use after changes constitutes acceptance.

Contact Us

For privacy questions, data requests, or to exercise your rights:

Email: privacy@clearmycarma.app

We respond to all privacy requests within 30 days.