Blitz T Club ("we", "us", or "our") operates the BlitzVolt platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. This policy is compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
Our Commitment: We believe in radical transparency. This policy discloses every type of data we collect, exactly how we use it, who we share it with, and how long we keep it. If you have any questions after reading this, contact us at info@blitztclub.com.
1.0 Data Controller
The data controller responsible for your personal information is:
Blitz T Club
EntityBlitz T Club
JurisdictionOntario, Canada
Privacy Officerinfo@blitztclub.com
General Inquiriesinfo@blitztclub.com
As the data controller, we determine the purposes and means of processing your personal information and are responsible for ensuring compliance with PIPEDA.
2.0 Information We Collect
We collect the following categories of personal information to operate the BlitzVolt platform:
2.1 Account Information
Full legal name
Email address
Province of residence
Account creation date
2.2 Tesla API Tokens & Vehicle Data
OAuth Tokens: Encrypted Tesla Fleet API access tokens and refresh tokens, stored using AES-256-GCM encryption.
Vehicle Identification Number (VIN): Used to verify vehicle ownership and attribute charging sessions to your account.
Charging Data: Energy delivered (kWh), charging start and end timestamps, session duration, charging power levels (kW), and charge state (plugged in, charging rate).
GPS Coordinates: Location data recorded at a maximum of every 15 minutes, only while the vehicle is awake and actively charging. GPS data received when the vehicle is not charging is immediately destroyed and never persisted. See Section 2.8 for full details.
Battery State of Charge (SOC): Battery percentage before, during, and after charging sessions.
Odometer Reading: For compliance reporting and session attribution under the Clean Fuel Regulations.
Vehicle Connectivity Status: Whether the vehicle is online, asleep, or offline.
2.3 Fleet Telemetry Data
Through the telemetry virtual key (paired via Tesla's app-key system), your vehicle pushes the following data streams directly to our server in real-time. This data is used for automatic charging session detection, reward crediting, and CFR compliance verification:
Charge state — plugged in status, active charging status, and charging rate (kW).
Battery state of charge (SOC) — percentage before, during, and after charging.
Energy delivered — total kWh added per charging session.
Vehicle GPS location — recorded at a maximum interval of 15 minutes, only while the vehicle is awake and charging. Non-charging GPS is destroyed on receipt (see Section 2.8).
Odometer reading — for compliance reporting.
Vehicle connectivity status — online, asleep, or offline.
Telemetry is read-only: The virtual key does not grant vehicle control. BlitzVolt cannot unlock doors, start the vehicle, activate climate control, or issue any commands. The key solely authorizes your vehicle to send charging data to our server. See our Terms of Service Section 4.5 for full details.
2.4 Home Geofence Data
Home address or manually set GPS coordinates.
Geofence radius configuration for charging session verification.
2.5 Financial Transaction Data
Reward accumulation history (kWh credits, CAD balances).
Withdrawal requests and Interac e-Transfer transaction records.
Referral bonus payments received.
Interac e-Transfer email address for payout delivery.
2.6 Referral Data
Unique referral code generated for your account.
Referral relationships (who referred you, who you referred).
Referral qualification status and progress toward thresholds.
BlitzVolt implements a strict charging-only GPS retention policy. Vehicle location data is collected through Tesla Fleet Telemetry at a maximum interval of once every 15 minutes, and is subject to the following protections:
Immediate Destruction of Non-Charging GPS: When a GPS coordinate is received and the vehicle is not actively charging (no power flow, no charging state), the data is immediately and permanently destroyed. It is never written to our database, never stored in server memory, and never logged. You can verify this in our open architecture — standalone location frames are discarded before any storage operation occurs.
Charging-Gated Retention: GPS coordinates are only retained in server memory when charging signals are simultaneously detected (power flow > 1kW or active charging state). This prevents driving location data from being captured between sessions.
Automatic Memory Purge: Any in-memory vehicle state (including GPS) that has not seen charging activity for 30 minutes is automatically purged every 5 minutes by a background cleanup process. This ensures no location data persists in RAM between sessions.
Session-End Wipe: When a charging session ends, all in-memory GPS state for that vehicle is immediately deleted. Only the GPS coordinates captured during that specific charging session are persisted to the database for audit purposes.
Sleep Mode = No Data: When your vehicle enters sleep mode (typically 10–15 minutes after parking and locking), Tesla ceases all telemetry transmission. No GPS, no charging data, nothing is sent. BlitzVolt does not wake sleeping vehicles to collect data.
What we DO NOT track: Driving routes, daily travel patterns, locations visited, commute times, speeds, or any movement data. We do not build a location history of where your vehicle has been. The only GPS data we retain is the coordinate recorded during an active charging session, used solely to verify that charging occurred within 500m of your registered home address.
This charging-only GPS retention policy is designed to satisfy the data minimization principle under PIPEDA while meeting the Measurement, Reporting, and Verification (MRV) requirements of Canada's Clean Fuel Regulations. Carbon credits cannot be issued without verifiable location proof that charging occurred at the participant's registered home address — but that proof is limited to the charging event itself, not your vehicle's broader movements.
3.0 How We Use Your Data
We use your personal information for the following specific, identified purposes:
Reward Calculation: To calculate and credit your account with points based on verified home charging sessions at the applicable rate (up to 5 points per kWh in Telemetry Mode or 4 points per kWh in Standard Mode).
Geofence Verification: To verify that charging sessions occur at your registered home location using GPS coordinate matching and the Haversine formula.
CFR Carbon Credit Aggregation: To aggregate verified charging data for the purpose of generating carbon credits under Canada's Clean Fuel Regulations (CFR), which funds the rewards program.
Fraud Prevention: To detect and prevent fraudulent activity, including anomalous charging patterns, duplicate accounts, and referral program abuse.
Service Improvement: To analyze usage patterns and improve the platform experience, performance, and reliability.
Communication: To send service-related notifications, reward updates, and important account information.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4.0 Data Sharing
We do not sell your personal information. We share data only with the following categories of service providers and as required by law:
Supabase (Data Processor): Our primary database and backend infrastructure provider. All data at rest is encrypted and protected by Row Level Security (RLS) policies. Supabase acts as a data processor under our instructions and is contractually bound to protect your data.
Tesla Fleet API: We send API requests to Tesla's servers to retrieve your charging data as authorized by your OAuth consent. Tesla's own privacy policy applies to data on their platform.
Interac e-Transfer Processor: We share your Interac e-Transfer email address and payment amount with our payment processor to facilitate withdrawals. No banking credentials or account numbers are shared with us or stored.
Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request, including to comply with CRA reporting obligations and law enforcement requests.
CFR Compliance Auditors & Carbon Credit Aggregators: Charging session data (including GPS coordinates, energy delivered, timestamps, and geofence verification results) may be shared with Environment and Climate Change Canada (ECCC), third-party verification auditors, and carbon credit aggregators for the purpose of verifying emission reductions and issuing carbon credits under the Clean Fuel Regulations. This data is limited to what is necessary for compliance reporting — no driving data, personal travel history, or non-charging location data is shared.
5.0 Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:
Retention Schedule
Account DataDuration of active account
Charging Session Data7 years (CFR compliance)
Charging GPS Coordinates7 years (audit proof — charging sessions only)
Non-Charging GPS Data0 seconds — destroyed on receipt, never stored
Tesla OAuth TokensDeleted on disconnect
Telemetry Virtual KeyRemoved on disconnect / key deletion
Financial Transaction Records7 years (tax compliance)
Referral DataDuration of active account
Device/Usage Logs90 days
When data reaches the end of its retention period, it is securely deleted or anonymized so it can no longer be associated with you.
6.0 Security Measures
We implement industry-leading security measures to protect your personal information:
AES-256-GCM Encryption: All Tesla API tokens and sensitive credentials are encrypted at rest using AES-256-GCM, an authenticated encryption algorithm providing both confidentiality and integrity guarantees.
TLS Encryption: All data in transit between your device and our servers is encrypted using Transport Layer Security (TLS 1.2+).
Row Level Security (RLS): Our Supabase database enforces Row Level Security policies, ensuring that each user can only access their own data.
OAuth 2.0 PKCE: Your Tesla connection uses the PKCE extension to OAuth 2.0, ensuring your Tesla credentials are never exposed to our platform.
Access Controls: Internal access to personal data is strictly limited to authorized personnel on a need-to-know basis.
Disclaimer: While we implement robust security measures, no system is completely secure. We cannot guarantee the absolute security of your data. We encourage you to use strong, unique passwords and to protect your account credentials.
7.0 Your Rights Under PIPEDA
Under PIPEDA, you have the following rights regarding your personal information:
Right of Access: You may request a copy of all personal information we hold about you. We will provide this within 30 days of receiving a verified request.
Right to Correct: You may request correction of any inaccurate or incomplete personal information. You can update most account details directly in the app.
Right to Withdraw Consent: You may withdraw your consent for data collection at any time by disconnecting your Tesla account and/or deleting your BlitzVolt account. Note that withdrawal of consent may affect your ability to use the Service.
Right to Data Portability: You may request an export of your data in a structured, commonly used, machine-readable format (such as JSON or CSV).
Right to Delete: You may request the deletion of your personal information, subject to legal retention requirements (e.g., charging data retained for 7 years for CFR compliance).
To exercise any of these rights, please contact our Privacy Officer at info@blitztclub.com. We will respond to all requests within 30 days.
8.0 Cookies & Tracking
BlitzVolt uses minimal cookies and tracking technologies:
Essential Cookies: We use cookies necessary for authentication, session management, and security (e.g., CSRF protection). These cannot be disabled.
No Third-Party Analytics: We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracking scripts.
No Advertising Cookies: We do not serve ads or use advertising cookies of any kind.
If we introduce additional tracking technologies in the future, we will update this policy and provide appropriate notice and consent mechanisms.
9.0 Third-Party Links
The BlitzVolt platform may contain links to third-party websites or services, including Tesla's website and Interac's services. This Privacy Policy does not apply to third-party sites.
We are not responsible for the privacy practices of third-party services. We encourage you to read the privacy policies of any third-party services you access through our platform. Your interactions with third-party websites are governed solely by their respective terms and policies.
10.0 Children's Privacy
BlitzVolt is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If we become aware that we have collected personal information from a person under 18 without verification of parental consent, we will take steps to delete that information promptly. If you believe a minor has provided us with personal information, please contact us at info@blitztclub.com.
11.0 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Update the "Last Updated" date at the top of this policy.
Notify you via email and/or in-app notification at least 30 days before changes take effect.
Provide an opportunity for you to review the changes and, if you disagree, to delete your account and data.
Continued use of the Service after the effective date of any changes constitutes acceptance of the revised Privacy Policy.
12.0 Contact
For privacy-related questions, data access requests, or to exercise any of your rights under PIPEDA, please contact our Privacy Officer:
Privacy Officer — Blitz T Club
Privacy Inquiriesinfo@blitztclub.com
General Supportinfo@blitztclub.com
JurisdictionOntario, Canada
If you are not satisfied with our response to a privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.