Privacy Policy

Last updated: March 19, 2025

1. Controller

The entity responsible for data processing on this website and in connection with the associated Chrome extension is:
Teslafocus
Mitropoleos 54
Veroia 59100, Greece (EU)
info@teslafocus.com

2. Collection and Processing of Personal Data
2.1. When Using the Website and Chrome Extension

When you visit our website and use the Chrome extension, we collect the following personal data:
- Email address (required for authentication and user management)
- Name (required, for user identification and personalization, if a user account is created)
Purposes of Processing:
- Ensuring authentication (e.g., via Google Login using OAuth 2.0).
- Managing the user account.
- Providing and optimizing the functionality of the Chrome extension (e.g., displaying enriched vehicle data).
Legal Basis:
- The processing of the email address and name is based on Art. 6(1)(b) GDPR (performance of a contract), as this data is necessary to provide the service, including user authentication and account management.
- Vehicle Identification Numbers (VINs): When using the Chrome extension, we collect Vehicle Identification Numbers (VINs) displayed on the Tesla inventory website (https://www.tesla.com/). These VINs are extracted to retrieve additional vehicle information from our server at teslafocus.com, transmitted over HTTPS, and are not stored locally on the user’s device. The legal basis for processing VINs is Art. 6(1)(b) GDPR (performance of a contract), as this data is necessary to provide the extension’s functionality. VINs are not linked to personal data unless explicitly provided by the user, and they are deleted after processing or upon user request, unless required for legal retention purposes on our server (teslafocus.com).

2.2. Cookies

We use cookies to enable certain functions of our website and Chrome extension. Cookies are small text files stored on your device.
Cookies Used by Us:

NamePurposeStorage DurationCategory
`token`Storage of a JSON Web Token (JWT) for authentication24 HoursTechnically necessary
`user_info`Storage of user information (e.g., name, email) for authentication and user management24 HoursTechnically necessary
`user_session`Management of user session data for authentication and session security24 HoursTechnically necessary
`refresh_token`Storage of a Refresh Token to renew the authentication token7 DaysTechnically necessary
`_ga`, `_ga_3C730ZZL00`Analysis of user behavior (Google Analytics)24 hours or 2 yearsAnalytics (optional)
Technically Necessary Cookies:
For technically necessary cookies (e.g., `token`, `user_info`, `user_session`, `session`), no consent is required as they are essential for providing the service (Legal basis: Art. 6(1)(b) GDPR).
Optional Cookies (e.g., Google Analytics):
For non-essential cookies, such as analytics cookies (e.g., `_ga`, `_gid`), we rely on your consent, which you provide by continuing to use our website or extension. You can prevent the storage of these cookies by installing the browser add-on to disable Google Analytics (available at: https://tools.google.com/dlpage/gaoptout). We do not currently offer a cookie banner or settings to manage these cookies directly on our website.
Third-Country Data Transfer:
Data transmitted via cookies to Google Analytics may be transferred to the USA. We use EU Commission-approved Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR to ensure an adequate level of data protection. Please note that the USA does not offer a data protection level equivalent to that of the EU, and U.S. authorities could theoretically access your data. However, we have implemented technical and organizational measures to minimize this risk (e.g., IP anonymization). Please note that the transfer of data to Google Analytics in the USA involves risks due to the potential access by U.S. authorities under certain circumstances, as the USA does not provide an equivalent level of data protection as the EU. We have implemented EU Standard Contractual Clauses (SCC) and additional technical measures (e.g., IP anonymization) to mitigate these risks, but we cannot guarantee absolute protection against access by U.S. authorities. For more information, see Google’s Privacy Policy: https://policies.google.com/privacy.

3. Purpose of Data Processing

The processing of the aforementioned data serves the following purposes:
Authentication and User Management: Using OAuth 2.0, JSON Web Token (JWT), and password hashing (bcrypt), we ensure secure login and protection against unauthorized access.
- Legal Basis: Art. 6(1)(b) GDPR (performance of a contract).
Provision of Our Services: Particularly to display enhanced information on the Tesla inventory page, including retrieving and processing Vehicle Identification Numbers (VINs).
- Legal Basis: Art. 6(1)(b) GDPR (performance of a contract).
Analysis and Optimization: Using Google Analytics, we analyze user behavior on our website to improve our offering.
- Legal Basis: Art. 6(1)(a) GDPR (consent). Alternatively, if consent is not obtained: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in improving the functionality and user-friendliness of our website. We ensure through IP anonymization and opt-out options that your rights and freedoms are not disproportionately affected.

4. Disclosure to Third Parties
4.1. teslafocus.com

As part of the Chrome extensions functionalities, data is transmitted to the external server of teslafocus.com to retrieve additional vehicle information. Additionally, teslafocus.com offers users the option to register and log in directly on the platform.
Registration and Login at teslafocus.com:
Users can register at teslafocus.com with the following data:
- Name (required, for user identification and personalization),
- Email address (required for registration and user management),
- Password (required for authentication).
Alternatively, users can use the option to register and log in via Google OAuth 2.0. In this case, the following data is transmitted from Google to teslafocus.com:
- Email address,
- Name (required, if stored and shared in the Google account).
Purposes of Processing:
- Provision and management of the user account on teslafocus.com, including authentication.
- Enabling login via Google OAuth 2.0 to simplify the registration process.
- Retrieval of additional vehicle information (e.g., based on the VIN number) within the Chrome extension.
Legal Basis:
- The processing of data provided during registration (name, email address, password) is based on Art. 6(1)(b) GDPR (performance of a contract), as this data is necessary to provide the service (user account provision).
- The use of Google OAuth 2.0 is also based on Art. 6(1)(b) GDPR (performance of a contract), as this option facilitates simplified registration and login.
- The transmission of the VIN number to teslafocus.com to provide vehicle information is based on Art. 6(1)(b) GDPR (performance of a contract). Note: The VIN number is generally not considered personal data unless it can be linked to an individual in combination with other data. We ensure that no personal data is transmitted without a legal basis. VINs are transmitted over HTTPS and are not stored locally on the users device.
Note on Google OAuth 2.0:
If you choose to register or log in via Google OAuth 2.0, your data (email address, name) will be processed in accordance with Googles privacy policies. Please note that Google may transfer data to the USA, a third country without an equivalent level of data protection as the EU. Google has committed to using EU Commission-approved Standard Contractual Clauses (SCC) to ensure an adequate level of protection. Nevertheless, U.S. authorities could theoretically access your data. For more information, see Google’s Privacy Policy: https://policies.google.com/privacy.
Data Processing by teslafocus.com:
We have concluded a Data Processing Agreement (DPA) with teslafocus.com pursuant to Art. 28 GDPR to ensure that your data is processed solely for the agreed purposes and in compliance with the GDPR. teslafocus.com is obliged to implement appropriate technical and organizational measures to protect your data, including HTTPS encryption, restricted access controls, and potentially server-side encryption (e.g., AES-256) for sensitive data like VINs.

4.2. Google Analytics

We use Google Analytics to analyze user behavior. This involves collecting data such as IP address (anonymized), location data, technical user behavior, and other technical information.
- Legal Basis: Art. 6(1)(a) GDPR (consent). Alternatively, if consent is not obtained: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in optimizing our online offering.
- Third-Country Data Transfer: See Section 2.2 (Cookies) for details on data transfer to the USA.

5. Data Storage Duration

Personal data is generally stored as long as a user account exists or until the user deletes their account.
- Email Address and Name: These data are deleted once the user account is deleted, unless legal retention obligations apply.
- Vehicle Identification Numbers (VINs): VINs are not stored locally on the user’s device and are processed temporarily in memory during the use of the Chrome extension. They are transmitted over HTTPS to our server (teslafocus.com).
- Google Analytics Data: The storage duration of analytics data is up to 2 years (depending on the cookie settings). Anonymized data may be stored longer as it is no longer personal.
If legal retention obligations apply (e.g., tax or commercial law requirements), the data will be retained accordingly. After the retention periods expire, the data will be deleted or anonymized without delay.

6. Security Measures

To protect your data, we implement, among others, the following technical and organizational measures:
- OAuth 2.0 for secure Google login.
- JSON Web Token (JWT) for authentication.
- bcrypt for password hashing.
- Session Management and corresponding redirects to ensure session security.
- HTTPS Encryption to secure data transmission, including the transmission of Vehicle Identification Numbers (VINs) from the Chrome extension to teslafocus.com.
We regularly review the effectiveness of our security measures and adjust them as needed to ensure an appropriate level of protection.

7. User Rights

As a data subject, you have the following rights under the GDPR:
- Right of Access (Art. 15 GDPR): You can request confirmation of whether and which personal data about you is being processed, as well as further information about the processing (e.g., purposes, categories of data, recipients).
- Right to Rectification (Art. 16 GDPR): If your data is inaccurate or incomplete, you have the right to request its correction or completion.
- Right to Erasure (Art. 17 GDPR): Subject to legal retention obligations, you can request the deletion of your personal data (right to be forgotten”).
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction of processing, e.g., if the accuracy of the data is disputed or the processing is unlawful.
- Right to Data Portability (Art. 20 GDPR): You can request to receive the data you provided in a structured, commonly used, and machine-readable format or have it transferred to another controller.
- Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data, particularly in the context of Google Analytics, if it is based on Art. 6(1)(f) GDPR (legitimate interest). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to Withdraw Consent (Art. 7(3) GDPR): If you have given us consent to process your data (e.g., for Google Analytics), you can withdraw it at any time. The withdrawal does not affect the lawfulness of processing prior to the withdrawal.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, workplace, or the place of the alleged infringement, if you believe the processing of your personal data violates the GDPR. A list of data protection authorities in Greece can be found at: www.dpa.gr.
Exercising Your Rights:
To exercise these rights, you can use the functions available in your user profile (e.g., profile editing and account deletion) or contact us via the contact form provided on our website. Alternatively, you can reach us by email at info@teslafocus.com. We will process your request promptly, at the latest within the legally prescribed deadlines.

8. Changes to the Privacy Policy

We reserve the right to update this Privacy Policy as needed to ensure it always complies with current legal requirements or reflects changes to our services. The latest version will be available on our website. We will inform you of significant changes affecting your rights via email or a notice on our website.

9. Contact

For questions or further information about data protection, please contact:
Teslafocus
Mitropoleos 54
Veroia 59100, Greece (EU)
info@teslafocus.com