1. Who we are
Wheelz is published by Vortac Labs, an independent app studio. In this policy, “Vortac Labs,” “Wheelz,” “we,” “us,” and “our” refer to the entity that operates the Wheelz mobile application and the vortaclabs.com website. For purposes of the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), Vortac Labs is the “business.” For purposes of the European Union General Data Protection Regulation and the United Kingdom General Data Protection Regulation (collectively, “GDPR”), Vortac Labs is the “controller” of personal data processed through the services described here.
2. Scope
This policy applies to the Wheelz iOS application, the vortaclabs.com website, and any related online services that link to this policy (together, the “Services”). It does not apply to third-party websites, applications, or services that are not operated by Vortac Labs, even if you reach them through the Services. Those third parties have their own privacy practices.
3. Summary at a glance
- We collect account information, vehicle information, drive and location information, device information, photographs you upload, push-notification tokens, and support correspondence.
- We use that information to run the Services, authenticate you, generate drive summaries and statistics, send notifications, prevent fraud and abuse, comply with law, and improve the product.
- We share information with service providers (such as Google Firebase, Apple, and Mapbox), with legal authorities when required, in connection with corporate transactions, and with your consent.
- We may, now or in the future, sell, license, or share aggregated or de-identified drive and vehicle data with third parties including automotive research firms, insurance industry analytics providers, mapping and navigation services, and municipal or academic traffic-research entities. We do not sell personal information that identifies you individually.
- You have rights to access, correct, delete, port, restrict, and opt out of certain processing of your personal information. You can exercise those rights by emailing privacy@vortaclabs.com.
4. Categories of personal information we collect
The categories of personal information we collect, framed using the California Consumer Privacy Act's defined categories, are:
- A. Identifiers
- Username, display name, real name (if you choose to provide it), email address, optional phone number, account identifier, sign-in provider identifier (for example, an Apple or Google account identifier), device identifier, and IP address.
- B. Customer records
- Account profile, vehicle profile (make, model, year, optional photo, and generated vehicle artwork), and saved drives.
- C. Commercial information
- A record of features you have used inside the app. We do not currently process payments. If we introduce paid features in the future, transaction data will be processed by a third-party payment processor and added to this category.
- D. Internet or other electronic network activity
- Information about your interactions with the app and the website, including session timestamps, screen views, feature use, crash reports, diagnostic logs, and referring URLs.
- E. Geolocation data (precise)
- Precise device location while drive recording is active or while the app is in the foreground with location permission granted. This includes latitude, longitude, course (direction of travel), speed, horizontal accuracy, altitude where available, and timestamps. We treat precise geolocation as sensitive personal information.
- F. Sensory or audiovisual information
- Photographs you upload, including profile photos and vehicle photos. We do not record audio or video.
- G. Inferences
- Inferences drawn from your activity in the app, such as estimated drive types (highway, surface street, track), top-speed records, and personal bests.
- H. Sensitive personal information
- Precise geolocation and account credentials. Under CCPA/CPRA you have the right to limit our use of sensitive personal information to purposes necessary to provide the Services. We do not use sensitive personal information to infer characteristics about you.
We do not knowingly collect government identifiers, biometric data, health information, financial account numbers, racial or ethnic information, religious beliefs, union membership, sexual orientation, or genetic data.
5. How we collect personal information
- Directly from you. When you create an account, complete onboarding, add a vehicle, upload a photo, send a support message, or otherwise interact with the Services.
- Automatically from your device. When you use the app, our software collects device information, app interaction information, crash and diagnostic logs, and, with your permission, precise geolocation data.
- From third parties. If you sign in with Apple or Google, we receive a limited identifier and the information you authorize that provider to share. We may also receive aggregated information from analytics and infrastructure providers about how the Services are performing.
6. Why we use personal information
We use personal information for the following purposes:
- Provide the Services. Create and authenticate accounts, store vehicles and drives, generate route previews and statistics, display leaderboards, and deliver push notifications.
- Manage your account. Honor your settings, respond to support requests, and communicate operational information.
- Safety and abuse prevention. Detect, investigate, and prevent fraud, harassment, impersonation, and other misuse of the Services.
- Legal compliance. Comply with applicable laws, respond to lawful requests from public authorities, and enforce our Terms of Service and Safety Policy.
- Product research and improvement. Understand how the Services are used, debug issues, and improve features. This includes training internal machine-learning models on de-identified or aggregated data.
- Aggregated data products. Produce de-identified or aggregated datasets that we may use internally, publish, or sell or license to third parties as described in Section 9.
- Corporate transactions. Evaluate, negotiate, or execute a merger, acquisition, financing, reorganization, sale of assets, or similar transaction.
7. Location data
Wheelz depends on precise location data to provide its core functionality. When you grant the app “Always Allow” location permission on iOS, the app uses a combination of significant location changes, geofence triggers, and high-accuracy location updates to detect when a drive begins, to record the route and speed while the drive is in progress, and to determine when the drive ends.
During an active drive, Wheelz collects latitude, longitude, course, speed, horizontal accuracy, altitude where available, and timestamps. These data points are written to your account's drive log. Speed samples are used to compute top-speed records, personal bests, and leaderboard positions where applicable.
You can change location permissions at any time in your device settings. If you set location permission to “While Using” or “Never,” the app will not be able to record drives automatically in the background, and some features (route recording, speed tracking, leaderboards, drive summaries) will degrade or stop working. You can also delete previously recorded drives from inside the app.
We treat precise geolocation as sensitive personal information under applicable law. See Section 10 for your right to limit our use of sensitive personal information.
8. How we share your data
We share personal information in the following circumstances:
- Service providers and processors. We share information with vendors that perform services on our behalf and under written contracts that restrict their use of the information. These include cloud infrastructure providers (Google LLC, including Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, and Firebase Cloud Messaging), authentication providers (Apple Inc., Google LLC), and mapping providers (Mapbox, Inc.).
- Aggregated or de-identified data recipients. We may, now or in the future, share or sell aggregated or de-identified data with third parties including automotive research firms, insurance industry analytics providers, mapping and navigation services, data aggregators, and municipal or academic traffic-research entities. See Section 9 for details and your opt-out rights.
- Legal compliance and safety. We may disclose information in response to a subpoena, court order, search warrant, or other lawful request, or where we believe in good faith that disclosure is necessary to comply with law, enforce our Terms or Safety Policy, protect the rights, property, or safety of Vortac Labs, our users, or the public, or detect and prevent fraud or security incidents.
- Corporate transactions. If Vortac Labs is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, personal information may be transferred as part of that transaction, subject to the terms of this policy or with notice to you where required by law.
- With your direction or consent. If you ask us to share information with another party, or if we obtain your consent for a specific disclosure not described above.
9. Data sales and sharing under US state privacy laws
Vortac Labs may, now or in the future, monetize aggregated or de-identified data derived from drives, vehicles, and usage of the Services. Categories of recipients may include data aggregators, automotive industry research firms, insurance industry analytics providers (in a form in which you are not individually identified), mapping and navigation services, and municipal, governmental, or academic traffic-research entities. We do not sell personal information that identifies you individually.
Some United States state privacy laws define “sale” and “sharing” broadly enough that certain disclosures of de-identified or pseudonymous data could be treated as a sale or share, even where the data does not directly identify a consumer. Out of an abundance of caution, this section serves as our notice of sale and sharing under those laws, including the California Consumer Privacy Act as amended, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, and comparable laws in Oregon, Montana, Iowa, Tennessee, and any other US state in which we offer the Services.
9.1 Your right to opt out
You have the right to opt out of the sale or sharing of your personal information and the right to opt out of targeted advertising and certain profiling activities under applicable state law. To exercise that right:
- Email privacy@vortaclabs.com with the subject line “Do Not Sell or Share My Personal Information.” Please include the email address associated with your Wheelz account.
- Use the in-app data-sharing setting to disable inclusion of your drive data in aggregated and de-identified data products. (TODO: the in-app toggle is a planned engineering deliverable. If the toggle is not yet available when you read this, the email channel above is the authoritative opt-out method.)
9.2 Global Privacy Control
If your browser or device transmits a Global Privacy Control (“GPC”) signal when interacting with the vortaclabs.com website, we treat that signal as a valid opt-out of the sale or sharing of personal information collected through the website for the device and browser from which the signal is sent. The GPC signal does not currently propagate from iOS app contexts; please use the email or in-app opt-out for the mobile app.
9.3 Categories disclosure (CCPA / CPRA twelve-month look-back)
| Category | Source | Purpose | Disclosed to | Sold or shared (de-identified or aggregated only) | Retention |
|---|---|---|---|---|---|
| Identifiers | You; sign-in providers; your device | Account creation, authentication, communications, security | Cloud infrastructure providers; authentication providers | No | Active account plus 30 days after deletion request; backups up to 90 days |
| Customer records | You; the app | Display profile, vehicles, and drive history | Cloud infrastructure providers | No (individual records); Yes (aggregated or de-identified vehicle composition data) | Active account plus 30 days after deletion request |
| Commercial information | You; payment processor (future) | Process transactions if and when paid features launch | Payment processor (future) | No | As required by tax and accounting law (typically seven years) |
| Internet or network activity | Your device; the app; the website | Operate, secure, debug, and improve the Services | Cloud infrastructure providers; analytics processors | Yes (aggregated only) | Up to 24 months |
| Geolocation data (precise) | Your device (with permission) | Drive detection, route and speed recording, leaderboards | Cloud infrastructure providers; mapping provider for tile rendering | Yes (aggregated and de-identified drive data) | Active account plus 30 days after deletion request |
| Sensory or audiovisual information (photos) | You | Display profile and vehicle photos in the app | Cloud storage provider | No | Active account plus 30 days after deletion request |
| Inferences | Derived by the app | Top-speed records, leaderboards, drive summaries | Cloud infrastructure providers | Yes (aggregated only) | Active account plus 30 days after deletion request |
| Sensitive personal information (precise location, credentials) | Your device; you; sign-in providers | Provide the Services and secure your account only | Cloud infrastructure providers; authentication providers | No | Active account plus 30 days after deletion request |
10. Your privacy rights
Depending on where you live, you may have some or all of the following rights with respect to your personal information:
- Right to know or access. Confirm whether we are processing your personal information and obtain a copy of it.
- Right to correct. Correct inaccurate personal information we maintain about you.
- Right to delete. Request deletion of your personal information, subject to legal exceptions.
- Right to portability. Receive a copy of personal information in a portable, structured format.
- Right to opt out of sale or sharing. Direct us to stop selling or sharing your personal information as described in Section 9.
- Right to limit use of sensitive personal information. Direct us to limit the use of your sensitive personal information (including precise geolocation) to purposes necessary to provide the Services.
- Right to opt out of targeted advertising and profiling. Under VCDPA, CPA, CTDPA, UCPA, TDPSA, and comparable laws.
- Right to appeal. If we deny a privacy request, you may appeal by replying to our written decision. In Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and Tennessee, the law specifically provides this appeal right; we honor it in all jurisdictions.
- Right against retaliation. We will not deny you Services, charge you a different price, or provide you a different level of quality because you exercised a privacy right.
10.1 How to exercise your rights
To exercise a right, email privacy@vortaclabs.com from the email address associated with your Wheelz account, or send a written request to the mailing address listed in Section 18. We may ask you to verify your identity before responding to certain requests. We will respond within forty-five (45) days of receiving a verifiable request, and may extend that period by an additional forty-five (45) days when reasonably necessary. An authorized agent may submit a request on your behalf if you provide written authorization that we can verify.
10.2 State-by-state summary
- California (CCPA/CPRA). Right to know, access, correct, delete, opt out of sale or sharing, limit use of sensitive personal information, and not be retaliated against. See also the California Supplement in Section 19.
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, and Tennessee. Rights to access, correct (where applicable), delete, portability, and opt out of sale, targeted advertising, and profiling that produces legal or similarly significant effects. Texas requires a notice of the right to opt out of sale and sharing, which this policy provides in Section 9.
- Other states. If a state in which you reside enacts a privacy law granting you rights described here, we honor those rights to the extent the law applies to Vortac Labs and the processing in question.
10.3 European Union and United Kingdom (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Sections 10.1 and 10.2 plus the rights to restrict processing, to object to processing based on our legitimate interests or direct marketing, to withdraw consent at any time without affecting the lawfulness of prior processing, and to lodge a complaint with a supervisory authority. See Section 18 for our EU/UK contacts (placeholder) and Section 17 for international transfer mechanisms.
11. Retention
We retain personal information for as long as your account is active or as needed to provide the Services. When you request deletion of your account, we initiate a thirty (30) day soft-delete period during which the account is deactivated and recoverable, after which we delete or anonymize the underlying records in our active production systems.
Encrypted backups taken in the normal course of business are typically retained for up to ninety (90) days on a rolling basis; deleted records are not restored from those backups unless required for disaster recovery, and we re-apply the deletion when a backup is restored.
We may retain de-identified or aggregated data, including data derived from drives, vehicles, and usage, for an unlimited period. Once data has been de-identified in accordance with applicable law, we will maintain and use it only in de-identified form and will not attempt to re-identify it.
We may also retain personal information for longer periods where necessary to comply with law, resolve disputes, enforce our agreements, prevent fraud or abuse, or for tax, accounting, or regulatory recordkeeping.
12. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption in transit using industry-standard Transport Layer Security, encryption at rest where supported by the underlying infrastructure provider, role-based access control, logging, and periodic review of our security posture.
No method of transmission over the internet or method of electronic storage is one hundred percent secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact privacy@vortaclabs.com.
13. International data transfers
Vortac Labs is based in the United States. When you use the Services, personal information may be transferred to, stored in, and processed in the United States or any other country in which Vortac Labs or its service providers maintain facilities. These countries may have data protection laws that differ from those in your country.
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed adequate by the relevant authority, we rely on the European Commission's Standard Contractual Clauses (or, for transfers from the United Kingdom, the UK International Data Transfer Addendum) as the lawful basis for the transfer, together with any supplementary measures necessary to ensure an essentially equivalent level of protection.
14. Children's privacy
Wheelz is not directed to children. The Services are intended for users who are at least seventeen (17) years of age and who hold a valid driver's license or learner's permit in their jurisdiction. We do not knowingly collect personal information from children under the age of thirteen (13). If we learn that we have collected personal information from a child under thirteen without verifiable parental consent, we will delete that information promptly.
If you are a parent or guardian and believe your child has provided personal information to us, contact privacy@vortaclabs.com and we will investigate and, where appropriate, delete the information.
15. Third-party links and services
The Services rely on, link to, or interoperate with third-party platforms and services, including Apple iOS and Apple sign-in services, Google Firebase (including Authentication, Firestore, Cloud Storage, Cloud Functions, and Cloud Messaging), and Mapbox. Your interactions with those services are governed by their own privacy policies and terms.
- Apple privacy policy: see Apple's published privacy policy.
- Google / Firebase privacy policy: see Google's published privacy policy.
- Mapbox privacy policy: see Mapbox's published privacy policy.
16. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and provide additional notice through the Services, by email, or by other means we consider reasonable. Your continued use of the Services after the effective date of an update constitutes your acceptance of the updated policy, except where additional consent is required by law.
17. Contact
For general privacy questions or to exercise the rights described in Section 10: privacy@vortaclabs.com.
For GDPR / UK GDPR inquiries: dataprotection@vortaclabs.com.
Mailing address: Vortac Labs, attn: Privacy.
18. European Union and United Kingdom supplement
This section applies to individuals whose personal data is processed by Vortac Labs in connection with the offer of Services to individuals located in the European Economic Area, the United Kingdom, or Switzerland, or in connection with monitoring of their behavior in those territories.
18.1 Lawful bases for processing
- Performance of a contract. Processing necessary to provide the Services that you have requested, including account authentication, drive recording, route rendering, and notification delivery (GDPR Art. 6(1)(b)).
- Legitimate interests. Processing necessary for our legitimate interests in operating, securing, and improving the Services, preventing fraud, conducting analytics, and developing aggregated data products, where those interests are not overridden by your interests, rights, and freedoms (GDPR Art. 6(1)(f)).
- Legal obligation. Processing necessary to comply with a legal obligation to which we are subject (GDPR Art. 6(1)(c)).
- Consent. Where required by law, we process personal data on the basis of your consent, which you may withdraw at any time (GDPR Art. 6(1)(a) and, for special categories of personal data, Art. 9(2)(a)).
18.2 Data Protection Officer and EU Representative
For inquiries directed to our Data Protection Officer (where appointed) or our Article 27 representative in the European Union (where appointed), contact dataprotection@vortaclabs.com.
18.3 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority in the member state of your habitual residence, place of work, or place of the alleged infringement. We would, however, appreciate the chance to address your concerns first; please contact us at the address above.
19. California supplement (CCPA / CPRA)
This section provides information required by the California Consumer Privacy Act as amended by the California Privacy Rights Act. It supplements, and does not replace, the rest of this policy.
19.1 Notice at collection
At or before the point of collection, we collect the categories of personal information listed in Section 4 for the purposes listed in Section 6. We may sell or share certain categories of personal information as described in Sections 8 and 9, in de-identified or aggregated form. We retain personal information for the periods described in Section 11.
19.2 Categories disclosed for a business purpose
In the preceding twelve months, we have disclosed the categories of personal information identified in Section 9.3 to the categories of recipients identified in that section for the business purposes described in Section 6.
19.3 Categories sold or shared
In the preceding twelve months, we have not sold or shared personal information that identifies you individually. We may, now or in the future, sell or share aggregated or de-identified personal information of the categories identified in Section 9.3 as “Yes” under the “Sold or shared” column. To the extent any such sharing constitutes a “sale” or “share” under the CCPA/CPRA, you may opt out as described in Section 9.1.
19.4 Sensitive personal information
We collect and use the sensitive personal information identified in Section 4(H) only for the purposes permitted under CCPA/CPRA regulation section 7027(m), including to provide the Services that you request, to ensure security and integrity, to detect and respond to malicious or fraudulent activity, and to perform services on behalf of the business. We do not use sensitive personal information for the purpose of inferring characteristics about a consumer.
19.5 Shine the Light
California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for the third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
20. Related policies
Our Safety Policy describes how Wheelz is intended to be used and the responsibilities of drivers. Our Terms of Service govern your legal relationship with Vortac Labs.