Privacy Policy — CyberFreq

1. Overview

CyberFreq is a push-to-talk (PTT) voice communication app for verified Tesla vehicle owners. The app pairs to your Tesla, opens proximity-based voice channels with nearby drivers, and includes a community driver-rating system. This policy explains what data we collect, why, and your rights under GDPR (EU/EEA/UK residents), CCPA/CPRA (California residents), and Google Play's User Data policy.

We do not sell your data. We do not run ads. We do not use third-party analytics trackers.

The data controller is AICrownz LLC, operating the CyberFreq service. Contact for any privacy matter: aicrownzllc@gmail.com.

2. Data We Collect

2.1 Tesla OAuth Data (Read-Only)

When you sign in with Tesla, we request the following Tesla Fleet API scopes — read-only; no commands; no energy:

Scope	What We Read	Why
`profile`	Name, email, Tesla account ID	Account identity, profile display
`vehicle_information`	Vehicle model, VIN (hashed), region	Verification badge, fleet grouping
`vehicle_location`	Approximate location during active session	Proximity matching for PTT radius

We never request: unlock, start, climate, charging control, energy products, or any write-access / command Tesla scopes. CyberFreq cannot send commands to your vehicle and cannot read or control any Powerwall, Solar, or energy product on your account.

Location handling: Vehicle location is read from Tesla only while you have an active CyberFreq session. Server-side, raw coordinates are immediately resolved to a coarse grid cell (≈1 km resolution) for proximity matching. Precise coordinates are never transmitted to other users' devices and are not retained after the session ends.

2.2 Microphone & Voice (PTT Audio)

CyberFreq requests the microphone (RECORD_AUDIO) permission so you can transmit on push-to-talk channels. The microphone is only active while you are actively pressing the talk button.

Audio captured during push-to-talk is ephemeral — streamed in real time over the voice channel and never written to disk on our servers.
No voice recordings are stored, replayed, transcribed, or analyzed by us or by any third party.
Audio buffers are released from memory the moment a transmission ends.
We do not use voice for biometric identification or speech-to-text.

2.3 Bluetooth & Auto-Launch

CyberFreq can automatically open a session when your phone connects to your verified Tesla's Bluetooth (a feature you can disable in Settings). To support this, the app uses the Android BLUETOOTH_CONNECT permission to detect connection events.

We do not pair, scan, or read data from any Bluetooth device other than identifying that a connection event matches your verified Tesla.
No audio is routed over Bluetooth in a way that captures device microphones outside your phone.
You can revoke this permission any time in Android Settings; auto-launch will simply turn off.

2.4 Photos & Media (READ_MEDIA_IMAGES)

The Android manifest declares READ_MEDIA_IMAGES because the React Native / Expo media stack used by the app references the system image picker. This permission is only used if you choose to upload a profile picture from your device's photo library.

We do not scan, index, or upload your photo library in the background.
We never read media files unless you explicitly tap "Choose photo" inside the app and pick one image.
If you select an image, only that single image is transmitted, resized to a small avatar, and stored against your CyberFreq profile. The original is not retained.
You can deny or revoke this permission at any time in Android Settings; CyberFreq will continue to work without a custom profile photo.

2.5 Account Data

Account and rating data are kept in a SQLite database on our server. The geospatial index used for proximity matching stores only the active-session grid cell described in §2.1; it is not a long-term location history.

Field	Stored	Retention
Tesla account ID (hashed)	Yes	Until account deletion
Display name	Yes	Until account deletion
Vehicle model + region	Yes	Until account deletion
Profile image (if you upload one)	Yes	Until you remove it or delete account
Driver rating score (4 dimensions: language, aggression, spam, helpfulness)	Yes	Until account deletion
Active-session grid cell (≈1 km)	Session only	Cleared when session ends
Session timestamps (login/logout)	Yes	90 days, then purged
Premium subscription state & purchase records	Yes	Per legal/tax requirement (up to 7 years)

Driver ratings: The 4-dimension rating system aggregates community feedback. Premium-tier members can vote; ratings are stored against your account so other drivers can see your tier badge. Individual votes are anonymized — you cannot see who rated you.

2.6 Device & Technical Data

We log standard server-side data needed to operate and secure the service:

IP address (used for abuse prevention and rate-limiting, retained 30 days)
App version, OS version, device model (for crash diagnostics)
Error logs (anonymized after 14 days)

We do not use: advertising IDs, fingerprinting SDKs, or behavioral tracking tools (e.g., Firebase Analytics, Mixpanel, Amplitude, Meta Pixel).

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Account authentication via Tesla OAuth	Contract performance
Proximity matching for PTT channels	Contract performance
Driver ratings and community features	Legitimate interest
Abuse prevention and security	Legitimate interest
Premium subscription management	Contract performance
Legal compliance (purchase records)	Legal obligation

4. Data Sharing & Sub-processors

We share data only with the following service providers (sub-processors), each under a data processing agreement with GDPR-compliant terms. None of them receive payment for the data — they process it on our behalf to deliver the service.

Provider	Purpose	Data Shared
Tesla, Inc.	Vehicle owner verification & Fleet API (read-only)	OAuth identity tokens
Stripe, Inc. (via ExtensionPay)	Premium subscription payments	Email, billing details (handled directly by Stripe; CyberFreq never sees card numbers). Stripe account: `acct_1TNLS2IUrGu95Vjv`.
ExtensionPay	Subscription/checkout flow that fronts Stripe	Email, subscription state
Render, Inc.	Server hosting (API, WebSockets, SQLite)	All server-side data described in §2 is processed on Render infrastructure
Cloudflare, Inc.	CDN, DNS, edge security for cyberfreq.app	Connection metadata (IP, user agent) for the marketing site and any edge-routed traffic
Anthropic, PBC	AI moderation / "super-brain" classification of community reports	Anonymized text snippets from user-submitted reports (no identifiers attached)
OpenRouter	Routing layer for the moderation/AI super-brain calls	Same anonymized content as Anthropic; OpenRouter relays the API call
Sentry (if enabled in a build)	Crash & error reporting	Stack traces and device metadata; user identifiers are scrubbed where present
Google Play / Google LLC	App distribution & install integrity	Standard Play Store install metadata governed by Google's policies

We do not share your data with data brokers, advertisers, or third-party analytics companies. We do not sell or "share" personal information for cross-context behavioral advertising as defined by CCPA/CPRA.

International transfers: Several sub-processors above are based in the United States. Where required, transfers from the EU/EEA/UK rely on Standard Contractual Clauses or equivalent safeguards published by each provider.

5. Cookies & Tracking

CyberFreq is a mobile app. We do not use web cookies. On-device, we store:

A session token (encrypted, local storage) — used only to maintain your logged-in state.
App preferences (e.g., channel radius setting) — local only, never synced.

No cross-app tracking. No advertising identifiers.

6. Your Rights

GDPR (EU/EEA/UK Residents)

You have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — delete your account and all associated data ("right to be forgotten")
Restriction — limit processing of your data in certain circumstances
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — revoke Tesla OAuth at any time via your Tesla account settings

To exercise any right, email aicrownzllc@gmail.com with subject "GDPR Request". We will respond within 30 days.

If you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your EU member state's DPA).

CCPA (California Residents)

Under the California Consumer Privacy Act, you have the right to:

Know what personal information we collect and how it is used
Delete your personal information
Opt out of sale — we do not sell personal information (no opt-out needed)
Non-discrimination — exercising your rights will not affect your service

To submit a CCPA request: email aicrownzllc@gmail.com with subject "CCPA Request". We will respond within 45 days.

7. Data Retention

Data Type	Retention Period
Account data (active user)	Until account deletion
Session location (grid cell)	Session duration only
PTT audio	Never stored
Server logs (IP, errors)	14–30 days
Purchase records	7 years (legal obligation)

To delete your account: Settings → Account → Delete Account, or email aicrownzllc@gmail.com.

8. Children's Privacy

CyberFreq is not directed at users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact aicrownzllc@gmail.com and we will delete it promptly.

9. Security

We implement:

TLS 1.3 in transit
AES-256 encryption at rest for account data
OAuth tokens stored with PKCE flow — never exposed server-side
Hashed VIN identifiers (SHA-256 + salt)

No security system is perfect. If you discover a vulnerability, please disclose responsibly to aicrownzllc@gmail.com.

10. Changes to This Policy

We will notify users of material changes via in-app notification at least 14 days before changes take effect. The "Last Updated" date at the top of this document reflects the current version.

11. Contact

CyberFreq Privacy
Email: aicrownzllc@gmail.com
Website: https://cyberfreq.app