Privacy

Last updated 2026-05-26

Who we are

EV Charging History is a personal/hobby project run by Marat Dyatko (i@marat.online). It is not affiliated with, endorsed by, or sponsored by AB Volvo, Volvo Car Group, Volvo Car USA LLC, or any other Volvo company. The Volvo trademark and the names of Volvo APIs are used only to describe their owner.

What data we hold

• Your Volvo ID subject identifier (the sub claim from your OAuth ID token). We use it as our user identifier.
• Your VIN listand per-vehicle details fetched from Volvo's Connected Vehicle API: model, year, fuel type, exterior colour, battery capacity, gearbox, upholstery, steering side, exterior/interior image URLs.
• A growing log of energy-state snapshots (battery %, range, plug status, charging status, charging power, target SOC, current limit) and the derived charging-session rows (start/end times, SOC delta, kWh, start/end coordinates).
• Your OAuth refresh and access tokens, encrypted at rest with AES-256-GCM. Used solely to call Volvo's APIs on your behalf.
• Your VCC API key and OAuth client credentials, encrypted at rest. Required to authenticate against Volvo's APIs.

We do not store your Volvo ID password or email. We do not embed third-party analytics, advertising, or tracking scripts.

Where it lives

All data is processed in Google Cloud, region europe-north1 (Stockholm, Sweden). Sub-processors: Google Cloud Run (compute), Cloud SQL for PostgreSQL (storage), Secret Manager (encryption keys), Cloud Scheduler (polling timer), Cloud Logging (operational logs, redacted to last-4 VIN). No data leaves the European Union.

Why we hold it (legal basis)

Consent (GDPR Art. 6(1)(a)), granted when you complete the OAuth flow at volvoid.eu.volvocars.com and accept the scopes we request:openid, energy:state:read, energy:capability:read,conve:vehicle_relation, location:read.

How long

Until you delete your account. Operational logs in Cloud Logging are rotated out by Google after 30 days. We do not back up the database; nothing to retain beyond live rows.

Your rights

• Access / portability — download everything we have on you as JSON: /api/account/export.
• Erasure — from the dashboard, hit Sign out, then sign back in and use Delete account. One click drops every row we have for you and revokes your refresh token at Volvo.
• Withdrawal of consent— sign out: we revoke your refresh token at Volvo and drop our copy. Volvo's side stops trusting any old access tokens we may still be holding.
• Rectification— the vehicle details (model, year, etc.) come directly from Volvo. We refresh them at sign-in. If they're wrong, fix them in the Volvo Cars app and sign in again.
• Complaints — you have the right to lodge a complaint with the Swedish data-protection authority (IMY).

Security

Sensitive fields (tokens, secrets, VCC API key, OAuth client secret) are encrypted with AES-256-GCM before being written to PostgreSQL. The encryption key lives in Google Secret Manager, only accessible by the running service. Traffic between your browser and the app is TLS-only.

Cookies

One session cookie (volvo_charging_session), HTTP-only, encrypted and signed by the server using iron-session. No tracking, no analytics, no third-party cookies.

Contact

Questions or data requests: i@marat.online.