Privacy Policy

Effective date: 28 February 2026 · Last updated: 4 March 2026

1. Who we are

Voltly ("the Service") is operated by Alessandro Nichelini, acting as the sole data controller ("I", "me", "my").

Data controller contact
Alessandro Nichelini
Italy
Email: privacy@voltly.it

This Privacy Policy explains what personal data I collect when you use Voltly, why I collect it, how I use it, and the rights you have under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

2. What Voltly does

Voltly is a personal electric-vehicle charging session tracker. It allows you to:

Automatically import charging sessions from receipt emails sent by charging operators;
Manually add, edit, and merge charging sessions;
Visualise statistics about your charging history (kWh consumed, cost, operators, etc.).

3. Data I collect and why

3.1 Account & authentication data

Authentication is provided by Clerk. When you create an account I receive:

Email address
Username (chosen freely at registration)
Clerk user identifier (internal ID)
Session tokens and device/browser metadata managed by Clerk

Privacy tip: You are not required to use your real name as a username. I strongly encourage choosing a random or fantasy username so that your account is not directly traceable to your identity.

Legal basis: Art. 6(1)(b) GDPR – processing is necessary to perform the contract (providing you access to the Service).

3.2 Charging session data

For each charging session the following data is stored:

Date, start time, duration
Charging operator name
Location / address (extracted from receipt or entered manually)
Energy delivered (kWh)
Total cost and price per kWh
Vehicle (if included in the receipt)
Source of the record (email receipt, manual entry, or JoinON import)

Legal basis: Art. 6(1)(b) GDPR – necessary to perform the core service you requested.

3.3 Email metadata

When you forward a charging receipt to your personal integration address (@sessions.voltly.it), the following email metadata is stored alongside the session:

Sender address (the charging operator's email)
Email subject
Received-at timestamp
Message ID

The full text body of the email is temporarily processed by AWS Bedrock (an AI service) to extract the structured charging data listed in §3.2. After extraction the raw text is stored only as a backup reference within your session record; it is never used for advertising, profiling, or shared with third parties beyond the processor relationship described in §5.

Legal basis: Art. 6(1)(b) GDPR – necessary to automate the import of your charging history.

3.4 Technical and operational data

Standard web server and AWS infrastructure logs may capture your IP address, browser user-agent, and request timestamps for security and debugging purposes. These logs are retained for a short period and are not used for profiling.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in ensuring security and diagnosing technical issues.

4. How long I keep your data

Category	Retention period
Account data	As long as your account is active
Charging sessions & email metadata	As long as you keep them; deleted when you delete the session or close your account
Raw email content (backup)	Same as the owning session record
Infrastructure / access logs	Up to 30 days

When you delete your account all personal data is permanently removed within 30 days, except where a longer retention period is required by applicable law.

5. Third-party processors (sub-processors)

I use the following sub-processors to deliver the Service. Each is bound by a Data Processing Agreement or equivalent safeguard.

Processor	Purpose	Location	Transfer basis
Clerk, Inc.	Authentication & session management	USA	Standard Contractual Clauses (SCCs)
Amazon Web Services	Hosting, database (DynamoDB), email receiving (SES), serverless compute (Lambda)	EU – Ireland (eu-west-1)	Stored within the EU; AWS DPA
Amazon Bedrock (AI)	AI extraction of charging data from email text	EU – Ireland (eu-west-1)	AWS DPA; no model training on your data

No personal data is sold, rented, or shared with any third party for advertising or commercial purposes.

6. Your rights under GDPR

As a data subject you have the following rights, exercisable free of charge:

Right of access (Art. 15): obtain a copy of the personal data I hold about you.
Right to rectification (Art. 16): correct inaccurate or incomplete data.
Right to erasure (Art. 17): request deletion of your data ("right to be forgotten").
Right to data portability (Art. 20): receive your charging sessions in a machine-readable format (CSV export is available directly in the app).
Right to restrict processing (Art. 18): ask me to limit how I use your data in certain circumstances.
Right to object (Art. 21): object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw at any time without affecting prior lawful processing.

To exercise any of these rights, email me at privacy@voltly.it. I will respond within 30 days. Where technically feasible, you can also delete sessions and export your data directly within the app.

7. Right to lodge a complaint

If you believe your data is being processed unlawfully you have the right to lodge a complaint with the Italian supervisory authority:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
www.garanteprivacy.it

You may also contact the supervisory authority of your EU member state of residence.

8. Cookies and local storage

Voltly uses cookies and browser local storage only as strictly necessary to:

Maintain your authenticated session (managed by Clerk);
Remember your UI preferences (e.g. last selected time range) locally on your device.

No third-party advertising or analytics cookies are set. No data is shared with advertising networks.

9. Data security

I implement appropriate technical and organisational measures to protect your data, including:

All data in transit is encrypted via TLS;
DynamoDB tables use server-side encryption at rest;
Access to AWS resources is restricted via least-privilege IAM policies;
Authentication is delegated to Clerk, which implements industry-standard security practices.

Despite these measures, no transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will notify you and the supervisory authority as required by GDPR Art. 33–34.

10. Children

Voltly is not directed at persons under 18 years of age. I do not knowingly collect personal data from anyone under 18. If you believe a minor has provided data, please contact me and I will delete it promptly.

11. Changes to this policy

I may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice in the app at least 14 days before taking effect. The "last updated" date at the top of this page always reflects the current version.

12. Contact

For any privacy-related questions or requests, please contact:
privacy@voltly.it