Piston Labs Privacy-First Architecture
Source of Truth Document
Last Updated: January 2026
Classification: Public (Consumer + Technical Audience)
Executive Summary
Piston Labs takes a fundamentally different approach to vehicle telematics: we minimize data collection by design. While competitors store everything and promise to protect it, we recognize that the most secure data is data that doesn't exist.
Our core principle: Can't steal what doesn't exist.
Part 1: The Problem with Traditional Telematics
Industry-Wide Security Failures
The vehicle telematics industry has a systemic security problem. Companies collect massive amounts of sensitive location data, store it indefinitely, and routinely fail to protect it.
Real-World Breaches and Disclosed Vulnerabilities (2022-2025)
| Company | Year | Scale | Data Type | Root Cause |
|---|---|---|---|---|
| Spireon | 2023 (researcher disclosure) | ~15.5 million vehicles reachable | Real-time GPS, VINs, user data, remote commands | Administration panel weaknesses gave researchers full admin access |
| Gravy Analytics | 2025 | Billions of location points claimed; a ~30 million point sample was published | Historical location data aggregated from thousands of apps | Compromised cloud storage access key, per Gravy's breach notification |
| Tracelo | 2024 | 1.4 million users | Phone tracking, location history | Database misconfiguration |
| Hapn GPS | 2024 | ~8,600 devices | Live tracker locations, device names, owner info | Web API served device data without authorization checks |
| SiriusXM | 2022 (researcher disclosure) | Unknown; several automakers' connected services | Vehicle locations, remote commands from a VIN alone | API authorization flaw |
OBD-II Device Vulnerabilities
Academic security research on consumer OBD-II dongles reveals systemic issues:
- 85% of devices have no authentication mechanism
- 70% transmit data over unencrypted channels
- 60% have hardcoded credentials or default passwords
- 40% allow remote code execution via Bluetooth/Wi-Fi
Source: Argus Cyber Security, University of Michigan Transportation Research Institute
The Real Risk: Location Data as a Weapon
Location data isn't just privacy-sensitive—it's dangerous:
- Stalking & Domestic Violence: Abusers use vehicle trackers to monitor victims
- Physical Security: Knowing when someone leaves home enables burglary
- Pattern Analysis: Historical data reveals home address, workplace, routines
- Insurance Discrimination: Location patterns used to deny/increase coverage
- Law Enforcement Overreach: Warrantless bulk data requests
When a telematics company is breached, every user's stored movement history can be exposed at once.
Part 2: Our Technical Architecture
Design Principle: Ephemeral by Default
┌─────────────────────────────────────────────────────────────────┐
│                      PISTON LABS DATA FLOW                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  [Otto Device] ──TCP──> [Cloudflare Worker] ──> [Durable Object]│
│                                  │                     │        │
│              ┌───────────────────┴─────┐               │        │
│              ▼                         ▼               ▼        │
│      [GPS: WebSocket]         [Non-GPS: Supabase]   [State]     │
│         (Ephemeral)               (Persisted)        (Temp)     │
│              │                         │                        │
│              ▼                         ▼                        │
│        [User's App]            [Service Records]                │
│         (Real-time)            [Mileage History]                │
│                                [Trip Summaries]                 │
│                                                                 │
│  ─────────────────────────────────────────────────────────────  │
│  GPS flows through the system but is NOT stored by default.     │
│  Users must explicitly opt-in to location history storage.      │
└─────────────────────────────────────────────────────────────────┘
What We Store vs. What We Don't
| Data Type | Stored? | Justification |
|---|---|---|
| Current Odometer | Yes | Required for service reminders |
| Trip Distance | Yes | Fuel/efficiency calculations |
| Engine Diagnostics (DTCs) | Yes | Core product value |
| Battery/Voltage | Yes | Vehicle health monitoring |
| GPS Coordinates | No (in-memory pass-through for the live view only) | Not needed for core functionality |
| Location History | No by default | Opt-in only, with automatic expiry |
| Movement Patterns | No | Never stored |
Real-Time GPS via WebSocket (Ephemeral Streaming)
For users who want "Find My Car" functionality, we provide real-time location via WebSocket:
```typescript
// Cloudflare Durable Object - GPS never touches disk
import { DurableObject } from 'cloudflare:workers';

export class VehicleState extends DurableObject {
  // Open client sockets for this vehicle; the value is the authenticated user id.
  private sessions: Map<WebSocket, string> = new Map();

  async processGPS(latitude: number, longitude: number) {
    const frame = JSON.stringify({ type: 'location', lat: latitude, lng: longitude, timestamp: Date.now() });
    // Stream to connected clients; drop sockets that can no longer be written to
    for (const [session] of this.sessions) {
      try {
        session.send(frame);
      } catch {
        this.sessions.delete(session);
      }
    }
    // GPS is NOT written to this.ctx.storage, and must not be logged either:
    // a console.log of `frame` here would put coordinates into Workers logs.
    // When the WebSocket closes, the coordinates are gone.
  }
}
```
Security Properties:
- GPS exists only in memory during an active session
- No location database = no location to expose in a breach
- No historical record = no pattern analysis possible
- User closes app = data evaporates
- Caveat: "memory only" holds only as long as the code path stays logging-free. Request logs, `console.log` calls in the Worker and any Tail Worker must never see the coordinate fields; the invariants in Part 6 exist to keep it that way.
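The text above says the live stream requires an authenticated session for the user's own vehicle, but the Durable Object snippet does not show that check. The following is an added example (not Piston Labs code) of a vehicle-scoped live-location hub that models the session map without Cloudflare APIs: a subscriber is admitted only if its signed token lists the vehicle it asks for, so knowing a vehicle ID or VIN is never authorization by itself (the SiriusXM lesson), and publishing fans a fix out to open sockets and retains nothing. The token format, claim names and `LiveSocket` shape are assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Minimal socket shape so the hub runs without Cloudflare's WebSocket type (assumption).
export interface LiveSocket { send(data: string): void; open: boolean }
// Session claims: subject, vehicles the subject may watch, expiry in seconds since epoch (assumed layout).
export interface Claims { sub: string; vehicles: string[]; exp: number }

// Session token: base64(JSON claims) + '.' + hex(HMAC-SHA256 over the first part). Hypothetical format.
export function signToken(claims: Claims, secret: string): string {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64');
  const mac = createHmac('sha256', secret).update(body).digest('hex');
  return `${body}.${mac}`;
}

export function verifyToken(token: string, secret: string, nowSec: number): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = createHmac('sha256', secret).update(parts[0]).digest();
  const given = Buffer.from(parts[1], 'hex');
  // Constant-time comparison; the length check comes first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims !== 'object') return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec || !Array.isArray(claims.vehicles)) return null;
  return claims;
}

export class LiveLocationHub {
  // The only state the hub keeps: which socket watches which vehicle, and until when.
  private subs = new Map<LiveSocket, { vehicleId: string; exp: number }>();

  constructor(private readonly secret: string) {}

  // Admit a socket only if the token verifies and its claims cover the requested vehicle.
  subscribe(socket: LiveSocket, token: string, vehicleId: string, nowSec: number): boolean {
    const claims = verifyToken(token, this.secret, nowSec);
    if (!claims || claims.vehicles.indexOf(vehicleId) === -1) return false;
    this.subs.set(socket, { vehicleId, exp: claims.exp });
    return true;
  }

  // Fan one fix out to the vehicle's watchers and return how many sockets received it.
  // Expired or closed sessions are evicted here; the coordinates themselves are never retained.
  publish(vehicleId: string, lat: number, lng: number, nowSec: number): number {
    const frame = JSON.stringify({ type: 'location', lat, lng, timestamp: nowSec * 1000 });
    let delivered = 0;
    for (const [socket, sub] of Array.from(this.subs.entries())) {
      if (sub.exp <= nowSec || !socket.open) { this.subs.delete(socket); continue; }
      if (sub.vehicleId !== vehicleId) continue;
      socket.send(frame);
      delivered++;
    }
    return delivered;
  }

  sessionCount(): number { return this.subs.size; }
}

// Constructed socket for a local run; a deployment would hold real WebSocket objects.
export class RecordingSocket implements LiveSocket {
  open = true;
  received: string[] = [];
  send(data: string): void { this.received.push(data); }
}
```

The consent check runs on every `subscribe`, and expiry is re-checked on every `publish`, so a revoked or expired session stops receiving fixes without any extra bookkeeping.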
Opt-In Location History
Users who explicitly want location history can enable it:
```typescript
// Only if the user has opted in; the row also carries its own retention deadline
if (user.locationHistoryEnabled) {
  const recordedAt = new Date();
  const expiresAt = new Date(recordedAt.getTime() + 90 * 24 * 60 * 60 * 1000); // 90-day default retention
  const { error } = await supabase.from('location_history').insert({
    vehicle_id: vehicleId,
    latitude: coords.lat,
    longitude: coords.lng,
    recorded_at: recordedAt.toISOString(),
    expires_at: expiresAt.toISOString(), // expiry column assumed here; drives automatic deletion
  });
  // Report the failure without echoing the row, so a failed insert never logs coordinates
  if (error) throw new Error(`location_history insert failed: ${error.message}`);
}
```
Opt-In Requirements:
- Explicit toggle in app settings (default: OFF)
- Clear explanation of what's stored
- Data retention limit (90 days default)
- One-tap full deletion
Binary Data: Stripping GPS at Ingestion
Our devices use the Teltonika Codec 8 Extended binary protocol. Each AVL record is variable length because of its IO element, but the GPS element always sits at a fixed offset inside the record, directly after the 8-byte timestamp and 1-byte priority:
AVL Record Structure (per record):
┌───────────┬──────────┬───────────┬──────────┬──────┬───────┬──────┬───────┬──────────────┐
│ Timestamp │ Priority │ Longitude │ Latitude │ Alt  │ Angle │ Sats │ Speed │ IO elements  │
│  8 bytes  │  1 byte  │  4 bytes  │ 4 bytes  │ 2 B  │  2 B  │ 1 B  │  2 B  │ variable     │
├───────────┴──────────┼───────────┴──────────┴──────┴───────┴──────┴───────┼──────────────┤
│   header (9 bytes)   │           GPS element (15 bytes, zeroed)           │  kept as-is  │
└──────────────────────┴────────────────────────────────────────────────────┴──────────────┘
We can zero out GPS fields while preserving all diagnostic data:
```typescript
// Zero the 15-byte GPS element of every AVL record in a Codec 8 Extended packet, in place.
function stripGPSFromCodec8(buffer: ArrayBuffer): ArrayBuffer {
  const view = new DataView(buffer);
  if (view.getUint8(8) !== 0x8e) throw new Error('not a Codec 8 Extended packet');
  const recordCount = view.getUint8(9);
  let offset = 10; // Skip preamble (4) + data length (4) + codec ID (1) + record count (1)
  for (let i = 0; i < recordCount; i++) {
    offset += 8; // Skip timestamp
    offset += 1; // Skip priority
    // Zero out GPS element (15 bytes): longitude, latitude, altitude, angle, satellites, speed
    for (let j = 0; j < 15; j++) {
      view.setUint8(offset + j, 0);
    }
    offset += 15;
    offset += ioElementLength(view, offset); // Skip IO element (variable length)
  }
  return buffer;
}

// Byte length of a Codec 8 Extended IO element starting at `start`: event IO ID (2) + total
// count (2); then for each value width 1/2/4/8 a count (2) followed by count x (ID 2 + value);
// then the variable-width group: count (2) followed by count x (ID 2 + length 2 + length bytes).
function ioElementLength(view: DataView, start: number): number {
  let offset = start + 4;
  for (const width of [1, 2, 4, 8]) {
    offset += 2 + view.getUint16(offset) * (2 + width);
  }
  const nx = view.getUint16(offset);
  offset += 2;
  for (let i = 0; i < nx; i++) {
    offset += 4 + view.getUint16(offset + 2);
  }
  return offset - start;
}
```
Result: raw binary archives kept for debugging contain no coordinates. Two things follow from editing bytes in place. The packet CRC-16, which Teltonika computes over Codec ID through the trailing record count, no longer matches, so an archive reader must either recompute it or accept scrubbed packets without validation. And the IO element can still carry coarse location, for example the GSM cell ID and area code AVL IDs, which have to be scrubbed by ID as well.
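The end-to-end version of that stripping step, as an added example that is not Piston Labs code: it parses a Codec 8 Extended packet, zeroes the GPS element, scrubs the cell-ID and area-code IO elements, recomputes the CRC-16 so the archived copy still validates, and re-parses to confirm the odometer survived. The layout follows Teltonika's public Codec 8 Extended description; treating AVL IDs 205/206 as coarse-location fields, and the value widths used in the constructed sample packet, are assumptions to check against the device firmware's AVL ID table.

```typescript
// Teltonika Codec 8 Extended (0x8E) over TCP:
//   Preamble(4, zero) | Data length(4) | Codec(1) | N(1) | AVL records | N(1) | CRC-16(4)
// AVL record: Timestamp(8) | Priority(1) | Lon(4) | Lat(4) | Alt(2) | Angle(2) | Sats(1) | Speed(2) | IO
// IO element: EventID(2) | Total(2) | N1(2) [id2 v1]* | N2(2) [id2 v2]* | N4(2) [id2 v4]* | N8(2) [id2 v8]* | NX(2) [id2 len2 v]*

export interface IoElement { id: number; size: number; offset: number; value: number }
export interface AvlRecord {
  offset: number;      // byte offset of the record's timestamp within the packet
  timestampMs: number; priority: number;
  lon: number; lat: number; alt: number; angle: number; sats: number; speed: number;
  io: IoElement[];
}

// GSM Cell ID (205) and GSM Area Code (206) place the vehicle in a cell even with GPS zeroed (assumed set).
export const COARSE_LOCATION_IO_IDS = [205, 206];

// CRC-16/IBM (reflected poly 0xA001, init 0) over Codec ID .. Number of Data 2, as Teltonika specifies.
export function crc16Ibm(bytes: Uint8Array): number {
  let crc = 0;
  for (let i = 0; i < bytes.length; i++) {
    crc ^= bytes[i];
    for (let b = 0; b < 8; b++) crc = crc & 1 ? (crc >>> 1) ^ 0xa001 : crc >>> 1;
  }
  return crc;
}

// Unsigned 64-bit read without BigInt; exact below 2^53, which covers timestamps and odometers.
const readU64 = (v: DataView, o: number) => v.getUint32(o) * 4294967296 + v.getUint32(o + 4);

export function parseCodec8E(buf: Uint8Array): { records: AvlRecord[]; crcOk: boolean } {
  const v = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  if (v.getUint32(0) !== 0 || v.getUint8(8) !== 0x8e) throw new Error('not a Codec 8 Extended packet');
  const count = v.getUint8(9);
  const records: AvlRecord[] = [];
  let o = 10;                                   // preamble(4) + data length(4) + codec(1) + count(1)
  for (let r = 0; r < count; r++) {
    const rec: AvlRecord = {
      offset: o, timestampMs: readU64(v, o), priority: v.getUint8(o + 8),
      lon: v.getInt32(o + 9) / 1e7, lat: v.getInt32(o + 13) / 1e7, alt: v.getInt16(o + 17),
      angle: v.getUint16(o + 19), sats: v.getUint8(o + 21), speed: v.getUint16(o + 22), io: [],
    };
    o += 24 + 4;                                // header + GPS element; event IO ID + total count
    for (const size of [1, 2, 4, 8]) {          // fixed-width groups: count(2), then [id(2) value(size)]
      const n = v.getUint16(o); o += 2;
      for (let i = 0; i < n; i++) {
        const value = size === 8 ? readU64(v, o + 2) : size === 4 ? v.getUint32(o + 2)
                    : size === 2 ? v.getUint16(o + 2) : v.getUint8(o + 2);
        rec.io.push({ id: v.getUint16(o), size, offset: o + 2, value });
        o += 2 + size;
      }
    }
    const nx = v.getUint16(o); o += 2;          // variable-width group: [id(2) length(2) bytes]
    for (let i = 0; i < nx; i++) {
      const len = v.getUint16(o + 2);
      rec.io.push({ id: v.getUint16(o), size: len, offset: o + 4, value: NaN });
      o += 4 + len;
    }
    records.push(rec);
  }
  if (v.getUint8(o) !== count) throw new Error('trailing record count mismatch');
  const crcOk = v.getUint32(4) === o + 1 - 8 && v.getUint32(o + 1) === crc16Ibm(buf.subarray(8, o + 1));
  return { records, crcOk };
}

// Scrubbed copy: GPS element zeroed, chosen IO values zeroed, CRC recomputed. The input is not modified.
export function stripLocation(buf: Uint8Array, scrubIoIds: number[] = COARSE_LOCATION_IO_IDS): Uint8Array {
  const out = new Uint8Array(buf);
  for (const rec of parseCodec8E(buf).records) {
    out.fill(0, rec.offset + 9, rec.offset + 24);                       // lon, lat, alt, angle, sats, speed
    for (const io of rec.io) {
      if (scrubIoIds.indexOf(io.id) !== -1) out.fill(0, io.offset, io.offset + io.size);
    }
  }
  const crcAt = out.length - 4;
  new DataView(out.buffer).setUint32(crcAt, crc16Ibm(out.subarray(8, crcAt)));
  return out;
}

// Constructed two-record packet (not captured data): ignition (239), total odometer (16), GSM area code (206), GSM cell ID (205).
export function buildSamplePacket(): Uint8Array {
  const b: number[] = [];
  const u = (val: number, size: number) => {
    for (let i = size - 1; i >= 0; i--) b.push(Math.floor(val / Math.pow(2, 8 * i)) & 0xff);
  };
  const record = (tsMs: number, lon: number, lat: number, odometerM: number) => {
    u(tsMs, 8); u(1, 1);                                                 // timestamp, priority
    u(Math.round(lon * 1e7) >>> 0, 4); u(Math.round(lat * 1e7) >>> 0, 4);
    u(120, 2); u(90, 2); u(11, 1); u(52, 2);                             // alt, angle, sats, speed km/h
    u(0, 2); u(4, 2);                                                    // event IO ID, total IO count
    u(1, 2); u(239, 2); u(1, 1);                                         // N1: ignition on
    u(1, 2); u(206, 2); u(0x1f2e, 2);                                    // N2: GSM area code (sample width)
    u(2, 2); u(16, 2); u(odometerM, 4); u(205, 2); u(0x00a1b2c3, 4);     // N4: odometer, GSM cell ID (sample width)
    u(0, 2); u(0, 2);                                                    // N8, NX: none
  };
  u(0, 4); u(0, 4); u(0x8e, 1); u(2, 1);                                 // preamble, length placeholder, codec, count
  record(1735689600000, 23.3245, 55.6921, 123456);
  record(1735689660000, 23.3311, 55.6950, 123890);
  u(2, 1);                                                               // Number of Data 2
  const out = new Uint8Array(b.length + 4);
  out.set(b);
  const v = new DataView(out.buffer);
  v.setUint32(4, b.length - 8);                                          // data field length: codec .. count 2
  v.setUint32(b.length, crc16Ibm(out.subarray(8, b.length)));
  return out;
}
```

`stripLocation` works on a copy so the raw packet can still be acknowledged to the device with its original CRC, while only the scrubbed copy goes to the debugging archive.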
Part 3: Security Analysis
Attack Surface Comparison
| Attack Vector | Traditional Telematics | Piston Labs |
|---|---|---|
| Database breach | All historical GPS exposed | No GPS to expose |
| Backup theft | Location history in backups | No location in backups |
| Insider threat | Employee access to all data | GPS transits memory only; there is no stored GPS for staff to read |
| SQL injection | Query returns GPS history | No GPS columns outside the opt-in history table |
| API abuse | Enumerate user locations | No history endpoint; the live stream is per vehicle and needs an authenticated owner session |
| Legal subpoena | Must provide all stored data | No stored GPS to produce (opt-in history excepted) |
| Data broker sale | Monetize location data | Nothing to sell |
Quantified Risk Reduction
Using the standard qualitative model Risk = Probability × Impact, with impact scored 1 to 10 (the figures are illustrative, not measured):
Scenario: Database Breach
Traditional Approach:
- Probability: ~15% annually (assumed industry breach rate)
- Impact: All users' location history exposed (HIGH)
- Risk Score: 0.15 × 10 = 1.5 (HIGH)
Piston Labs Approach:
- Probability: Same ~15% annually
- Impact: Diagnostic data only, no location (LOW)
- Risk Score: 0.15 × 2 = 0.3 (LOW)
Risk Reduction: 80%
Scenario: Targeted Attack (Stalker/Abuser)
Traditional Approach:
- Attacker compromises account or exploits API
- Retrieves complete movement history
- Impact: Severe (physical safety risk)
Piston Labs Approach:
- Attacker compromises account
- No historical location data exists to pull
- Real-time WebSocket requires an authenticated session, and the stolen credentials satisfy that: the attacker can open the live stream and record it from then on
- Impact: Reduced (no retrospective history), not eliminated; what bounds it is how quickly the compromised session can be revoked, not the storage design
What Remains Exposed in a Breach
If Piston Labs is breached, attackers could access:
| Data | Sensitivity | Mitigation |
|---|---|---|
| Email addresses | Medium | Standard breach notification; no location to correlate with |
| Vehicle VIN | Low | Visible through the windshield; an identifier, not a credential |
| Odometer readings | Low | No privacy impact |
| Service history | Low | No location correlation |
| Diagnostic codes | Low | Technical data only |
Notably absent: Location history, movement patterns, home/work addresses, daily routines.
Part 4: Compliance & Legal Position
Regulatory Alignment
| Regulation | Requirement | Our Compliance |
|---|---|---|
| GDPR | Data minimization | Collect only what's necessary |
| CCPA | Right to deletion | No GPS to delete (by default) |
| CPRA | Limit sensitive data | GPS is opt-in only |
| State privacy laws | Reasonable security | Reduced attack surface |
Law Enforcement Requests
When law enforcement requests location data:
Traditional Company Response:
"Here are 18 months of GPS coordinates for this vehicle..."
Piston Labs Response:
"We do not store location data. Real-time GPS is ephemeral and not logged."
We cannot provide what we don't have. This isn't obstruction—it's architecture.
Insurance & Liability
Our architecture provides liability protection:
- Reduced breach notification scope: no location data at rest, so a storage breach cannot expose it (transient GPS is still personal data while it is processed, so the streaming path itself stays in scope for GDPR)
- Lower damages in litigation: No location data = no location-based harm claims
- Simplified compliance audits: Fewer data categories to document
Part 5: Consumer-Facing Communication
How We Talk About Privacy
Wrong approach (competitor-style):
"We take your privacy seriously. Your data is encrypted and protected by enterprise-grade security."
Our approach:
"We don't store your location. Period. Your car's GPS flows through our system to your phone, but we don't keep it. Can't leak what we don't have."
Key Messages for Marketing
"Your location, your control."
- Real-time GPS goes to your phone, not our servers
- Enable history only if you want it
- Delete everything with one tap
"We built it this way on purpose."
- Not a privacy policy—a privacy architecture
- Other companies promise to protect your data; we chose not to collect it
"Car diagnostics without surveillance."
- Know your battery voltage without us knowing your home address
- Get service reminders without location tracking
FAQ Responses
Q: How do you provide real-time location without storing it?
A: We use WebSocket streaming through Cloudflare's edge network. When you open the app, your car's GPS coordinates flow directly to your phone. When you close the app, the connection ends and the data is gone. It's like a phone call—the conversation happens, but we're not recording it.
Q: What if I want location history?
A: You can opt in. We'll store up to 90 days of location data, and you can delete it anytime. But we think most people don't actually need a permanent record of everywhere their car has been.
Q: What do you actually store?
A: Odometer readings, engine diagnostic codes, battery voltage, fuel efficiency data. The stuff that helps you maintain your car, not track your movements.
Q: What happens if you get hacked?
A: Attackers would get diagnostic data and basic account details such as your email address. The vehicle data is the same information your mechanic sees. They wouldn't get location history because we don't have it.
Part 6: Technical Implementation Checklist
Current State ✓
Planned Enhancements
Architecture Invariants
These rules must never be violated:
- GPS coordinates SHALL NOT be written to persistent storage without explicit user opt-in
- WebSocket GPS streams SHALL NOT be logged or recorded
- Raw Codec 8 binaries MAY be stored only with GPS bytes zeroed
- Location history opt-in SHALL default to OFF
- Any location data stored SHALL have automatic expiration
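Invariants hold only if something enforces them on every write, not just in review. The following is an added example (not Piston Labs code) of a write guard at the persistence boundary: any row carrying location-looking fields is refused unless it targets the opt-in history table, that table requires the user's consent on every insert, and each stored fix is stamped with its own expiry. The client shape (`from(table).insert(rows)`), the consent record and the `expires_at` column are assumptions standing in for the real Supabase wiring.

```typescript
export interface Consent { locationHistoryEnabled: boolean; retentionDays?: number } // assumed consent record
export interface Row { [key: string]: unknown }
// Minimal Supabase-like insert surface (assumption); enough to exercise the guard locally.
export interface InsertClient { from(table: string): { insert(rows: Row[]): Promise<{ error: { message: string } | null }> } }

export const LOCATION_HISTORY_TABLE = 'location_history';
export const DEFAULT_RETENTION_DAYS = 90;

// Keys treated as location data wherever they appear in a row, including nested objects.
const LOCATION_KEYS = ['latitude', 'longitude', 'lat', 'lng', 'lon', 'coords', 'coordinates', 'geolocation', 'position'];

// Dotted paths of every location-looking field in the value (empty when the row is clean).
export function findLocationFields(value: unknown, path = ''): string[] {
  if (value === null || typeof value !== 'object') return [];
  const hits: string[] = [];
  for (const key of Object.keys(value as object)) {
    const here = path ? `${path}.${key}` : key;
    if (LOCATION_KEYS.indexOf(key.toLowerCase()) !== -1) hits.push(here);
    hits.push(...findLocationFields((value as Row)[key], here));
  }
  return hits;
}

export class InvariantViolation extends Error {}

export class StorageGuard {
  constructor(
    private readonly client: InsertClient,
    private readonly consentOf: (userId: string) => Consent,
    private readonly now: () => Date = () => new Date(),
  ) {}

  // Pure invariant check, kept free of I/O so it can be unit-tested: returns the row as it will be
  // stored, or throws.
  prepare(userId: string, table: string, row: Row): Row {
    const hits = findLocationFields(row);
    // Invariant 1: coordinates go to the opt-in table or nowhere, whatever the caller intended.
    if (hits.length > 0 && table !== LOCATION_HISTORY_TABLE) {
      throw new InvariantViolation(`location fields ${hits.join(', ')} are not allowed in table ${table}`);
    }
    if (table !== LOCATION_HISTORY_TABLE) return row;
    const consent = this.consentOf(userId);
    // Invariants 1 and 4: the default-off opt-in is checked on every write, not once at enablement.
    if (!consent.locationHistoryEnabled) {
      throw new InvariantViolation(`user ${userId} has not opted in to location history`);
    }
    // Invariant 5: each stored fix carries its own expiry, so retention does not depend on a cleanup job's memory.
    const days = consent.retentionDays ?? DEFAULT_RETENTION_DAYS;
    const expiresAt = new Date(this.now().getTime() + days * 24 * 60 * 60 * 1000);
    return { ...row, expires_at: expiresAt.toISOString() };
  }

  async insert(userId: string, table: string, row: Row): Promise<Row> {
    const stored = this.prepare(userId, table, row);
    const { error } = await this.client.from(table).insert([stored]);
    // The row is not echoed into the error, so a failed insert never logs coordinates.
    if (error) throw new Error(`insert into ${table} failed: ${error.message}`);
    return stored;
  }
}

// In-memory client standing in for Supabase during a local run.
export class MemoryClient implements InsertClient {
  tables = new Map<string, Row[]>();
  from(table: string) {
    return {
      insert: async (rows: Row[]) => {
        this.tables.set(table, (this.tables.get(table) ?? []).concat(rows));
        return { error: null };
      },
    };
  }
}
```

Routing every write through `StorageGuard.insert` turns the first, fourth and fifth invariants into a runtime check; a `console.log` of coordinates in the streaming path is the one invariant this guard cannot see, which is why it stays a code-review rule.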
Part 7: Competitive Differentiation
How We Compare
| Feature | Bouncie | Zubie | Hum | Piston Labs |
|---|---|---|---|---|
| GPS tracking | Always on | Always on | Always on | Opt-in only |
| Location history | Stored indefinitely | 1 year | Stored | Not stored (default) |
| Data monetization | Yes (anonymized) | Yes | Yes | Never |
| Breach exposure | Full history | Full history | Full history | Diagnostics only |
| Monthly cost | $8/mo | $10/mo | $10/mo | TBD |
Our Moat
Privacy-first isn't a feature—it's an architectural decision that's hard to reverse. Competitors would need to:
- Redesign their data pipeline
- Delete existing location databases
- Rebuild real-time streaming infrastructure
- Change their business model (no data monetization)
By the time they catch up, we'll have the privacy-conscious market.
Appendix A: Breach Case Studies
Spireon (disclosed 2023)
What happened: Security researchers (Sam Curry and collaborators, published January 2023) reported that Spireon's company-wide administration panel could be taken over, giving full administrator access to an estimated 15.5 million vehicles across brands including GoldStar, LoJack and FleetLocate. The issue was disclosed to Spireon and fixed; it was not a criminal breach.
Data exposed: Real-time GPS, historical locations, VINs, customer data, and the ability to send commands such as remotely disabling vehicles.
Root cause: Authentication and authorization weaknesses in the administration panel.
Piston Labs difference: With a comparable admin compromise, an attacker reaches diagnostic data and, at worst, live positions for the duration of the intrusion; there is no history to dump.
Gravy Analytics (2025)
What happened: A location data broker aggregating ad-tech location data from thousands of apps was breached in January 2025. The attackers claimed billions of location points; a sample of roughly 30 million points was published, including visits to sensitive locations (clinics, government buildings, religious sites).
Impact: Location data traced back to individual devices, revealing daily patterns and sensitive visits.
Root cause: A compromised cloud storage credential (a misappropriated access key, per Gravy's breach notification); centralized aggregation made the store a high-value target.
Piston Labs difference: We don't aggregate or sell data. No data broker relationship.
SiriusXM Connected Vehicle (2022)
What happened: An API vulnerability (reported by Sam Curry's team in November 2022) allowed anyone to locate vehicles, unlock doors and start engines on SiriusXM-backed connected services using only the VIN.
Root cause: Authorization bypass; the API didn't verify that the requester owned the vehicle.
Piston Labs difference: Our WebSocket requires an authenticated session for the subscriber's own vehicle; a VIN by itself yields nothing. No remote commands.
Appendix B: Security Architecture Details
Data Flow Security
[Device] ──TLS/TCP──> [Cloudflare Edge] ──Internal──> [Durable Object]
                                                              │
                                                              │ (GPS, in memory only)
                                                              ▼
                                                         [WebSocket]
                                                              │
                                                              ▼
                                                       [User's Device]
GPS never touches: Database, Logs, Backups, Analytics
Encryption
| Layer | Method | Key Management |
|---|---|---|
| Device → Edge | TLS 1.3 | Cloudflare managed |
| Edge → DO | Internal (Cloudflare backbone) | N/A |
| DO → User | WSS (TLS) | Cloudflare managed |
| Worker → Supabase | HTTPS (TLS) | Supabase managed |
| Database | AES-256 at rest | Supabase managed |
Access Controls
| Role | GPS Access | Diagnostic Access |
|---|---|---|
| End User | Real-time (own vehicle); own opt-in history if enabled | Yes |
| Support Staff | None | Read-only |
| Engineering | None | Anonymized |
| Database Admin | None by default; only opt-in history rows exist | Full (at-rest encryption does not limit this role) |
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | Jan 2026 | Engineering | Initial document |
Review Schedule: Quarterly or after any security incident
Owner: Engineering Team
Approval: Tyler (CEO)