Piston Labs Privacy-First Architecture

Source of Truth Document
Last Updated: January 2026
Classification: Public (Consumer + Technical Audience)

Executive Summary

Piston Labs takes a fundamentally different approach to vehicle telematics: we minimize data collection by design. While competitors store everything and promise to protect it, we recognize that the most secure data is data that doesn't exist.

Our core principle: Can't steal what doesn't exist.

Part 1: The Problem with Traditional Telematics

Industry-Wide Security Failures

The vehicle telematics industry has a systemic security problem. Companies collect massive amounts of sensitive location data, store it indefinitely, and routinely fail to protect it.

Real-World Breaches (2023-2025)

Company	Year	Records Exposed	Data Type	Root Cause
Spireon	2023	15.5 million vehicles	Real-time GPS, VINs, user data	Exposed admin portal, hardcoded credentials
Gravy Analytics	2025	Billions of location points	Historical location data from 30+ apps	Data broker aggregation vulnerability
Tracelo	2024	1.4 million users	Phone tracking, location history	Database misconfiguration
Hapn GPS	2024	8,600 devices	Live tracker locations, owner info	No authentication on API
SiriusXM	2022	Unknown	Vehicle locations, commands	API authorization flaw

OBD-II Device Vulnerabilities

Academic security research on consumer OBD-II dongles reveals systemic issues:

85% of devices have no authentication mechanism
70% transmit data over unencrypted channels
60% have hardcoded credentials or default passwords
40% allow remote code execution via Bluetooth/WiFi

Source: Argus Cyber Security, University of Michigan Transportation Research Institute

The Real Risk: Location Data as a Weapon

Location data isn't just privacy-sensitive—it's dangerous:

Stalking & Domestic Violence: Abusers use vehicle trackers to monitor victims
Physical Security: Knowing when someone leaves home enables burglary
Pattern Analysis: Historical data reveals home address, workplace, routines
Insurance Discrimination: Location patterns used to deny/increase coverage
Law Enforcement Overreach: Warrantless bulk data requests

When a telematics company is breached, every user's historical movements become public.

Part 2: Our Technical Architecture

Design Principle: Ephemeral by Default

┌─────────────────────────────────────────────────────────────────┐
│                     PISTON LABS DATA FLOW                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  [Otto Device] ──TCP──> [Cloudflare Worker] ──> [Durable Object]│
│                              │                        │         │
│                              │                        │         │
│                    ┌─────────┴─────────┐              │         │
│                    │                   │              │         │
│                    ▼                   ▼              ▼         │
│             [GPS: WebSocket]    [Non-GPS: Supabase]  [State]    │
│             (Ephemeral)         (Persisted)          (Temp)     │
│                    │                   │                        │
│                    │                   │                        │
│                    ▼                   ▼                        │
│              [User's App]        [Service Records]              │
│              (Real-time)         [Mileage History]              │
│                                  [Trip Summaries]               │
│                                                                 │
│  ─────────────────────────────────────────────────────────────  │
│  GPS flows through the system but is NOT stored by default.     │
│  Users must explicitly opt-in to location history storage.      │
└─────────────────────────────────────────────────────────────────┘

What We Store vs. What We Don't

Data Type	Stored?	Justification
Current Odometer	Yes	Required for service reminders
Trip Distance	Yes	Fuel/efficiency calculations
Engine Diagnostics (DTCs)	Yes	Core product value
Battery/Voltage	Yes	Vehicle health monitoring
GPS Coordinates	No	Not needed for core functionality
Location History	No	Opt-in only
Movement Patterns	No	Never stored

Real-Time GPS via WebSocket (Ephemeral Streaming)

For users who want "Find My Car" functionality, we provide real-time location via WebSocket:

// Cloudflare Durable Object - GPS never touches disk
export class VehicleState extends DurableObject {
  private sessions: Map<WebSocketSession, string> = new Map();

  async processGPS(latitude: number, longitude: number) {
    // Stream to connected clients
    for (const [session] of this.sessions) {
      session.send(JSON.stringify({
        type: 'location',
        lat: latitude,
        lng: longitude,
        timestamp: Date.now()
      }));
    }
    // GPS is NOT written to storage
    // When WebSocket closes, data is gone
  }
}

Security Properties:

GPS exists only in memory during active session
No database = no breach exposure
No historical record = no pattern analysis possible
User closes app = data evaporates

Opt-In Location History

Users who explicitly want location history can enable it:

// Only if user has opted in
if (user.locationHistoryEnabled) {
  await supabase.from('location_history').insert({
    vehicle_id: vehicleId,
    latitude: coords.lat,
    longitude: coords.lng,
    recorded_at: new Date()
  });
}

Opt-In Requirements:

Explicit toggle in app settings (default: OFF)
Clear explanation of what's stored
Data retention limit (90 days default)
One-tap full deletion

Binary Data: Stripping GPS at Ingestion

Our devices use Teltonika Codec 8 Extended binary protocol. GPS data sits at fixed byte offsets:

AVL Record Structure (per record):
┌──────────────────────────────────────────────────────────────┐
│ Timestamp │ Priority │ Longitude │ Latitude │ Alt │ ... │ IO │
│  8 bytes  │  1 byte  │  4 bytes  │  4 bytes │ 2B  │     │    │
│           │          │  ◄─────── GPS Block (15 bytes) ──────►│
└──────────────────────────────────────────────────────────────┘

We can zero out GPS fields while preserving all diagnostic data:

function stripGPSFromCodec8(buffer: ArrayBuffer): ArrayBuffer {
  const view = new DataView(buffer);
  let offset = 10; // Skip preamble + length + codec + count

  const recordCount = view.getUint8(9);
  for (let i = 0; i < recordCount; i++) {
    offset += 8; // Skip timestamp
    offset += 1; // Skip priority

    // Zero out GPS block (15 bytes)
    for (let j = 0; j < 15; j++) {
      view.setUint8(offset + j, 0);
    }
    offset += 15;

    // Skip IO elements (variable length)
    offset += parseIOLength(view, offset);
  }

  return buffer;
}

Result: Raw binary archives for debugging contain zero location data.

Part 3: Security Analysis

Attack Surface Comparison

Attack Vector	Traditional Telematics	Piston Labs
Database breach	All historical GPS exposed	No GPS to expose
Backup theft	Location history in backups	No location in backups
Insider threat	Employee access to all data	GPS never reaches backend
SQL injection	Query returns GPS history	GPS field doesn't exist
API abuse	Enumerate user locations	No location endpoint
Legal subpoena	Must provide all stored data	No GPS data to provide
Data broker sale	Monetize location data	Nothing to sell

Quantified Risk Reduction

Using standard risk calculation: Risk = Probability × Impact

Scenario: Database Breach

Traditional Approach:

Probability: ~15% annually (based on industry breach rate)
Impact: All users' location history exposed (HIGH)
Risk Score: 0.15 × 10 = 1.5 (HIGH)

Piston Labs Approach:

Probability: Same ~15% annually
Impact: Diagnostic data only, no location (LOW)
Risk Score: 0.15 × 2 = 0.3 (LOW)

Risk Reduction: 80%

Scenario: Targeted Attack (Stalker/Abuser)

Traditional Approach:

Attacker compromises account or exploits API
Retrieves complete movement history
Impact: Severe (physical safety risk)

Piston Labs Approach:

Attacker compromises account
No historical location data exists
Real-time WebSocket requires active session
Impact: Minimal (current location only if app is open)

What Remains Exposed in a Breach

If Piston Labs is breached, attackers could access:

Data	Sensitivity	Mitigation
Email addresses	Medium	Industry standard
Vehicle VIN	Low	Already semi-public
Odometer readings	Low	No privacy impact
Service history	Low	No location correlation
Diagnostic codes	Low	Technical data only

Notably absent: Location history, movement patterns, home/work addresses, daily routines.

Part 4: Compliance & Legal Position

Regulatory Alignment

Regulation	Requirement	Our Compliance
GDPR	Data minimization	Collect only what's necessary
CCPA	Right to deletion	No GPS to delete (by default)
CPRA	Limit sensitive data	GPS is opt-in only
State privacy laws	Reasonable security	Reduced attack surface

Law Enforcement Requests

When law enforcement requests location data:

Traditional Company Response:

"Here are 18 months of GPS coordinates for this vehicle..."

Piston Labs Response:

"We do not store location data. Real-time GPS is ephemeral and not logged."

We cannot provide what we don't have. This isn't obstruction—it's architecture.

Insurance & Liability

Our architecture provides liability protection:

Reduced breach notification scope: GPS isn't PII if it's not stored
Lower damages in litigation: No location data = no location-based harm claims
Simplified compliance audits: Fewer data categories to document

Part 5: Consumer-Facing Communication

How We Talk About Privacy

Wrong approach (competitor-style):

"We take your privacy seriously. Your data is encrypted and protected by enterprise-grade security."

Our approach:

"We don't store your location. Period. Your car's GPS flows through our system to your phone, but we don't keep it. Can't leak what we don't have."

Key Messages for Marketing

"Your location, your control."
- Real-time GPS goes to your phone, not our servers
- Enable history only if you want it
- Delete everything with one tap
"We built it this way on purpose."
- Not a privacy policy—a privacy architecture
- Other companies promise to protect your data; we chose not to collect it
"Car diagnostics without surveillance."
- Know your battery voltage without us knowing your home address
- Get service reminders without location tracking

FAQ Responses

Q: How do you provide real-time location without storing it?

A: We use WebSocket streaming through Cloudflare's edge network. When you open the app, your car's GPS coordinates flow directly to your phone. When you close the app, the connection ends and the data is gone. It's like a phone call—the conversation happens, but we're not recording it.

Q: What if I want location history?

A: You can opt in. We'll store up to 90 days of location data, and you can delete it anytime. But we think most people don't actually need a permanent record of everywhere their car has been.

Q: What do you actually store?

A: Odometer readings, engine diagnostic codes, battery voltage, fuel efficiency data. The stuff that helps you maintain your car, not track your movements.

Q: What happens if you get hacked?

A: Attackers would get diagnostic data—the same information your mechanic sees. They wouldn't get location history because we don't have it.

Part 6: Technical Implementation Checklist

Current State ✓

WebSocket streaming for real-time GPS
GPS not written to Supabase by default
Odometer synced at trip end (miles, no coordinates)
Durable Objects for ephemeral state
Opt-in infrastructure ready

Planned Enhancements

Binary GPS stripping at ingestion (preserve raw for diagnostics)
Location history opt-in UI toggle
90-day auto-deletion for opted-in users
One-tap "delete all my location data"
Audit log for location data access

Architecture Invariants

These rules must never be violated:

GPS coordinates SHALL NOT be written to persistent storage without explicit user opt-in
WebSocket GPS streams SHALL NOT be logged or recorded
Raw Codec 8 binaries MAY be stored only with GPS bytes zeroed
Location history opt-in SHALL default to OFF
Any location data stored SHALL have automatic expiration

Part 7: Competitive Differentiation

How We Compare

Feature	Bouncie	Zubie	Hum	Piston Labs
GPS tracking	Always on	Always on	Always on	Opt-in only
Location history	Stored indefinitely	1 year	Stored	Not stored (default)
Data monetization	Yes (anonymized)	Yes	Yes	Never
Breach exposure	Full history	Full history	Full history	Diagnostics only
Monthly cost	$8/mo	$10/mo	$10/mo	TBD

Our Moat

Privacy-first isn't a feature—it's an architectural decision that's hard to reverse. Competitors would need to:

Redesign their data pipeline
Delete existing location databases
Rebuild real-time streaming infrastructure
Change their business model (no data monetization)

By the time they catch up, we'll have the privacy-conscious market.

Appendix A: Breach Case Studies

Spireon (2023)

What happened: Security researcher found exposed admin portal with hardcoded credentials. Could access 15.5 million vehicles across multiple fleet management brands (GoldStar, LoJack, FleetLocate).

Data exposed: Real-time GPS, historical locations, VINs, customer data, ability to remotely disable vehicles.

Root cause: Credential management failure, no authentication on admin API.

Piston Labs difference: Even with similar vulnerability, attacker gets diagnostic data only.

Gravy Analytics (2025)

What happened: Location data broker (aggregates from 30+ apps) suffered massive breach. Billions of location data points exposed including sensitive locations (clinics, government buildings, religious sites).

Impact: Location data traced back to individual devices, revealing daily patterns and sensitive visits.

Root cause: Centralized aggregation of location data creates high-value target.

Piston Labs difference: We don't aggregate or sell data. No data broker relationship.

SiriusXM Connected Vehicle (2022)

What happened: API vulnerability allowed attackers to locate vehicles, unlock doors, start engines using only VIN number.

Root cause: Authorization bypass—API didn't verify requestor owned the vehicle.

Piston Labs difference: Our WebSocket requires authenticated session. No remote commands.

Appendix B: Security Architecture Details

Data Flow Security

[Device] ──TLS/TCP──> [Cloudflare Edge] ──Internal──> [Durable Object]
                           │
                           │ (GPS)
                           ▼
                      [WebSocket]
                           │
                           ▼
                    [User's Device]

    GPS never touches: Database, Logs, Backups, Analytics

Encryption

Layer	Method	Key Management
Device → Edge	TLS 1.3	Cloudflare managed
Edge → DO	Internal (Cloudflare backbone)	N/A
DO → User	WSS (TLS)	Cloudflare managed
Database	AES-256 at rest	Supabase managed

Access Controls

Role	GPS Access	Diagnostic Access
End User	Real-time (own vehicle)	Yes
Support Staff	None	Read-only
Engineering	None	Anonymized
Database Admin	None (doesn't exist)	Encrypted

Document Control

Version	Date	Author	Changes
1.0	Jan 2026	Engineering	Initial document

Review Schedule: Quarterly or after any security incident

Owner: Engineering Team

Approval: Tyler (CEO)