Privacy Policy

Last updated: January 15, 2026

1. Introduction

Stima SAS ("Stima," "we," "us," or "our"), a company incorporated under French law with registered offices in Paris, France, operates the website stimaboda.org and provides EV battery fleet management software and hardware services under the brand name Stima. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our website, platform, and related services (collectively, the "Services").

As a company based in France, Stima processes personal data in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, as amended). Where we process data of individuals located in other jurisdictions, we apply comparable standards of data protection.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use our Services. We may update this policy from time to time; the "Last updated" date at the top of this page will reflect the date of any material changes.

For the purposes of the GDPR, Stima SAS is the data controller for personal data collected through stimaboda.org and the Stima platform. Our Data Protection contact is jason@stimaboda.org.

2. Information We Collect

2.1 Information you provide directly. When you register for a Stima account, request a product demo, contact us through our website, or communicate with our team, you provide personal information that we collect. This includes: your name and job title; your email address and phone number; your company name and billing address; payment information processed through our payment service provider (we do not store full card numbers); correspondence and support communications; and any information you include in forms submitted on our website.

2.2 Fleet and vehicle telemetry data. When you deploy Stima hardware (SEM-1 modules) and software on your vehicle fleet, our Services collect telemetry data from the vehicles and battery packs in your fleet. This data includes: battery cell voltages and temperature readings; vehicle location data (GPS coordinates) at the time of telemetry events; vehicle identification numbers (VINs) and battery pack serial numbers; charging event data (start time, end time, energy delivered, charging station identifier); and discharge curve data used for state-of-health estimation. This telemetry data relates to your vehicles and fleet operations, not to individual natural persons, except to the extent that vehicle location data could be combined with other information to identify a driver. We treat location data with appropriate care and do not use it to profile individual drivers.

2.3 Usage data and analytics. When you access the Stima web platform or mobile app, we automatically collect certain technical information, including: your IP address and browser type; the pages you visit and features you use within the platform; timestamps of your interactions; device type and operating system; and session duration. This data is collected through cookies and similar tracking technologies, described further in our Cookie Policy.

2.4 Driver app data. If your fleet drivers use the Stima driver app, the app collects: the driver's mobile device identifier for notification delivery; location data while the app is in use (for charge routing purposes, with explicit in-app consent); and battery concern reports submitted through the one-tap reporting feature. Driver app data is processed on behalf of the fleet operator and is accessible to the fleet operator through the management dashboard. Individual drivers whose data is processed through the app should consult their fleet operator regarding data practices.

3. How We Use Your Information

3.1 Service provision. We use the information we collect to provide, maintain, and improve the Stima platform and hardware. This includes processing telemetry data to generate battery state-of-health estimates and degradation alerts; computing charge routing recommendations; operating the fleet management dashboard; processing payments for subscriptions; and providing technical support. The legal basis for this processing is performance of our contract with you (Article 6(1)(b) GDPR).

3.2 Machine learning model training. We use aggregated and pseudonymized telemetry data from across our monitoring fleet to train and improve our battery degradation prediction models. This processing is necessary for our legitimate interest in improving the accuracy and reliability of our Services (Article 6(1)(f) GDPR). We do not use individually identifiable personal data for model training without your explicit consent; telemetry data used for model training is processed at the fleet and battery chemistry level, not at the level of individual drivers or operators.

3.3 Communications. We use your contact information to send you service-related communications (account notifications, maintenance alerts, billing statements), product updates and release notes, and, with your consent, marketing communications about Stima products and industry developments. You may unsubscribe from marketing communications at any time using the link in any such email or by contacting us at contact@stimaboda.org. The legal basis for service communications is performance of contract; for marketing communications, the legal basis is your consent (Article 6(1)(a) GDPR).

3.4 Security and fraud prevention. We process certain data for the purposes of detecting, investigating, and preventing fraudulent or unauthorized use of our Services, in compliance with our legal obligations and our legitimate interests in maintaining the security of our platform. The legal bases for this processing are Articles 6(1)(c) and 6(1)(f) GDPR.

4. How We Share Your Information

4.1 Service providers. We share personal data with third-party service providers who assist us in operating our business, subject to appropriate data processing agreements that require them to protect your data in accordance with GDPR. Our current key service providers include: Amazon Web Services (cloud hosting, EU-West-1 region in Ireland); Stripe (payment processing); Postmark (transactional email delivery); and Sentry (error monitoring and diagnostics). We review service provider agreements annually and update this list when providers change.

4.2 Business transfers. In the event of a merger, acquisition, corporate restructuring, or sale of all or substantially all of Stima's assets, personal data may be transferred to the acquiring entity. We will notify you of any such transaction via email and provide a 30-day period during which you may request deletion of your account and personal data.

4.3 Legal requirements. We may disclose personal data when required to do so by applicable law, regulation, court order, or governmental authority. When feasible and legally permissible, we will notify you before complying with such requests. We do not sell personal data to third parties for advertising or any other commercial purpose.

4.4 Aggregated and anonymized data. We may share aggregated, anonymized, or pseudonymized data — from which individual operators and vehicles cannot be identified — with industry partners, research institutions, or investors. Such sharing is for market research, academic publications, or investor reporting purposes and does not constitute personal data disclosure under GDPR.

5. International Data Transfers

As a company operating globally with customers in Africa and Southeast Asia, we transfer personal data across international borders. All transfers from the European Economic Area (EEA) to countries not recognized by the European Commission as providing an adequate level of data protection are governed by appropriate safeguards, specifically the European Commission's Standard Contractual Clauses (SCCs, as updated in June 2021) incorporated into our data processing agreements.

Our primary cloud infrastructure operates in AWS EU-West-1 (Dublin, Ireland), which is within the EEA. Telemetry data collected from vehicles operating in Africa is transmitted to this EU region for processing and storage. If you require specific information about the safeguards governing international transfers applicable to your data, contact us at contact@stimaboda.org.

6. Data Retention

We retain different categories of data for different periods based on our operational needs and legal obligations:

Account information: Retained for the duration of your subscription plus 3 years following account closure, to fulfill contractual obligations, legal requirements, and dispute resolution purposes.

Telemetry data (full resolution): Retained at second-level granularity for 24 months from collection date, after which it is downsampled to hourly averages for archival purposes.

Hourly averaged telemetry: Retained for 7 years for long-term battery degradation research under pseudonymization.

Financial and billing records: Retained for 10 years as required by French accounting law (Code de commerce, Article L.123-22).

Support correspondence: Retained for 3 years from the date of last interaction.

Marketing consent records: Retained until you withdraw consent plus 3 years for dispute resolution purposes.

7. Your Rights Under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights with respect to your personal data:

Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed.

Right to rectification (Article 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to erasure (Article 17 GDPR): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (where processing is based on consent), or where you object to processing based on legitimate interests and our interests do not override yours.

Right to restriction of processing (Article 18 GDPR): You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of your data or where processing is unlawful but you prefer restriction to erasure.

Right to data portability (Article 20 GDPR): For data processed by automated means on the basis of consent or contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to object (Article 21 GDPR): You have the right to object to processing of your personal data where that processing is based on our legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, submit a written request to contact@stimaboda.org. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests. If you believe we have not adequately addressed a data protection concern, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) in France (cnil.fr) or with the supervisory authority in your country of residence.

8. Security Measures

We implement technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

— Encryption of data in transit using TLS 1.3 for all communications between the SEM-1 module and our servers, and between the web/mobile client and our API.

— Encryption of data at rest using AES-256 for all database volumes containing personal data.

— Role-based access controls limiting access to personal data to Stima personnel with a documented business need.

— Multi-factor authentication required for all Stima staff accessing production systems.

— Regular automated vulnerability scanning and annual manual penetration testing of our API and web platform.

— Incident response procedures that include notification to affected users and supervisory authorities within 72 hours for breaches that pose a risk to individuals' rights and freedoms, as required by Article 33 GDPR.

While we take these measures seriously, no method of data transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security. If you discover a potential security vulnerability in our systems, please report it to jason@stimaboda.org, and we will investigate promptly.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website to enhance user experience, analyze traffic, and improve our platform. For detailed information about the specific cookies we use, their purposes, how long they persist, and how to manage them, please refer to our Cookie Policy.

When you first visit stimaboda.org, you will be presented with a cookie consent banner. Non-essential cookies (analytics and marketing cookies) will only be set with your explicit consent. You can withdraw consent and manage your cookie preferences at any time through the cookie settings accessible in the site footer, or by clearing your browser cookies.

10. Children's Privacy

The Stima platform is a business-to-business service not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected personal data from a child under 18, we will promptly delete that information. If you believe we have collected data from a minor, contact us at contact@stimaboda.org.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or business operations. When we make material changes, we will notify you by email (if you have an active account) and/or by posting a prominent notice on stimaboda.org for a period of at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

12. Contact Information

For questions, complaints, or requests related to this Privacy Policy or our data practices, contact us at:

Stima SAS

Attn: Data Protection

Paris, France

Email: contact@stimaboda.org

We aim to respond to all substantive data protection requests within 30 days. For urgent matters related to potential data breaches or security incidents, email jason@stimaboda.org directly.