Concerned about data privacy with third party apps

Question • Updated 3 years ago • Answered • Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members.

I'm a brand new Automatic user, so bear with me. I was interested in using my 2nd gen adapter with an app like SpotAngels, but if I connect my accounts, it appears they receive my email address, and obviously all real-time location data. That concerns me. After contacting them, data is not anonymized, and everything is associated with my PII (email address). Not being paranoid, but if they were hacked, someone could know where I was with nothing more than my email address (if I understand how this all works). I have no idea how a third party app is securing (or not) the data they receive.

Perhaps I am mistaken on how this works. Would love some clarification/feedback.

Joel

Posted 3 years ago

Adam Altman, Alum

Hi Joel,

Thanks for writing in and we hear your concern.  

We take many precautions to protect users from data breaches, and Spot Angels is following industry best practices on security. There's a reasonable use for them to have your email, so we allow it.  Though in the world of information security, one can never say something will never happen.  If you're uncomfortable, just don't connect it.

One potential solution if you're very concerned is to have a separate email address that is only used for Automatic and has nothing to do with the rest of your life.

Privacy and Security in General
We regulate a partner's access to Automatic user data by limiting what data fields they reasonably need to have access to. Before we let something be published to our app store, we inspect these scopes and will have a discussion with the app owners about why they need certain data and why, and we'll often remove certain access.

When you are asked to authenticate an application, it will tell you what data the app is requesting access to. This is very much like signing in with Facebook on other sites.  Note: typing your password into the authorization screen does not give your password to the partner, just to Automatic, again like Facebook login.  If you are not comfortable with the data that the partner app is requesting, simply don't connect the app.  To ensure that you are not being phished, check the URL bar when on an authorization screen.  It must be coming from some domain that ends in Usually this will be like ''

We take additional security measures like modulating the user_id that represents you from one partner app to the next, enforcing that all data requests be made over HTTPS encrypted connections, and making developers agree to our Terms of Service Principles which require them to store data securely. Any violation of the terms of service would result in immediate suspension of their data access and possible legal action.

Email addresses specifically
While there is a way for partners to build apps using only an Automatic user's unique user_id, most of them like to additionally match up against email in case you are an existing user of their service (so they can merge the accounts), or simply to be able to contact you.  We find this to be a reasonable use of email address and so grant it to most applications that want it.

Spot Angels in Particular
I happen to know the Spot Angels situation fairly intimately, and can say that they are following industry best practice on security. Their application is hosted on Heroku which is owned by Salesforce, both of which are religious about security.  Heroku's data stores are backended by Amazon Web Services, which runs most of the consumer internet at this point. And if AWS or Heroku were hacked, Spot Angels would be the least of your concerns... which is to say that it's low likelihood.

Also, while I don't know this level of detail about all integrations, I do happen to know that Spot Angels uses very long random string passwords for its database, which is about as good as a developer can do for a consumer grade application.

Risk is never zero
Though all of what I said above is good practice, and we are confident the risk of a data breach is very low, it remains true that anything is possible in the world of modern technology. If you are uncomfortable with the benefit to risk tradeoff, the best thing is to just not connect to that partner's app.
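
The answer above mentions giving each partner app a different user_id for the same person. The following is an added example, not Automatic's code, of one way a platform can do that and of why a shared email address still lets two partners' records be linked. The HMAC derivation, the key, the client ids and the scope names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed platform-side secret (assumption); a real deployment would keep it in a KMS/HSM.
PLATFORM_KEY = b"constructed-demo-key-not-a-real-secret"


def pairwise_user_id(internal_user_id: str, partner_client_id: str) -> str:
    """Derive the user_id one partner sees: stable per (user, partner), unlinkable across partners."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot produce the same input.
    msg = b"".join(
        len(part).to_bytes(2, "big") + part
        for part in (partner_client_id.encode(), internal_user_id.encode())
    )
    return "U_" + hmac.new(PLATFORM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def partner_view(internal_user_id, email, partner_client_id, scopes):
    """Build the profile record released to a partner, limited to the scopes it was granted."""
    record = {"user_id": pairwise_user_id(internal_user_id, partner_client_id)}
    if "email" in scopes:  # hypothetical scope name
        record["email"] = email
    return record


def linkable_fields(record_a, record_b):
    """Fields on which two partners' records could be joined to the same person."""
    shared = record_a.keys() & record_b.keys()
    return sorted(k for k in shared if record_a[k] == record_b[k])


if __name__ == "__main__":
    # Constructed sample user and partner client ids.
    user, email = "internal-000123", "driver@example.com"
    a = partner_view(user, email, "parking-app", {"location", "email"})
    b = partner_view(user, email, "mileage-app", {"location", "email"})
    c = partner_view(user, email, "mileage-app", {"location"})
    print(linkable_fields(a, b))  # records join on email despite different user_ids
    print(linkable_fields(a, c))  # nothing shared once the email scope is withheld
```
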

Joel

Thank you so much for your thoughtful reply. You've put my mind at ease regarding third party apps in general, and Spot Angels specifically. 
