Controller
The data controller for INSTATuner is Tuning-Database, operating instatuner.tuning-database.co.uk. For all data-protection matters, contact: privacy@tuning-database.co.uk.
What we collect
- Account data — email, display name, locale preference, tier, subscription state. Sourced from your tuning-database.co.uk account via HMAC-signed sync, refreshed on every sign-in.
- Browser fingerprint — a one-way hash of stable browser characteristics (user-agent, screen size, timezone, canvas, WebGL) used to enforce the 2-device cap. Not used for tracking across sites.
- Session cookies — Laravel session cookie (essential, expires after 7 days idle), CSRF token cookie, locale preference cookie. No third-party trackers.
- Audit log — login attempts (success / failure / rate-limited), file uploads, downloads, edits, settings changes, subscription transitions, security events. Each entry is timestamped, IP-stamped, and tied to your account.
- Page views — URL path, status code, response time, IP, user-agent. Used for performance monitoring and abuse detection.
- Uploaded ECU files — the BIN/ORI/HEX/FRF binaries you submit, plus the SHA-256 hash, original filename, file size, and any extracted hardware/software identifiers. Stored at rest with restricted filesystem permissions.
- Editor drafts — the cell-level mutations you save as drafts inside the editor. Stored as JSON, tied to the originating upload.
- Device sessions — confirmed and pending devices, last-active timestamp, IP at confirmation time.
Lawful bases (GDPR Article 6)
- Contract performance (Art. 6(1)(b)) — for everything that delivers the paid service: account, uploads, editor, downloads, billing.
- Legitimate interest (Art. 6(1)(f)) — security audit log, fraud prevention, rate limiting, abuse investigation. Balanced against your interests; you can object.
- Legal obligation (Art. 6(1)(c)) — financial records (7 years), tax invoicing, breach notification.
- Consent (Art. 6(1)(a)) — only where explicitly captured (e.g. optional product-update emails). Withdrawable any time.
How we use it
To run the service, enforce subscription limits, prevent fraud, debug errors, deliver email notifications, and produce aggregate anonymous usage statistics. We do not sell, rent, or trade personal data.
Retention
| Category | Retention |
|---|---|
| Account data, subscription | While account is active + 60 days after closure (then deleted, except financial records). |
| Audit log | 24 months while account is active; 60 days after closure. |
| Page views | 90 days, then aggregated and IP-truncated. |
| Uploaded BINs (Standard tier) | 12 months after upload. |
| Uploaded BINs (Premium / VIP tiers) | Indefinite while subscription active; 60 days after closure. |
| Editor drafts | Same as the underlying upload. |
| Device sessions | Auto-revoked after 60 days inactive. |
| Financial records (invoices, payment metadata) | 7 years (legal obligation). |
Cookies & local storage
We set only strictly-necessary first-party cookies for sign-in (Laravel session), CSRF protection, and locale preference. Browser local storage holds the device-fingerprint hash and the design-system theme preference. No third-party advertising or analytics cookies are set by INSTATuner itself. The full list is in the Cookies Policy.
Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Hosting (compute, storage) | Germany / Finland (EU) |
| Let's Encrypt | TLS certificate issuance | USA |
| Stripe / PayPal (via WooCommerce) | Payment processing | EU / USA, GDPR-adequate or SCC-covered |
| WordPress (tuning-database.co.uk) | SSO + transactional email gateway | EU (same infrastructure) |
Your rights
Under GDPR, UK GDPR, and similar regimes you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion (subject to retention obligations above).
- Restriction — pause processing while a complaint is open.
- Portability — receive a structured, machine-readable export.
- Object — to processing based on legitimate interest.
- Withdraw consent — for any processing based on consent (impacts only consent-based processing, not contract or legal-obligation bases).
- Lodge a complaint — with your local data-protection supervisory authority.
Email privacy@tuning-database.co.uk with your account email; we respond within 30 days. The Account → Privacy panel inside the app also provides a self-service "Export my data" button that produces a signed JSON dump.
International transfers
Primary infrastructure (compute, storage, database, backups) is in the EU. Where a sub-processor is outside the EEA, the transfer is covered by the European Commission Standard Contractual Clauses (SCCs) or an adequacy decision.
Security
TLS-only access. Passwords are bcrypt-hashed at the identity provider. Uploaded BINs sit in private storage with apache-only filesystem permissions. Daily encrypted MySQL backups with 30-day retention. Annual access review.
Breach notification
In the event of a personal-data breach with a likely risk to your rights, we notify the supervisory authority within 72 hours and the affected users without undue delay.
Changes
Material changes are announced via email and the public changelog at least 30 days before they take effect.
Last updated: 2026-04-30