Privacy Policy

Effective Date: May 10, 2026

This Privacy Policy describes how TunePulse ("we", "us", "our") collects, uses, stores, shares, and protects your information when you use TunePulse (the "Service"). By using the Service, you agree to the practices described in this policy.

1. Data We Collect

We collect different categories of data depending on how you interact with the Service:

1.1 Account Data

When you register, we collect your name, email address, and password (stored as a salted hash). If you are invited as a collaborator, we receive your email address from the inviting user before you create an account.

1.2 Vehicle Records

You may create vehicle records that include a vehicle name, Vehicle Identification Number (VIN), and associated metadata. VINs are stored in their original form for owner use and displayed in a masked format where appropriate.

1.3 Uploaded Log Files

You may upload ECU datalog files in CSV format. These files contain time-series data recorded by the ECU Connect application, including but not limited to: air-fuel ratios, boost pressure, ignition timing, knock correction, injector duty cycle, wastegate duty, wheel speed, torque split, fuel trims, and other engine and vehicle parameters. Log files may also contain embedded metadata such as VIN, ECU calibration IDs (CALIDs), ROM hashes, programming information, and application version data.

1.4 Derived Data

The Service processes uploaded log files to produce derived data, including: parsed and structured parameter values, interactive charts and reports, statistical summaries, threshold comparisons and health assessments, and AI-generated insights with associated confidence levels. This derived data is generated from your uploaded content and stored as part of your account records.

1.5 User-Created Content

You may add labels, notes, mark events, and other annotations to your logs and vehicles. This content is stored alongside your vehicle and log records.

1.6 Share and Collaboration Data

When you create a public share link, we generate a cryptographic token and store a record of: the share type, which vehicle and logs are included, access scope settings, creation date, and view count. When you invite a collaborator, we also store the invited email address and whether the collaborator has re-share permissions.

1.7 Usage and Technical Data

We collect standard server logs that may include your IP address, browser type, referring URL, pages visited, and access timestamps. We use this data for service operation, security monitoring, and troubleshooting.

2. How We Use Your Data

We use the data described above for these purposes:

• Providing the Service: Parsing and analyzing log files, generating reports and insights, rendering charts, and displaying vehicle records.
• Sharing: Delivering shared reports to recipients via tokenized links and processing collaborator invitations by email.
• Account management: Authenticating users, managing roles and permissions, and processing account-related requests.
• Security and integrity: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
• Improvement: Understanding how the Service is used to improve features and performance.
• Legal compliance: Meeting our obligations under applicable laws and responding to lawful requests.

3. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, our legal bases for processing your data are:

• Contract: Processing necessary to provide you with the Service you registered for (account data, log processing, report generation).
• Legitimate interests: Security monitoring, fraud prevention, service improvement, and support operations, balanced against your rights and expectations.
• Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Legal obligation: Processing required to comply with applicable law.

4. Sharing and Disclosure

We do not sell your personal data. We may share data in these circumstances:

• At your direction: When you create a public share link or invite a collaborator, the included log data, charts, notes, labels, and other information are made available to the recipients you designate. Anyone who obtains a public share link can view the shared content.
• Service providers: We may use third-party services for hosting, email delivery, analytics, and infrastructure. These providers process data on our behalf under contractual obligations to protect your information.
• Admin access: Our administrators may access account and log data for support, abuse review, debugging, and system maintenance purposes.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect rights, safety, or property.
• Business transfers: In connection with a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity.

5. Public Share Links and Data Exposure

Public share links are tokenized URLs that do not expose your VIN, vehicle name, or account information in the URL itself. However, the shared report page may display vehicle information, parameter data, charts, notes, labels, and AI insights depending on the scope you selected when creating the link.

Shared pages include a noindex, nofollow directive to discourage search engine indexing, but we cannot guarantee that shared content will not be cached, archived, or redistributed by recipients or third-party services.

You may revoke any share link at any time from your dashboard. Revocation takes effect immediately, but it does not affect copies of data that recipients may have already saved or redistributed.

6. Threshold Profiles and AI Insights

The Service may apply configurable threshold profiles to your log data and produce AI-generated insights with associated confidence labels. Per-VIN threshold overrides and per-log source overrides are stored as part of your vehicle configuration. These thresholds and insights are informational and should not be treated as professional engineering analysis. See our Terms of Service for important disclaimers.

7. Data Retention

We retain your data according to the following schedule:

• Account data: Retained while your account is active and for a reasonable period after deletion to complete pending operations.
• Vehicle records and log files: Retained until you delete them or delete your account.
• Derived data (charts, reports, AI insights): Retained alongside the source log files. Deleted when the source log is deleted.
• Share tokens and collaboration records: Retained until revoked or until the underlying vehicle or log is deleted.
• Server logs: Retained for up to 90 days for security and operational purposes.
• Backups: When you delete a log or vehicle, we remove it from active systems within our normal deletion workflow. Residual copies may remain in backups for a limited period before being overwritten or securely destroyed.

8. Deletion

You may delete individual logs, vehicles, or share links from your dashboard at any time. These deletions remove the data from active systems promptly.

To delete your entire account and all associated data, contact us. We will process account deletion requests within 30 days, subject to any legal retention requirements.

9. Data Portability and Export

You may download your original uploaded log files from the Service. We also support data export requests for account and vehicle data in a structured, machine-readable format. To request an export, contact us.

10. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request that we correct inaccurate or incomplete data.
• Deletion / Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect and how it is used, the right to request deletion, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discriminatory treatment when you exercise your rights.

EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you may exercise your rights by contacting us at the address below. You also have the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us. We will respond within the timeframes required by applicable law.

11. Security

We implement reasonable and appropriate technical and organizational measures to protect your data, including:

• Encrypted storage of passwords using salted hashing algorithms.
• Cryptographic hashing of share tokens with constant-time comparison for verification.
• Role-based access controls limiting admin and user access to appropriate data.
• HTTPS encryption for data in transit (production environments).

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incident and providing notice as required by applicable law.

12. Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and, where required, the appropriate supervisory authority, within the timeframes mandated by applicable law (72 hours for GDPR-covered breaches to the supervisory authority where the threshold is met, and without undue delay to affected individuals where risk is high).

13. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States. If required by applicable law (including GDPR), we will use appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses approved by the European Commission.

14. Children

The Service is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

15. Cookies and Tracking

The Service uses session cookies that are necessary for authentication and site functionality. We do not use third-party advertising trackers or cross-site tracking cookies. If we introduce analytics or optional cookies in the future, we will update this policy and provide appropriate controls.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Service with a new effective date. Your continued use of the Service after any change constitutes acceptance of the revised policy.

17. Contact

For questions, concerns, or requests related to this Privacy Policy or your personal data, please visit our contact page.