Privacy Policy

Last updated: 2026-05-27 · Version 0.1 (DRAFT)

⚠ DRAFT — Not yet reviewed by a lawyer or a privacy specialist. Do not rely on this as final policy for GDPR / CCPA / PIPEDA compliance.

TL;DR

We collect the minimum we need to run the product and bill you for it. We do not sell your data. We do not use your tune data to train AI models. Engine telemetry stays on your laptop unless you explicitly ask us to use it (e.g., an AI tuning call). Tune snapshots are stored so you can roll back; you can delete them at any time.

1. Who we are

Tuneless.tech is the data controller for the information described below. Contact: privacy@tuneless.tech.

2. What we collect

2.1 Account information

  • Email address (used as your login identifier).
  • Display name (optional).
  • Authentication metadata managed by Clerk (last sign-in time, IP address, device).

2.2 Subscription & billing

  • Subscription tier and status.
  • Billing history, invoice IDs, and payment method last-four and brand (the full card number never touches our servers — Stripe handles it directly).
  • Billing address (where required for tax purposes).

2.3 Vehicle & tune data

  • Vehicle profile metadata you enter (make/model, displacement, cam profile, etc.).
  • Tune snapshots — the byte-level configuration of your ECU at points in time.
  • Tune session metadata — when you ran a tune session, which vehicle it covered, and tune-counter state (how many of your purchased sessions you've used).

2.4 What we do not collect by default

  • Continuous live telemetry. Live sensor data (RPM, AFR, MAP, etc.) stays in your browser. We only see it when you explicitly run a tune session, and only the samples needed for that session are transmitted.
  • Vehicle identification numbers (VINs). We have no need for them.
  • Your physical location. We do not track GPS.

2.5 Cookies & analytics

We use a small number of strictly-necessary cookies for authentication (managed by Clerk). We use Plausible Analytics for traffic statistics; Plausible is cookieless and does not track individuals across sites. We do not use Google Analytics, Facebook Pixel, or similar tracking SDKs.

3. Why we collect it (legal bases)

  • Contract performance — to provide the Service you signed up for (account, purchases, tune sessions, tune storage).
  • Legitimate interest — to run the business: fraud prevention, rate-limiting, security, aggregate analytics.
  • Legal obligation — tax records, accounting records, lawful government requests.
  • Consent — for any future optional features that go beyond the above (e.g., a community share-tune feature, marketing emails). We will ask first.

4. Who we share data with

We share data only with the service providers we need to run the product, each under a contractual data processing agreement:

  • Clerk — authentication and session management.
  • Stripe — payment processing.
  • Cloudflare — hosting, CDN, DNS, and the Workers and D1 services that run our backend.
  • Google (Gemini API) — AI inference for tuning suggestions. Requests are sent under our server-side API key; Google does not retain prompts from paid Gemini API users for training (see Google's terms).
  • Resend — transactional email (welcome, receipt, password reset).
  • Sentry — error tracking for diagnosing crashes.
  • Plausible — privacy-friendly traffic analytics.

We do not sell your data. We will not share it with advertisers or data brokers. We may disclose data if compelled by lawful process; if we receive such a request, we will challenge it where appropriate and notify you unless prohibited by law.

5. AI and your data

Tune sessions internally use a third-party large-language-model provider to produce the suggested cell-level corrections. When that happens, we send a structured request containing only the inputs needed for the task — a sample of telemetry rows, the current values of relevant tables, and your engine profile. We do not include your name, email, billing info, or other identifying information.

We do not use your tune data, telemetry, or tune-session inputs to train models — ours or anyone else's. AI provider terms governing model training apply to their handling of the request as described in section 4.

6. Retention

  • Account data — kept while your account is active and for 30 days after deletion, then permanently removed (except where law requires longer retention, e.g., tax records: 7 years).
  • Tune snapshots — kept while your account is active. After cancellation/downgrade to Free, kept for 90 days in a read-only export window.
  • Tune session metadata — counters and per-session records kept for the life of your account so you have an audit trail of what was tuned and when. Per-session inputs sent to the AI provider are not retained after the response is delivered.
  • Web server logs — 30 days, then aggregated to anonymous counts.

7. Security

We use industry-standard practices: TLS in transit, encryption at rest for D1, scoped API keys, principle-of-least-privilege access controls, and routine rotation of secrets. We do not store payment card numbers; Stripe does. We do not store passwords; Clerk does (and hashes them using state-of-the-art algorithms).

No system is perfectly secure. If we suffer a breach affecting your information, we will notify you without undue delay as required by applicable law.

8. Your rights

Depending on where you live, you may have rights under GDPR (EU/UK), CCPA/CPRA (California), PIPEDA (Canada), or similar laws. Subject to those laws, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Export your data (data portability).
  • Object to or restrict certain processing.
  • Withdraw consent where consent is the legal basis.
  • Lodge a complaint with your local data protection authority.

Email privacy@tuneless.tech to exercise any of these. We will respond within 30 days.

9. Children's privacy

The Service is not directed at children under 18. We do not knowingly collect information from anyone under 18. If you believe we have, contact us and we will delete it.

10. International transfers

We are based in the United States. If you use the Service from outside the US, you understand and consent to the transfer of your information to the US, which may have data-protection laws different from your jurisdiction. Where required (e.g., EU/UK to US), our processors use Standard Contractual Clauses or equivalent safeguards.

11. Changes to this Policy

We will update this page when our practices change. For material changes we will notify you by email and/or in-app banner.

12. Contact

Privacy questions: privacy@tuneless.tech.