Who runs Tracktuned
Tracktuned is operated by Lawrence L-Dean (sole trader), trading as Tracktuned, United Kingdom. We are the data controller for the personal data described below. For privacy questions, data subject requests, or anything else covered by this policy, email [email protected].
Overview
Tracktuned makes hardware and software for motorsport tuning: the Tracktuned Link wireless USB bridge with its desktop app, and the Tracktuned Connect mobile app for wireless CAN keypads. This policy covers all three. We collect as little data as possible, never sell anything, and never use anything for advertising, profiling, or third-party marketing.
We use cookies on the website only for what's strictly necessary (the dark-mode toggle stores your preference in localStorage). No analytics cookies. No marketing cookies. No fingerprinting.
What we collect: Tracktuned Connect (mobile app)
If you don't sign in: we collect nothing. The app works entirely offline on your device. Your button configurations, layouts, and settings are stored locally on your phone using SharedPreferences. No data leaves your device.
If you sign in (optional): to enable cloud sync of your layouts across devices, we collect:
- Your email address (for magic-link authentication)
- Your button layouts and configurations (synced to our cloud database)
We do not collect analytics, usage data, device identifiers, location data, contacts, photos, or anything else.
CAN bus communication
When connected to a Tracktuned Link device, the Connect app sends button commands over your local WiFi network to the device. This communication happens entirely on your private WiFi network. No CAN bus data, button presses, or ECU data is transmitted to us or any external server.
What we collect: Tracktuned Link (desktop app + bridge device)
The Link desktop app runs on your Windows PC and the Link hardware is a small WiFi-only device that sits next to your ECU. In normal use, neither sends anything to us. The app phones our update servers (releases.tracktuned.link) to check for newer firmware and app versions; that's the only background contact with our infrastructure.
Update checks: when the app fetches an update manifest we receive an HTTP request to our Cloudflare update endpoint. Cloudflare logs the source IP and request path for security and abuse-prevention purposes (DDoS protection, rate limiting). We do not associate these logs with any user identity. Cloudflare retains them under their own retention policy.
Crash diagnostics: the app keeps rolling local log files in %APPDATA%\Tracktuned Link\logs\ on your machine. These never leave your computer unless you explicitly press Get Support (see the next section).
Support diagnostics (only when you press Send)
If you press Get Support in the Link desktop app, we collect and send the following, only when you click Send, never automatically:
- What you type: your name, email, and the description of the issue.
- App + system info: Tracktuned Link version, USB/IP driver version, Windows version, locale, USB host controller make.
- Connected devices: VID/PID, product name, USB speed, and bound driver service of devices currently attached through the bridge.
- Live Link device dump: pulled fresh when you press Send, if the device is reachable. Includes: firmware version, OpenWrt version, kernel build, uptime, memory and disk usage, kernel command line, USB autosuspend and buffer-pool settings, WiFi configuration (including the device's WiFi password, which is the same shared password we ship to every customer, not a personal secret), WiFi state, IP addresses, listeners on the USB/IP ports, our proxy daemon's recent log lines, usbipd state, the list of currently-attached USB devices, the last 200 lines of the system log, and the last 100 lines of the kernel ring buffer.
- Cached device info: last-known firmware version, uptime, USB autosuspend state, WiFi channel from the periodic five-minute background fetch (used if the device is not reachable when you press Send).
- Recent app logs: the most recent two log files from %APPDATA%\Tracktuned Link\logs\ (capped at 5MB each).
- Stable install ID: a random UUID v4 generated on first run, used only to correlate repeat tickets from the same install. Reset on uninstall.
- Submission metadata: when the support bundle reaches our Cloudflare Worker, the Worker records your IP address alongside the ticket for abuse prevention and rate-limiting (one ticket per IP per hour). This IP is stored in the bundle's R2 metadata and deleted with the bundle.
What we do NOT collect: your home WiFi password (only the Tracktuned device's shared WiFi password ships in the bundle), ECU map data or tuning files, full Windows event log, your browsing data, anything from outside the Tracktuned Link app folder.
The Link app shows you exactly what's in the bundle before you press Send, in a "What's included" panel. You can cancel without sending if you change your mind.
How we use your data
- Email address: magic-link authentication (Connect), reply to your support ticket (Link).
- Layouts: sync across your devices (Connect only).
- Diagnostic bundle: diagnose and reproduce the issue you reported.
- Update-check IP logs: DDoS protection and rate limiting at the CDN layer.
We do not use your data for advertising, profiling, marketing, behavioural analytics, training models, or any purpose other than the ones above.
Legal basis (UK GDPR / EU GDPR)
| Data | Purpose | Lawful basis |
|---|---|---|
| Email + cloud-synced layouts | Provide the cloud-sync feature you opted into | Performance of a contract, Art. 6(1)(b) |
| Support bundle (name, email, description, diagnostics) | Diagnose your reported issue | Consent, Art. 6(1)(a), given when you press Send |
| Update-check IP / Worker IP logs | Security, anti-abuse, rate limiting | Legitimate interests, Art. 6(1)(f) |
Where data is stored
- Local-only data: your phone (SharedPreferences) and your PC (%APPDATA%). Uninstalling removes it.
- Cloud sync (Connect): Supabase, EU region. Row-level security: only you can read your own layouts.
- Support bundles (Link): Cloudflare R2 bucket tracktuned-support. Cloudflare's R2 storage uses EU and US regions for redundancy.
- Update manifests: Cloudflare R2, public read, no personal data.
Where data is processed outside the UK / EEA (e.g. Cloudflare US regions for redundancy), the transfer relies on Cloudflare's Standard Contractual Clauses and is limited to the data described above.
Retention
- Cloud-synced layouts: kept until you delete them or close your account. Closing the account deletes everything within 30 days.
- Support bundles: automatically deleted after 12 months from upload (R2 lifecycle policy). Earlier deletion on request, processed within 30 days.
- Cloudflare CDN logs: Cloudflare's own retention policy (typically days, not months).
- Email correspondence: kept as long as it's useful for the conversation, deleted on request.
Security
- All data in transit is encrypted with TLS 1.2+. The Link app rejects unsigned firmware updates (minisign signatures verified before flash).
- Cloud-stored data (Supabase, R2) is encrypted at rest by the provider.
- The desktop app installer ships drivers signed via Microsoft attestation. Auto-updates are minisign-signed; an unsigned or tampered update is refused.
- We don't store any payment data ourselves: all payments go through our checkout provider, which we'll list here once a payment processor is selected.
Breach notification
If we discover a personal data breach that's likely to result in a risk to your rights and freedoms, we'll notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, and notify you directly at the email address you've given us as soon as practicable.
Your rights
Under UK GDPR / EU GDPR, you have the right to:
- Access: ask for a copy of your personal data we hold
- Rectification: correct inaccurate data
- Erasure: have your data deleted ("right to be forgotten")
- Restriction: limit how we use your data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: at any time, with no effect on processing already done
To exercise any of these rights, email [email protected]. We'll respond within 30 days. If you're unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk.
How to delete your data
- Local data (Connect / Link app): uninstall the app, or delete layouts from the Layouts screen.
- Cloud-synced layouts (Connect): sign out keeps your data in the cloud. To permanently delete your account and all cloud data, email [email protected]. Deletion completes within 30 days.
- Support tickets (Link): email [email protected] with the ticket ID. Removed within 30 days. All bundles are auto-deleted after 12 months regardless.
Third-party services we use
- Supabase: authentication and cloud storage for the Connect app. supabase.com/privacy
- Cloudflare: DDoS protection, R2 storage for support bundles + firmware/app updates, Worker hosting for the support API. cloudflare.com/privacypolicy
- Discord: internal support triage. Customer-submitted bundle metadata (ticket ID, first 1500 characters of your description, install-ID prefix, device summary) is posted to a private support channel only we have access to. Discord is not a public destination for this data. discord.com/privacy
- Bunny Fonts: privacy-friendly font hosting on the website. No tracking or analytics. fonts.bunny.net/about
We do not use Google Analytics, Facebook Pixel, Hotjar, or any other tracking / analytics / advertising tooling.
Children
Tracktuned products are designed for motorsport tuning and are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us their data, email [email protected] and we'll delete it.
Changes to this policy
If we make material changes, we'll update the "Last updated" date at the top of this page and, where the change affects data we already hold, notify you by email if we have one for you. Continued use after a non-material update constitutes acceptance.
Contact
Questions, requests, or complaints about this privacy policy? Email [email protected]. We aim to respond within five working days, and within 30 days for any GDPR-mandated data subject request.