Effective Date: April 23, 2026 · Last Updated: April 23, 2026
EcuXprt ("we," "us," or "our") is a web-based ECU tuning platform. This Privacy Policy explains what data we collect, how we store and protect it, and your rights regarding that data.
We take the security of your tuning work seriously. Your calibration files (the intellectual property at the core of your business) are encrypted at rest using AES-256-GCM and are never accessible to anyone outside your account.
This policy applies to all users of EcuXprt, including:
When you create an account, we collect:
Authentication is handled by Supabase Auth. If you sign in via a third-party OAuth provider (e.g., Google), we receive only the basic profile information that provider shares with us.
If you subscribe to Tuner Pass, your payment is processed by Stripe. We store only your Stripe Customer ID and Subscription ID (reference tokens). We never see, store, or have access to your credit card number, CVV, or full payment details. All payment data lives exclusively with Stripe.
When you upload calibration files, we store the XDF definition file, stock BIN, working BIN files, all version-control commits, and subproject files.
All XDF and BIN files are encrypted with AES-256-GCM before being written to storage. Raw calibration data is never stored in plaintext. Only the EcuXprt server can decrypt these files, and only when you or an authorized collaborator accesses the project.
We store non-file project data including project names, vehicle information you enter, commit history messages and timestamps, and table edit history used for version control and undo/redo.
Messages sent between tuners and clients are encrypted at rest using AES-256-GCM. File attachments sent via chat (datalogs, BIN files, images) are also encrypted before storage.
If you use the AI Tuning Copilot, your conversation history is stored per project. This includes your messages, the AI's responses, and the tool calls made during the session.
The AI Agent runs entirely server-side. Your tune data and messages are never sent directly from your browser to any AI provider. The EcuXprt server handles all communication with the AI on your behalf, and only the minimum context needed to answer your question is included in those requests.
We may collect standard server logs including IP address, browser and OS type, pages visited, and error logs. This data is used only for platform security, debugging, and performance monitoring.
| Data Type | Encryption |
|---|---|
| XDF files | AES-256-GCM |
| BIN files (stock, working, all commits) | AES-256-GCM |
| Draft / auto-save BIN data | AES-256-GCM |
| Chat messages | AES-256-GCM |
| Chat file attachments | AES-256-GCM |
| Subproject files | AES-256-GCM |
Row-Level Security (RLS) is enforced at the database layer. You can query only the data you are authorized to see, and that restriction is enforced by the database itself, not just the application. Tuners see only their own projects and projects they've been explicitly invited to collaborate on. Clients see only projects they've been linked to by their tuner.
All data is transmitted over HTTPS/TLS. WebSocket connections used for real-time editor sync are also secured with TLS.
Authentication is managed by Supabase Auth using industry-standard JWT-based sessions. API keys and secrets are stored exclusively as server-side environment variables, never in client code or the browser.
We do not sell your data. We do not share your data with third parties for advertising. We share data only with the following service providers, strictly to operate the platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, file storage, authentication | All stored data (encrypted at rest on their infrastructure) |
| Stripe | Payment processing | Name, email, subscription status |
| AI Provider | AI Agent processing | Conversation messages and minimal tune context to answer your query. Raw BIN/XDF files are never shared. |
Your XDF and BIN files are your intellectual property. We do not:
The AI Agent reads your maps only when you ask it to, via tool calls you initiate. It does not passively scan or store your calibration data outside of the session context needed to respond to your message.
If you invite another tuner to collaborate on a project, they gain access only to that specific project. They cannot see your other projects, client list, or account details.
Clients you add to a project can view messages and upload files within that project's conversation. They cannot see your calibration files, table data, or the tune editor.
You can remove a client or collaborator from a project at any time. Their access is revoked immediately.
EcuXprt uses only essential session cookies required to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
EcuXprt is not intended for users under the age of 18. We do not knowingly collect personal information from minors.
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify active users via email or an in-app notification.
If you have questions about this Privacy Policy or want to request data deletion, open a support ticket from your dashboard. Logged-in users can access it via Dashboard → Support. We will respond as soon as possible.