Privacy Policy

The data controller under the EU General Data Protection Regulation ("GDPR") is TempaDrive, whose details are listed below.

The table below summarises what we do with personal data. Each row links to the section further down that explains it in full.

Depending on how you interact with us, we may collect:

• Contact details you give us: full name, email, phone, postal address, messaging handles (WhatsApp, Telegram) if you choose to share them.
• Vehicle information necessary to deliver the service: make, model, year of manufacture, engine code, VIN (vehicle identification number), original ECU file, diagnostic readings.
• Order and transaction data: product selection, price, currency, invoice address, payment confirmation (we never see full card numbers — see Section 9).
• Account data (if you create one): login email, password hash, profile preferences.
• Communications: emails, form submissions, chat messages, calls we agree to record.
• Technical data collected automatically: IP address, approximate location (city level), device and browser type, operating system, referring URL, pages visited, timestamps.
• Cookies and similar technologies — see Section 6.
• Optional content you choose to publish: reviews, blog comments, photos of your vehicle.

We do not intentionally collect so-called special-category data (health, biometrics, political opinions, etc.). Please do not submit such data to us. If you do so by mistake we will delete it as soon as we become aware.

We use personal data for the following purposes:

• Provide the service you ordered — tune your ECU file, deliver FSC codes, enable BMW features, ship physical goods.
• Communicate with you about your order, answer your questions and provide after-sales support.
• Issue invoices and keep our books as required by Lithuanian and EU tax law.
• Detect and prevent fraud, abuse and attacks against our systems.
• Measure and improve the quality of our website, our services and our marketing (with your consent for analytics and advertising technologies).
• Send you newsletters or promotional messages (only if you asked us to, and you can unsubscribe in every email).
• Comply with legal orders from courts, supervisory authorities and tax authorities.

Under GDPR Article 6 we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)) — to deliver the tuning files, codes, goods and related services you order.
• Legal obligation (Art. 6(1)(c)) — for accounting, tax and consumer-protection record keeping.
• Legitimate interests (Art. 6(1)(f)) — for server security, fraud prevention, basic analytics that do not rely on tracking cookies, and to defend our legal rights. We have balanced our interests against yours; you may object at any time (see Section 10).
• Consent (Art. 6(1)(a)) — for analytics cookies, marketing cookies, session replay, advertising pixels and optional newsletters. You can withdraw your consent at any time without affecting processing done before withdrawal.

We use cookies and similar technologies (pixels, local storage, device identifiers) both to make the website work and to understand how visitors use it.

When you first visit the site we ask for your consent through a cookie banner. Strictly-necessary cookies run without consent because they are required for the site to function (for example, to remember your shopping cart or your consent choice). All other categories run only if you accept them.

You can change your choices at any time via the "Cookie Preferences" link in the footer, and most browsers let you delete cookies manually.

Some of these technologies transfer data outside the European Economic Area — see Section 8 for the safeguards we rely on.

We never sell your personal data. We share it only with the service providers we need in order to run the business, and only to the extent necessary. Each provider is bound by a data-processing agreement under GDPR Art. 28.

Categories of recipients:

We may also disclose data (i) to law-enforcement, regulators or courts when we are legally required to, (ii) to our professional advisers (lawyers, auditors) under strict confidentiality, and (iii) in the context of a merger, acquisition or sale of assets, in which case the acquirer will be bound by this policy for the data transferred.

Some of our processors are based outside the European Economic Area, most commonly in the United States. When that happens, we rely on one or more of the following safeguards recognised by the European Commission:

(a) European Commission adequacy decisions (including the EU–US Data Privacy Framework) where applicable; (b) Standard Contractual Clauses (2021 version) with additional technical and organisational measures; (c) your explicit consent, where allowed.

You can request a copy of the safeguards in place for a specific transfer by contacting us.

We keep personal data only for as long as necessary for the purpose we collected it, plus any period required by law. Concrete retention periods are shown in the summary table in Section 2.

In short:

• Order and accounting records: 10 years (Lithuanian accounting law).
• Contract and customer-support records: 5 years after the end of the business relationship.
• Marketing consents and preferences: until you withdraw consent.
• Server and security logs: up to 12 months.
• Analytics data: up to 26 months (GA4 default) or until you withdraw consent.

At the end of the retention period we delete the data or anonymise it so that it can no longer be linked to you.

If you are in the European Economic Area you have the following rights:

• Right of access — obtain a copy of the personal data we hold about you.
• Right to rectification — have inaccurate or incomplete data corrected.
• Right to erasure ("right to be forgotten") — have data deleted when it is no longer needed or when you withdraw consent.
• Right to restrict processing — ask us to pause certain processing.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format, and transfer it to another controller.
• Right to object — object to processing based on legitimate interests or direct marketing.
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such automated decisions; our tuning files are produced by qualified engineers.
• Right to withdraw consent at any time, without affecting processing done before withdrawal.
• Right to lodge a complaint with a supervisory authority — our lead authority is Valstybinė duomenų apsaugos inspekcija (VDAI), Lithuania; see https://vdai.lrv.lt. You may also complain to the authority in your own country.

To exercise any of these rights, email us at info@tempadrive.com. We will reply within one month (GDPR Art. 12(3)), and we will not charge a fee unless the request is manifestly unfounded or excessive.

If you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply. Your rights mirror those in Section 10. You may complain to the UK Information Commissioner's Office at https://ico.org.uk.

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) may give you the following rights even if we are not currently required to meet the business-size thresholds:

(a) right to know what categories of personal information we have collected about you and how we use them; (b) right to delete personal information we collected from you, subject to legal exceptions; (c) right to correct inaccurate personal information; (d) right to opt out of the "sale" or "sharing" of personal information (we do not sell personal information in the traditional sense, but targeted advertising may be considered "sharing" under CPRA); (e) right to limit the use of sensitive personal information; (f) right to non-discrimination for exercising these rights.

To exercise your California rights, email info@tempadrive.com with the subject line "California privacy request". You may use an authorised agent; we may require verification of your identity.

Switzerland: if you are in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP) applies. Your rights are broadly equivalent to those under the GDPR.

Brazil: if you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. You have the rights enumerated in LGPD Art. 18. Send requests to info@tempadrive.com.

Our services are intended for adults (18+) who own or are authorised to modify the relevant vehicle. We do not knowingly collect personal data from children under 16. If you believe a child has given us personal data, please contact us and we will delete it.

We apply appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest for our databases and storage.
• Role-based access control with the principle of least privilege; administrative access is restricted to authorised staff.
• Regular backups and disaster-recovery procedures.
• Security patching of infrastructure and third-party libraries.
• Audit logs for administrative actions.
• Staff training and confidentiality agreements.

No system can be 100% secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify our lead supervisory authority within 72 hours (GDPR Art. 33) and, where the risk is high, notify you directly (Art. 34).

We do not take decisions about you using solely automated processing that produce legal effects or similarly significantly affect you. Our tuning files are prepared by qualified engineers, and orders that present a fraud risk are reviewed manually.

Our site may link to third-party sites (for example partner workshops or software vendors). We are not responsible for their privacy practices; please read their own policies before providing them with personal data.

We may update this policy to reflect changes in our services, our processors or applicable law. When we make material changes we will update the "Last updated" date at the top of the page and, where required, notify existing customers by email. Please review the policy periodically.

For any privacy question or to exercise your rights, write to: