Privacy Policy
Last updated: April 17, 2026.
1. Data controller
The controller of your personal data is:
- AT Tuning, obrt za usluge
- Stipe-Duje Drnasin
- Cesta dr. Franje Tuđmana 929, 21217 Kaštel Štafilić, Hrvatska
- OIB: 72412380695
- Email: support@at-tuning.com
- Phone: +385 95 8707 535
2. Data Protection Officer
Given the size and scope of our business, we are not required to appoint a Data Protection Officer (DPO). For any questions regarding personal data protection, you can contact us at support@at-tuning.com.
3. Data we collect
We collect the following categories of personal data:
- Account data — email address, business name, password (hashed)
- Order data — ECU files, selected vehicle and services, order short code, status
- Financial data — credit balance, transaction history (payment processing is handled by Stripe — we do not store card details)
- Communication data — messages sent through the platform messaging system
- Technical data — IP address, browser type, cookie data (only with consent), device information
4. Purposes and legal basis
- Contract performance (Art. 6(1)(b) GDPR) — processing orders, delivering tuned files, managing credits, order-related communication
- Legitimate interest (Art. 6(1)(f) GDPR) — platform security, fraud prevention, audit logs, service improvement
- Legal obligation (Art. 6(1)(c) GDPR) — maintaining accounting and tax records as required by Croatian law
- Consent (Art. 6(1)(a) GDPR) — analytics cookies (Google Analytics) — you can withdraw consent at any time
- Pre-contractual steps (Art. 6(1)(b) GDPR) — account registration, browsing the vehicle catalog and pricing
5. Data recipients
We share your personal data with the following service providers who process data on our behalf:
- Supabase Inc. — database, authentication and file storage (EU region)
- Stripe, Inc. — payment processing (USA — protected by Standard Contractual Clauses)
- Resend, Inc. — transactional email delivery (USA — protected by Standard Contractual Clauses)
- Vercel, Inc. — website hosting (global network — protected by Standard Contractual Clauses)
- Google LLC — website analytics, Google Analytics (USA — protected by Standard Contractual Clauses, only with user consent)
6. Third-country transfers
Some of our service providers (Stripe, Resend, Vercel, Google) are based in the USA. Data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Art. 46(2)(c) GDPR. Supabase uses an EU region (eu-north-1) for data storage.
7. Data retention periods
- Account data: retained while the account is active, plus 30 days after deletion
- ECU files: deleted 90 days after order completion
- Financial records: retained for 11 years as required by Croatian tax law
- Analytics data: retained for 26 months (Google Analytics default)
8. Your rights
You have the following rights regarding your personal data:
- Right of access — request a copy of your personal data (Art. 15 GDPR)
- Right to rectification — correct inaccurate data (Art. 16 GDPR)
- Right to erasure — request deletion of your data (Art. 17 GDPR)
- Right to restriction — restrict how your data is used (Art. 18 GDPR)
- Right to data portability — receive your data in a structured format (Art. 20 GDPR)
- Right to object — object to processing based on legitimate interest (Art. 21 GDPR)
- Right to withdraw consent — withdraw consent for analytics cookies at any time
To exercise any of these rights, contact us at support@at-tuning.com. We will respond within 30 days.
9. Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority for personal data protection:
- Agencija za zaštitu osobnih podataka (AZOP)
- Selska cesta 136, 10000 Zagreb, Hrvatska
- Tel: +385 1 4609 000
- Email: azop@azop.hr
- Web: azop.hr
10. Cookies
We use strictly necessary cookies (session, authentication, language selection) without your consent as they are required for the website to function. Analytics cookies (Google Analytics) are used only with your explicit consent, which you can give or withhold via the cookie notice displayed when you visit the site. You can change your decision by clearing your browser cookies and revisiting the site.
11. Automated decision-making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
12. Changes to this policy
We reserve the right to modify this privacy policy. All changes will be published on this page with an updated date. For significant changes, we will notify users via email.