Privacy Notice

Legal

This notice explains what personal data DashCAN processes, why and on what legal basis, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. What data we process, why, and our legal basis

We only process personal data where we have a lawful basis under Article 6 GDPR. The table below maps each processing purpose to the data involved and the legal basis we rely on.

(a) Account registration

Data: email address, password (stored only as a salted hash — never in plain text), display name.

Legal basis: performance of a contract — Art. 6(1)(b) GDPR (to create and operate your account).

(b) Orders, payment & shipping

Data: name, email, phone number, billing and shipping address.

Legal basis: performance of a contract — Art. 6(1)(b) — to process and deliver your order, and compliance with a legal obligation — Art. 6(1)(c) — for issuing and retaining invoices.

Payment: card payments are processed by Stripe. We do not receive or store your full card number or other card data.

Data: the telemetry you choose to upload, including GPS position, lap times and ECU/sensor logs.

Legal basis: performance of the cloud-service contract — Art. 6(1)(b) — and, where the upload is an optional feature you switch on, your consent — Art. 6(1)(a). Telemetry is only sent to us if you explicitly enable the cloud feature; otherwise it stays on your device.

(d) Waitlist & notification emails

Data: email address and the product you asked to be notified about.

Legal basis: consent — Art. 6(1)(a). You can withdraw at any time via the unsubscribe link or by emailing us.

(e) Site analytics (Google Analytics)

Data: usage and device data collected through Google Analytics (e.g. pages viewed, approximate location, device/browser information).

Legal basis: consent — Art. 6(1)(a). Analytics runs only if you accept it in our cookie banner. If you do not accept, no analytics cookies are set and no analytics data is collected.

(f) Support email

Data: your email address and the contents of your message.

Legal basis: our legitimate interest in answering enquiries and providing support — Art. 6(1)(f) — or performance of a contract — Art. 6(1)(b) — where your message relates to an existing order or account.

2. Recipients and processors

We use a small number of carefully selected service providers who process personal data on our behalf (processors) or receive it to perform their own role (recipients). They act only on our instructions or as needed to deliver their service:

Stripe — payment processing.
Google — site analytics (Google Analytics), used only with your consent.
Mailjet — transactional and notification email delivery.
Railway — our hosting provider, which stores the data needed to run the website and services.
Shipping carriers — to deliver physical orders to your address.

We do not sell your personal data; we share it only with the processors/recipients listed here to run the service. We may also disclose data where required by law or to establish, exercise or defend legal claims.

3. International transfers

Most processing takes place within the European Union / European Economic Area (EU/EEA).

Some of our providers — in particular Google and Stripe — may process personal data in the United States. Where they do, the transfer is covered by the EU–US Data Privacy Framework, for which the European Commission has issued an adequacy decision confirming an adequate level of protection. Other processing of your data takes place in the EU/EEA.

4. How long we keep your data (retention)

Account data — kept for as long as your account exists; deleted (or anonymised) after you close your account, subject to the retention rules below.
Order & invoice data — retained for approximately 8 years, as required by the Hungarian Accounting Act (Act C of 2000), §169(2).
Analytics data — retained in line with our Google Analytics retention settings.
Marketing & waitlist data — kept until you unsubscribe or withdraw consent.
Cloud telemetry & other data — kept for as long as needed for the purpose it was collected for. Where no fixed period applies, we determine retention by criteria such as the duration of our relationship with you, the existence of a legal obligation, and the need to defend legal claims.

5. Your rights

Under the GDPR you have the following rights in respect of your personal data:

Access — to obtain a copy of the personal data we hold about you (Art. 15).
Rectification — to have inaccurate or incomplete data corrected (Art. 16).
Erasure — to have your data deleted in the circumstances set out in Art. 17 ("right to be forgotten").
Restriction — to restrict our processing in certain cases (Art. 18).
Portability — to receive data you provided in a structured, commonly used, machine-readable format and to have it transmitted to another controller (Art. 20).
Objection — to object to processing based on our legitimate interests (Art. 21).
Withdraw consent — where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew (Art. 7(3)).

To exercise any of these rights, contact us at support@dashcan.eu. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR (this period may be extended by two further months for complex or numerous requests, in which case we will tell you).

You also have the right to lodge a complaint with a supervisory authority. In Hungary this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — the Hungarian National Authority for Data Protection and Freedom of Information — naih.hu.

6. Cookies & analytics

We use a small number of strictly necessary cookies to run the site and keep you signed in: access_token and refresh_token (httpOnly, essential) and auth_session (a JavaScript-readable cookie holding your basic user identity, kept for 7 days). Your cart and your cookie-consent choice are stored in your browser's local storage, not in cookies.

Analytics cookies (Google Analytics) are only set if you accept them in the cookie banner. For full details of every cookie, its purpose and duration, see our separate Cookie Policy.

7. Children

Our website, products and services are not directed to children under the age of 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact support@dashcan.eu and we will delete it.

8. Changes to this notice

We may update this Privacy Notice from time to time. When we do, we will post the revised version here with a new version number and date. Where a change requires it — for example a new processing purpose that relies on consent — we will seek your fresh consent before that processing begins. We encourage you to review this page periodically.

Last updated: June 2026 · Version 2.0