Introduction
OctoHex ("we", "our", "us") is a professional ECU immobilizer service operated for licensed automotive technicians and garages. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform at octohex.com.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national data protection laws.
Data We Collect
Account Information
When you register, we collect:
- Business name — your garage or company name
- Email address — used for login, order notifications, and support
- Phone number — for account security and support contact
- Country — for regulatory compliance and service eligibility
- Business registration number (optional) — to verify professional status
- Password — stored as a bcrypt hash; we never store plaintext passwords
Order Data
Each time you submit an ECU processing order, we log:
- Vehicle details you provide (make, model, year, VIN)
- ECU profile selected
- Input file SHA-256 fingerprint (not the file itself — see below)
- Order timestamp, IP address, and browser user-agent
- Payment status and provider reference ID
- Your attestation of authorization for the vehicle
ECU Binary Files
Uploaded ECU binary files are stored only in encrypted memory during processing. The processed (output) file is temporarily held in our database until you download it, at which point it is immediately and permanently deleted. We do not retain copies of your ECU files after download.
Payment Data
We do not store credit card numbers or full payment credentials. Payments are handled by:
- PayPal — subject to PayPal's Privacy Policy
- NOWPayments — subject to NOWPayments' Privacy Policy
We store only the payment provider's reference ID and the transaction status.
Technical Data
- IP address (logged per order for fraud prevention and audit purposes)
- Browser user-agent string
- Session cookies (see Cookies section)
How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b) GDPR) |
| Processing ECU orders and delivering results | Contract performance (Art. 6(1)(b) GDPR) |
| Sending order confirmations and service notifications | Contract performance (Art. 6(1)(b) GDPR) |
| Fraud prevention and abuse detection | Legitimate interests (Art. 6(1)(f) GDPR) |
| Legal and regulatory audit trail | Legal obligation (Art. 6(1)(c) GDPR) |
| Improving service reliability | Legitimate interests (Art. 6(1)(f) GDPR) |
We do not use your data for advertising, profiling, or sale to third parties.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 12 months after closure |
| Order audit records (metadata) | 5 years (legal/regulatory compliance) |
| ECU binary files (input) | Deleted immediately after processing completes |
| ECU output files | Deleted immediately after first download |
| Payment reference IDs | 5 years (financial record-keeping) |
| IP address logs | 12 months |
| Session cookies | Expire on browser close or after 7 days |
Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
- Payment processors (PayPal, NOWPayments) — only the data necessary to complete a transaction
- Hosting infrastructure — our servers are hosted on cloud providers bound by EU data processing agreements
- Law enforcement — if required by a valid legal order, court judgment, or to prevent fraud or serious harm
Security
We implement the following technical and organizational measures to protect your data:
- Passwords stored as bcrypt hashes with salt — never in plaintext
- HTTPS/TLS encryption for all data in transit
- Authentication via signed JWT tokens stored in HttpOnly cookies
- ECU files processed in memory and not written to disk in plaintext
- Access to production systems limited to authorized personnel only
- Database access protected by strong credentials and network-level controls
Your Rights Under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Right of access — Request a copy of all data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure — Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction — Request that we limit processing of your data
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at privacy@octohex.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
Cookies
We use a single essential cookie:
| Cookie | Purpose | Duration |
|---|---|---|
access_token | Stores your authentication session (HttpOnly, not accessible to JavaScript) | 7 days or until logout |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required as we only use strictly necessary cookies.
Contact
For any privacy-related questions or requests:
- Email: privacy@octohex.com
- Subject line: "Privacy Request — [Your registered email]"
For GDPR-specific requests, see our GDPR Compliance page.