Privacy Policy
Last updated: 2026-05-28
This Privacy Policy explains how the website PldWebApp (the "Service") processes personal data in connection with your use of the Service. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), I act as the data controller.
1. Who I am (Data Controller)
- Controller: Zydrunas Salcius, private individual
- Country: Lithuania
- Email: z.salcius.sg@gmail.com
- Phone: +370 620 90002
2. Information I process
The Service does not require you to create an account. When you use the Service, I may process the following categories of data:
- Uploaded files (e.g.,
.pldor.txtfiles) and their contents. - Identifiers contained in those files or entered by you, such as Vehicle Identification Numbers (VIN), engine serial numbers, ECU serial numbers, and configuration parameters. Where these identifiers can be linked to an identifiable individual, I treat them as personal data.
- Selected modification options chosen during your session (e.g., VIN change, engine serial change, speed limit change, Lost ECU, etc.).
- Payment-related data handled by Stripe — see Section 6. I receive only the Stripe Checkout session/payment identifier and the payment status; I do not receive or store card numbers, CVC, or full cardholder details.
- Optional payment bypass codes you may enter (matched against a server-side allowlist) — only the entered value and the match result are processed; the codes themselves are not linked to your identity.
- Technical data such as IP address, browser type/user-agent, timestamps, request paths, error messages, and limited session identifiers.
- Acceptance and acknowledgement records, including timestamps and IP addresses associated with your acceptance of the Terms of Service, the per-transaction acknowledgements (e.g., the speed-change disclaimer), and other in-app confirmations.
- Communications you send me (e.g., support requests by email or phone).
3. Purposes and legal bases for processing
I process your data on the following GDPR Article 6 legal bases:
| Purpose | Legal basis |
|---|---|
| Receiving, processing, and returning your uploaded files | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and verifying payment status | Performance of a contract (Art. 6(1)(b)) |
| Recording acceptance of Terms and per-transaction acknowledgements | Performance of a contract / legal obligation (Art. 6(1)(b), (c)) |
| Service reliability, debugging, abuse and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations (e.g., tax, accounting, lawful requests) | Legal obligation (Art. 6(1)(c)) |
| Responding to your support inquiries | Legitimate interests (Art. 6(1)(f)) |
4. How uploaded files are used
Uploaded files are processed automatically to:
- Determine file type and validity,
- Apply the modification you selected,
- Generate the modified output file for your download,
- Verify that the corresponding payment has been completed,
- Diagnose errors if processing fails.
I do not use the contents of uploaded files for any purpose unrelated to providing you with the requested output.
5. Retention periods
Data is kept only as long as necessary for the purpose for which it was collected:
- Uploaded files and modified output files: stored in a temporary server folder during processing and deleted immediately after a successful download, after payment cancellation, or — at the latest — automatically removed by the background cleanup routine within 6 hours of upload.
- Session data (selected options, pending modification request, entered VIN / engine / ECU serial / speed values): held in an in-memory server-side session that expires after 30 minutes of inactivity, after which it is discarded.
- Technical/diagnostic logs (IP address, browser type, timestamps, error messages, processing events) collected via Application Insights: retained for up to 90 days for service reliability, debugging, and abuse prevention.
- Acceptance and acknowledgement records (Terms of Service acceptance and per-transaction acknowledgements) captured in logs: retained together with the diagnostic logs above (up to 90 days). For paid transactions, the corresponding acknowledgement is also evidenced by the payment record kept by Stripe.
- Payment records (transaction metadata such as amount, date, Stripe session/payment IDs): retained as required by Lithuanian accounting and tax law (10 years). Full card details are never stored by this Service; they are held by Stripe under its own retention rules.
- Support correspondence (e.g., emails sent to the contact address): retained for up to 12 months after the matter is resolved.
6. Payments (Stripe)
Payments are processed by Stripe Payments Europe, Ltd. ("Stripe"). I do not store your full payment card details. Stripe acts as an independent data controller for the payment data it collects and is subject to its own privacy policy: https://stripe.com/privacy.
7. Recipients and sub-processors
I may share limited data with the following categories of recipients:
- Hosting / infrastructure provider: Microsoft Ireland Operations Ltd. — the Service is deployed to Microsoft Azure App Service in the West Europe region (data centres located in the Netherlands).
- Payment processor: Stripe Payments Europe, Ltd. (Ireland).
- Error monitoring and diagnostic telemetry: Microsoft Azure Application Insights (part of Azure Monitor), used solely for server-side error tracking and performance diagnostics. No advertising or marketing analytics provider is used.
- Email provider used for support correspondence: Google Ireland Ltd. (Gmail), where you contact the support email address.
- Authorities or third parties where required by law or to protect my legal rights.
8. International data transfers
The primary processing of uploaded files and diagnostic telemetry takes place inside the European Economic Area (EEA), in the Azure West Europe region. However, some service providers (including Stripe and Microsoft) may process limited data outside the EEA, including in the United States — for example for support, administration, or sub-processor operations. Where this happens, transfers are protected by appropriate safeguards under GDPR Chapter V, such as the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
9. Security
I apply reasonable technical and organisational measures to protect uploaded files and related data during transmission and processing, including:
- encryption in transit (HTTPS/TLS) with HTTP Strict Transport Security (HSTS) enforced in production,
- storage of uploaded and generated files only in a temporary server folder, with automatic deletion as described in Section 5,
- session cookies marked HttpOnly and configured as essential, with anti-forgery (CSRF) protection on form submissions,
- access controls on the hosting environment and least-privilege administrative access,
- no storage of full payment card data on this Service — card data is handled exclusively by Stripe.
However, no internet-based service can guarantee absolute security.
10. Your rights under the GDPR
You have the right to:
- Access the personal data I hold about you (Art. 15),
- Rectify inaccurate data (Art. 16),
- Erase your data (Art. 17),
- Restrict processing (Art. 18),
- Data portability (Art. 20),
- Object to processing based on legitimate interests (Art. 21),
- Withdraw consent at any time where processing is based on consent (Art. 7),
- Lodge a complaint with a supervisory authority. In Lithuania, this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) — https://vdai.lrv.lt.
To exercise these rights, contact me at z.salcius.sg@gmail.com. I will respond within one month, as required by Art. 12(3) GDPR.
11. Your responsibility for uploaded content
You must not upload files unless you have the legal right to use and modify them. If your files contain personal data, vehicle identifiers, equipment identifiers, or other sensitive information, you confirm that you are authorised to submit that data for processing.
12. Cookies and tracking
The Service uses only cookies and similar technologies that are strictly necessary for it to function. No advertising, marketing, profiling, or third-party analytics cookies are used, and no separate cookie consent banner is therefore required under the EU ePrivacy rules.
Specifically:
- Session cookie (set by this Service) — used to keep your selected options, pending modification request, and acceptance state during your visit. Marked HttpOnly and treated as essential. Expires after 30 minutes of inactivity or when the browser session ends.
- Anti-forgery cookie / token (set by this Service) — used to protect form submissions against cross-site request forgery (CSRF). Strictly necessary.
- Stripe cookies — when you proceed to payment you are redirected to Stripe Checkout (hosted by Stripe). Stripe sets its own cookies on its own domain for payment processing and fraud prevention, governed by Stripe's privacy policy linked in Section 6.
Server-side diagnostic telemetry (Application Insights) is used in this Service without the optional client-side JavaScript snippet, so it does not set browser cookies on your device.
13. Children
The Service is not directed at children under 16 and I do not knowingly collect their personal data.
14. Changes to this Policy
This Privacy Policy may be updated from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated through the Service.
15. Contact
For privacy, data protection, or file handling questions, contact:
- Email: z.salcius.sg@gmail.com
- Phone: +370 6209 0002 (support in English)