Chiptuningfile
← Back to home

Trust & Security

Last updated: 22 June 2026

This page is maintained by Dynochiptuningfile (also operating as Portalchiptuningfile) to answer common security and privacy questions about the dealer portal. It describes the controls we have enabled today. It is editable project content and is not an independent certification or audit report.

Shared responsibility

Dynochiptuningfile is responsible for the application code, access controls and data handling described below. The portal runs on the Lovable platform, which provides the underlying hosting, database, authentication and email delivery infrastructure. Our dealers are responsible for keeping their account credentials confidential and only uploading files for vehicles they are authorised to work on.

Access & authentication

Every dealer signs in with their own e-mail address and password, or with Google single sign-on. Passwords are stored as salted hashes by the authentication provider — we never see or store the plain password. Sessions are issued as short-lived bearer tokens that are automatically refreshed by the browser client.

Administrative actions in the portal (approving payments, uploading tuned files, replying to support, managing dealers) are restricted to accounts with an explicit admin role. The role is stored in a separate access-control table and enforced server-side on every request.

Data collection & use

We process the account, billing, vehicle, file and communication data needed to deliver the tuning service and to comply with our legal obligations. Full details, retention periods and lawful bases are described in our Privacy statement.

Original and tuned ECU files are uploaded to a private storage bucket. They are only accessible through short-lived signed URLs that are generated on demand for the dealer who owns the file or for an authenticated admin.

Database protection

Every table that holds dealer or customer data has row-level security enabled. Dealers can only read and modify their own rows; cross-dealer access is blocked at the database layer, not only in the UI. Sensitive fields on a tuning request (status, credits consumed, file paths, admin notes) can only be changed by an admin account.

Privileged server operations (refunds, credit adjustments, account deletion, admin updates) are exposed as audited server-side functions that re-check the caller's role before running.

Payments & invoices

Card and Apple Pay / Google Pay payments are processed by Revolut Merchant. We do not see or store card numbers. Bank transfers are approved manually by an admin after the funds are received. Every successful payment generates an invoice that is stored in the dealer's account and can be downloaded at any time.

E-mail

Account, support and transactional e-mails are sent through the Lovable email infrastructure from our verified sender domain notify.portalchiptuningfile.com. Bounces and unsubscribe requests are recorded automatically so we stop sending to addresses that no longer want our messages. We do not run marketing or newsletter campaigns from this portal.

Subprocessors

We rely on a small number of subprocessors to operate the portal: Lovable (hosting, database, authentication, e-mail), Revolut (payments), and Google (Sign-in for dealers who choose it). Communication with these services happens over TLS.

Data retention & deletion

Dealers can request deletion of their account from the account page. When an account is deleted, the dealer profile, support tickets and uploaded files are removed. Invoices and the underlying payment records are retained for the period required by Dutch tax law (currently 7 years) and are no longer linked to an active account afterwards.

Reporting a security issue

If you believe you have found a vulnerability or are seeing unexpected access to data, please contact us through the contact form or via the support chat inside your dealer dashboard. We will acknowledge serious reports within a few business days.

Compliance

We process personal data in line with the EU General Data Protection Regulation (GDPR). This page is not a SOC 2, ISO 27001 or PCI DSS certification statement. We do not claim independent audit coverage; if you need formal documentation for a procurement review, please reach out via the contact form.