1) Who We Are
BENC ELEKTRONIK (trading as “Benc Motorsport”) (“we”, “us”, “our”) develops and sells the "Wreet" file calculator for repairing car electronics.
- Website: https://benc-motorsport.com
- Product: Wreet (software)
- Data Controller: BENC ELEKTRONIK (trading as Benc Motorsport)
- Registered/Operating Country: Croatia (EU)
- VAT ID: HR46540246369
- Contact: info@benc-motorsport.com
2) Data We Collect
- Contact & Account Data — name, email, company, VAT details (if provided), and messages sent to support.
- Transaction Data — pre-order selections, prices, currency, timestamps. Payment card data is handled by our payment processor (see Payments).
- Technical Data (Web) — device/browser information, public IP address, HTTP headers, approximate network-based location, and server logs used for security, performance, and debugging. Approximate location is inferred from network information; this Policy does not claim that Wreet collects GPS or precise device location.
- Login & Licensing Records — login dates and times, activation and deactivation events, hardware identifiers, public IP addresses, approximate network-based location, license-validation events, and registered-device history.
- Usage & Processing Records — feature usage, API requests, upload and download history, file-processing history, security events, error events, performance metrics, and related operational logs. We do not use ECU file contents for advertising.
- Marketing Preferences — opt-in to emails, unsubscribes, and related communication settings.
-
Desktop App Identifiers & Device Binding —
technical signals used to derive a persistent, Wreet-specific hardware identifier, including (for example) Windows Machine GUID, SMBIOS/board UUID, and CPU identifier, which are combined and
cryptographically hashed into a unique hardware ID; your computer name and OS username; a non-exportable device key stored on your device (only its public key is sent to us);
and request metadata such as headers (
X-Hardware-ID,X-App-Client) and cookies used for licensing, authentication, security, and enforcement of the two-computer limit. Navigation and requests inside the desktop app are limited to our own domains and services. - Security & Integrity Signals — information derived from checks for debuggers, instrumentation/profilers, and certain remote-control/screen-sharing tools. These checks are primarily performed locally to protect against tampering and unauthorized access. Where necessary, we may log that an instrumentation or integrity issue was detected.
- Contract-Signing Data — first name, last name, email (from your account), street address, postal code, city, country, agreement checkbox, drawn signature (PNG/base64), typed full name, and a generated PDF of the signed agreement.
3) How We Use Data
- Provide and improve Wreet; fulfill orders/pre-orders; deliver updates and support.
- Validate licenses and device binding, enforce the two-computer limit, detect account or license sharing, and investigate disputed usage.
- Generate and store legally binding digital agreements (subscription contracts).
- Analyze login, activation, location, processing, performance, and normal usage patterns for security, fraud prevention, support, troubleshooting, and to detect or investigate abuse, tampering, reverse engineering, or sharing.
- Process payments and send purchase confirmations, service messages, and critical notices.
- Comply with legal obligations (invoicing, accounting, tax/VAT, record-keeping).
- With consent: send product news, promotions, onboarding tips, and other marketing communications.
4) Legal Bases (GDPR)
- Contract — to deliver the services/features you request, manage your account, and conclude/perform subscription agreements.
- Legitimate Interests — product improvement, ensuring service reliability, information security, license validation, device binding, and targeted anti-abuse and anti-tampering measures.
- Consent — optional marketing emails and certain non-essential cookies or analytics where required.
- Legal Obligation — tax, accounting, regulatory compliance, and retention of contract records and related evidence.
Where processing is based on our legitimate interests, we have carried out a Legitimate Interests Assessment (LIA) to ensure that such processing is necessary, proportionate, and balanced against the rights and freedoms of data subjects. We apply safeguards such as data minimization, hashing or derivation of identifiers, limited retention, and access controls to reduce privacy impact.
5) Desktop App & Contract Signing
5.1 Desktop App Identifiers & Device Binding
The Wreet Desktop App is designed as a secure shell that only loads our own web application on approved domains. To protect the service and enforce licensing, the app:
- Derives a Wreet-specific hardware ID from certain system identifiers (such as Windows Machine GUID, SMBIOS UUID, and CPU identifier). These values are combined and hashed into a token (e.g.
wreet1-…) before being used or transmitted. - Generates a non-exportable cryptographic device key (ECDSA P-256). The private key remains on your device; the public key may be sent to our servers to enable secure device verification.
- Includes headers such as
X-Hardware-IDandX-App-Client, and a secure cookie, on requests to our services for authentication, licensing, anti-fraud and integrity checks. - Restricts in-app navigation to our service domain; external links are opened in your system browser, not inside Wreet.
These measures allow us to recognize compliant clients, detect cloned or tampered builds, and link a subscription to authorized devices without exposing raw hardware identifiers more than necessary.
A subscription may be registered on up to two computers belonging to the same customer or registered business. To enforce that limit and detect sharing, we may compare hardware identifiers with public IP address, approximate network-based location, login and activation history, license-validation events, and normal usage patterns. Exact IP matching is not required because IP addresses change. Regular use from unrelated distant countries may prompt verification, suspension of the second activation, or an access restriction. Normal temporary travel is allowed where legitimate use can be verified.
We design these mechanisms in accordance with the principle of data minimization. Raw system identifiers are not stored where derived or hashed values are sufficient, and hardware-related data is used solely for licensing, security, and integrity purposes and not for marketing, profiling, or tracking users across unrelated services.
5.2 Contract Signing (Digital Agreement)
When you sign the Service Subscription Agreement, we collect: your first name, last name, email, address (street, postal code, city, country), your acceptance checkbox, your drawn signature (PNG/base64) and typed full name. We generate a PDF of the agreement containing this information. PDFs are stored securely (e.g., in Azure Blob Storage), typically under a filename derived from your email (or similar identifier), and are retained as part of our contractual and legal records.
5.3 Telemetry, Anti-Abuse & Remote-Control Detection
We may use login dates and times, activation and deactivation events, hardware identifiers, public IP addresses, approximate network-based location, license-validation events, feature usage, API requests, upload and download history, file-processing history, and security and error logs to verify licenses, enforce the two-computer limit, detect account sharing, prevent fraud, provide support, troubleshoot problems, investigate disputed usage, and maintain service integrity.
The desktop app locally checks for certain remote-control or screen-sharing tools (e.g., AnyDesk, TeamViewer, VNC variants and similar) by comparing running process names against a predefined list. If such software is detected:
- Wreet may log you out and close the application to protect your data and our service.
- The check is performed locally; we do not transmit a full list of your running processes. Only the fact that a disallowed condition exists may be logged or used to enforce our security policy.
These checks do not involve continuous monitoring of user behavior, keystrokes, screen contents, or communications. They are limited to determining the presence or absence of predefined technical conditions required to protect the integrity and security of the Wreet software and services.
5.4 Anti-Debugging & Integrity Protection
To prevent tampering, the desktop app may:
- Detect active debuggers, profilers, or known instrumentation frameworks.
- Check for suspicious modules or abnormal timing behavior that suggests instrumentation.
- Verify that the running binary matches an expected integrity fingerprint obtained from our server.
If such conditions are detected, the app may refuse to run, perform a logout, and/or record a minimal diagnostic log entry. These checks are aimed solely at protecting the security and integrity of Wreet and our users.
5.5 Automated Security Decisions
Certain security and integrity measures within Wreet are applied automatically, such as temporary access restrictions, session termination, or refusal to run the application where integrity or licensing violations are detected.
These measures are necessary to protect our services, intellectual property, and users. Where such actions have a significant effect, users may contact us to request information, express their point of view, or seek human review of the decision.
6) Cookies & Tracking
We use necessary cookies or similar browser storage for authentication, security, requested website functions, and remembering your cookie-consent choice. Necessary technologies operate without optional consent where permitted by law. Optional external media, such as the Google Maps embed on our Contact page, remains blocked until you allow the External Media category. When enabled, the external provider may receive your IP address and device/browser information and may set its own cookies. We do not currently enable optional analytics cookies. If optional analytics are introduced, they will not load before the required consent is obtained. You can accept or reject optional services through the consent banner and change your selection at any time by using the Cookie Settings button.
7) Payments
Payments are processed by third-party providers (e.g., PayPal). We do not store full payment card details on our servers. Your payment data is handled under the processor’s own terms and privacy notices.
8) Sharing & Disclosure
- Service Providers — hosting (e.g., Microsoft Azure), Google Apps Script endpoints used by website forms and checkout/order workflows, payment processors such as PayPal, email delivery, logging/monitoring, and customer support tools. Their access is limited to what is necessary to perform services for us.
- Legal — where necessary to comply with law, enforce our terms, investigate suspected fraud, abuse, or security incidents, or protect our rights, users, or the public.
- Business Transfers — in connection with a merger, acquisition, or sale of assets, in which case data may be transferred under appropriate safeguards.
9) Data Retention
- Contract Data and Signed PDFs — retained for the duration of your subscription/relationship and for mandatory legal/accounting periods and defense of legal claims.
- Hardware IDs, Device Keys, IP/Location Signals, Activation History, and Licensing Data — retained as long as reasonably necessary for licensing, enforcement of the two-computer limit, security, integrity protection, dispute investigation, and enforcement of our terms.
- Usage and Security Logs — retained for operational and security purposes, typically for limited periods, unless longer retention is required for incident investigation, legal purposes, or statutory obligations.
When data is no longer required, we take steps to securely delete or irreversibly anonymize it.
10) Security
- Use of TLS/HTTPS for communication with our services.
- Encryption at rest for sensitive data stored in our infrastructure where appropriate.
- Use of Windows DPAPI and non-exportable keys for protecting certain secrets on the client device.
- Hashing and tokenization of hardware identifiers before or during transmission (we work with derived identifiers rather than relying on raw values wherever possible).
- Restriction of the desktop app’s embedded browser to our own domains; external links open in the user’s default browser.
- Automatic denial of risky WebView2 permissions (such as built-in basic auth prompts or certain device access) within the desktop shell.
- Integrity checks, anti-debugging, and remote-control detection mechanisms to prevent unauthorized access, tampering, or abuse.
- Access controls and least-privilege principles for staff and systems handling personal data.
No method of transmission or storage is 100% secure, but we actively maintain and improve technical and organizational measures to protect your information.
11) Your Rights (EEA/UK)
- Access your personal data.
- Request correction of inaccurate or incomplete data.
- Request deletion of your data, subject to legal/contractual retention requirements.
- Request restriction of processing in certain circumstances.
- Object to processing based on our legitimate interests.
- Request data portability where applicable.
- Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
- Lodge a complaint with your local supervisory authority.
Please note that certain data may need to be retained despite a deletion request where required to comply with legal obligations, establish, exercise or defend legal claims, or enforce our contractual terms, including the prevention of fraud, abuse, or unauthorized use of the software.
To exercise your rights, contact us at info@benc-motorsport.com.
12) International Transfers
We aim to process and store data in the EEA (for example, using Azure EU regions such as Germany West Central). Where data is transferred outside the EEA/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) or other mechanisms permitted by applicable law.
13) Children’s Privacy
Wreet is intended for professional and business use. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
14) Pre-Purchase Digital Agreement
15) Changes to This Policy
We may update this Policy from time to time. We will update the “Effective date” above and, where appropriate, notify you of significant changes through the website, within the Wreet app, or by email.
16) Contact Us
Questions about this Policy or your data?
- Email: info@benc-motorsport.com
- Company: BENC ELEKTRONIK (trading as Benc Motorsport), Croatia (EU) — VAT ID: HR46540246369