This Privacy Policy describes how Trackr Technologies ("Trackr", "we", "us") collects, uses, discloses, and protects information when you use the Trackr action-tracker application — our website, iOS app, Android app, and associated APIs (the "Service").
We've written this policy to be readable. If any clause is unclear, write to privacy@trackr.com and we'll explain or update.
1. Who we are
Trackr is operated by Trackr Technologies, a company registered in [Company jurisdiction]. The data controller for the purposes of GDPR, UK GDPR, and comparable laws is Trackr Technologies.
2. What we collect
2.1 Information you give us
- Account information — name, email address, password (stored as a one-way bcrypt hash, never reversible).
- Organisation information — company name, timezone, your role within the organisation.
- Action and meeting content — titles, descriptions, notes, due dates, assignments, files you upload as attachments.
- Communication — messages you send to support@trackr.com and responses to in-app feedback prompts.
2.2 Information collected automatically
- Technical metadata — IP address, device type, operating system, app version, browser user agent — logged in server access logs and retained for 90 days for security and debugging.
- Authentication tokens — we store a SHA-256 hash of your session token on the server; the token itself lives only in your browser cookie or mobile keychain.
- Push notification tokens — if you enable push notifications, we store the Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs) token associated with your device.
- Crash and performance data — if you opt in, we collect anonymised crash logs to diagnose bugs.
2.3 Information we do not collect
- We do not track you across other companies' apps or websites.
- We do not sell personal data to anyone. Ever.
- We do not use your content to train machine-learning models.
- We do not access your camera, microphone, photos, or location unless you explicitly trigger a feature that requires it.
3. How your data is protected
Security is the reason our customers trust Trackr with sensitive leadership information. The specifics:
- Field-level encryption at rest. Action titles, descriptions, notes, meeting titles, file metadata, and names are encrypted with AES-256-CBC using a per-deployment key that is never stored in the database. Even a full database dump looks like ciphertext to an attacker.
- TLS 1.2+ in transit. Every byte exchanged between your device and our servers is encrypted over HTTPS.
- Hashed credentials. Passwords use password_hash() with bcrypt (cost 12). We cannot recover your password if you forget it — you must reset it.
- Biometric lock. On mobile, you can require Face ID / Touch ID / fingerprint to open the app, adding a layer even if your phone is unlocked.
- Scoped access tokens. Session tokens are bound to a user + organisation and expire automatically.
- Audit logging. Every change to an action or meeting is logged with the user and IP address that made it.
- Least-privilege access. Only a small, named set of Trackr engineers can access production systems, and every access is logged.
4. How we use your data
| Purpose | What we use |
|---|---|
| Running the Service | Account info, action/meeting content, session tokens |
| Sending reminders you've asked for | Email, push token, due dates |
| Security and fraud prevention | IP address, device metadata, access logs |
| Customer support | Your messages, your account identifier |
| Billing (paid plans only) | Company name, billing address, payment identifier issued by our payment processor |
| Improving the product | Aggregated, anonymised usage patterns only |
5. Legal bases (GDPR / UK GDPR)
- Contract — processing needed to deliver the Service you signed up for.
- Legitimate interests — securing our Service, preventing abuse, debugging.
- Legal obligation — retaining tax, accounting, and billing records.
- Consent — push notifications, optional analytics, marketing emails. Withdrawable at any time.
6. Sharing with third parties
We share only the minimum necessary to run the Service. Our current sub-processors:
| Sub-processor | Purpose | Data seen |
|---|---|---|
| Cloudflare R2 | File attachment storage | Encrypted file blobs; no plaintext names |
| ZeptoMail / Brevo | Transactional email delivery | Recipient email + subject + body of the specific email |
| Firebase Cloud Messaging (Google) | Android push notifications | FCM token + opaque payload |
| Apple Push Notification service | iOS push notifications | APNs token + opaque payload |
| Our hosting provider | Running the application and database | Encrypted data at rest; TLS in transit |
We do not share your data with advertisers. We do not share it with data brokers. We do not share it with anyone else without a court order — and if one arrives, we review it carefully and notify you unless legally prohibited from doing so.
7. International transfers
Trackr operates primarily from servers in [region]. Some sub-processors may process data in other jurisdictions (for example, Google and Apple). Where transfers leave the EEA or UK, we rely on Standard Contractual Clauses as approved by the European Commission and the UK ICO.
8. Data retention
- Account data — kept for as long as your account is active.
- Closed action items — retained indefinitely so historic records remain searchable, but you can delete them individually at any time.
- Access logs — 90 days.
- Backup copies — encrypted backups retained for 30 days after your account is deleted, then permanently erased.
- Billing and tax records — 7 years, as required by law.
9. Your rights
Wherever you live, you have these rights over your data. Exercise any of them by emailing privacy@trackr.com from the email address on your account.
- Access — request a copy of the personal data we hold about you.
- Rectification — correct anything that's wrong.
- Erasure — delete your account. You can do this yourself at trackr.com/delete-account.
- Portability — export your data in a machine-readable format (CSV / JSON).
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to any processing we do on the basis of legitimate interests.
- Withdraw consent — for anything you consented to (push, analytics, marketing).
- Complain — to your local data-protection regulator (e.g. the UK ICO, Ireland's DPC).
10. Children
Trackr is not intended for use by anyone under 16 years of age. If you believe a minor has created an account, contact us and we'll delete it.
11. Cookies & local storage
We use a single first-party cookie (trackr_token) to keep you signed in. We do not use third-party tracking or advertising cookies. On mobile, the equivalent token is stored in the platform keychain.
12. Changes to this policy
If we make material changes, we'll notify you by email and in-app at least 30 days before the change takes effect. Minor clarifications (typos, reformatting) we publish silently.
13. Contact us
Questions, concerns, or requests:
- Email: privacy@trackr.info
- Security reports: security@trackr.info
Prefer the short version? Trackr does not sell your data, does not train AI on your data, encrypts your sensitive information, and lets you delete everything in one click via the deletion page. Everything else in this policy is the precise legal version of those sentences.