// LEGAL
PRIVACY_POLICY
Last updated: February 25, 2026 · Effective immediately
WHAT_WE_NEVER_COLLECT
- ✕ Your prompts, chats, or AI conversations
- ✕ Any text you type into AI tools
- ✕ AI-generated responses or content
- ✕ Browsing history outside of supported AI tool domains
- ✕ Payment card data (handled exclusively by Stripe)
1. DATA CONTROLLER
The data controller responsible for processing your personal data is:
We do not currently have a mandatory Data Protection Officer (DPO). For all privacy-related enquiries, contact us at privacy@aitrackr.io.
2. PERSONAL DATA WE COLLECT
2.1 Account Data
When you register or sign in:
- Full name and email address
- Profile picture URL (Google OAuth only — fetched from Google's CDN, not stored by us)
- Password (bcrypt-hashed, cost factor 12 — we never store plaintext passwords)
- Account creation timestamp and last login
2.2 Subscription Data
Information you manually enter about your AI subscriptions:
- Subscription name, provider, monthly cost, billing cycle
- Next billing date, category, features list, URL, notes
2.3 Usage Metadata (Chrome Extension — Pro plan only)
If you install the Chrome extension, we collect only:
- Domain of the AI tool visited (e.g.,
chat.openai.com) - Duration of the session in seconds
- Model or feature selected (inferred from page structure, e.g., "GPT-4o")
- A randomly-generated session ID (no link to any conversation content)
- Session timestamp
The extension does NOT read, store, transmit, or infer any text, prompts, responses, or page content.
2.4 Payment Data
All payment processing is handled by Stripe, Inc. We never see or store card numbers, CVVs, or bank details. We receive from Stripe only: your Stripe customer ID, subscription status (FREE/PRO), current plan price ID, and subscription period end date.
2.5 Technical / Log Data
Standard server logs include:
- IP address (used for rate limiting, retained max 7 days in logs)
- HTTP request method, path, status code, timestamp
- Browser user-agent string
We do not use cookies for analytics or advertising. See our Cookie Policy.
3. LEGAL BASIS FOR PROCESSING (GDPR ART. 6)
Processing your account data, subscription data, and usage logs to deliver the service you subscribed to.
Retaining transaction records for tax and accounting obligations (typically 7–10 years depending on jurisdiction).
Processing server logs for security, fraud prevention, rate limiting, and service reliability. Our legitimate interest is outweighed only where your fundamental rights take precedence — you may object at any time.
Sending marketing emails (product updates, tips). You can withdraw consent at any time via Settings → Email Preferences or by clicking "Unsubscribe" in any email.
4. DATA RETENTION
| DATA TYPE | RETENTION PERIOD | BASIS |
|---|---|---|
| Account & profile | Until deletion request + 30 days grace | Contract |
| Subscription records | Until deletion or account closure | Contract |
| Usage logs (extension) | Lifetime of account; deleted with account | Contract |
| Audit logs (GDPR actions) | 90 days | Legal obligation |
| Server / IP logs | Max 7 days rolling | Legitimate interest |
| Billing records (Stripe) | 7 years (tax compliance) | Legal obligation |
| Marketing consent records | Until withdrawal + 3 years | Legal obligation |
After you request account deletion, your data is soft-deleted immediately (you cannot log in) and hard-deleted within 30 days via an automated cron job, except where legal retention obligations require longer storage.
5. RECIPIENTS & THIRD-PARTY PROCESSORS
We share personal data only with the following processors under GDPR-compliant Data Processing Agreements (DPAs):
We do not sell your personal data to any third party. We do not use advertising networks or behavioural tracking tools.
6. INTERNATIONAL DATA TRANSFERS
Our primary server infrastructure is hosted by Hetzner Online GmbH in Germany (EU), meaning your data is stored within the European Economic Area (EEA) by default.
Stripe and Google are US-based companies. Data transfers to them are based on the EU–US Data Privacy Framework (DPF), an adequacy decision by the European Commission. Resend transfers are covered by Standard Contractual Clauses (SCCs) approved under Art. 46(2)(c) GDPR.
You may request a copy of the applicable transfer safeguards by emailing privacy@aitrackr.io.
7. YOUR RIGHTS UNDER GDPR (ART. 15–22)
As a data subject in the EEA, you have the following rights, which you can exercise at any time:
Obtain a copy of all personal data we hold about you.
→ Settings → Data & Privacy → Export Data
Correct inaccurate or incomplete personal data.
→ Settings → Profile
Request deletion of your personal data ("right to be forgotten").
→ Settings → Data & Privacy → Delete Account
Request that we restrict processing of your data in certain circumstances.
→ Email privacy@aitrackr.io
Receive your data in a structured, machine-readable format (JSON).
→ Settings → Data & Privacy → Export Data
Object to processing based on legitimate interests or for direct marketing.
→ Settings → Email Preferences or email us
We do not make decisions based solely on automated processing that produce legal or similarly significant effects.
→ N/A
We will respond to all verified requests within 30 days (extendable by a further 60 days for complex requests, with notification). There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
8. RIGHT TO LODGE A COMPLAINT
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. You may contact the data protection authority in your EU member state, or the authority where AiTrackr is established.
Information Commissioner's Office (ICO) — UK
Website: ico.org.uk
Slovenian Information Commissioner (IP RS) — if established in Slovenia
Website: ip-rs.si
Update with the DPA of the country where your business is registered.
We would appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at privacy@aitrackr.io.
9. SECURITY MEASURES
- All data transmitted via TLS 1.3 (HTTPS enforced)
- Passwords hashed with bcrypt (cost factor 12)
- API keys are per-user, stored as hashed values, rate-limited (100 req/15 min)
- Database hosted on encrypted Hetzner VPS in Germany
- No third-party tracking scripts, no analytics cookies
- Automated daily database backups with 30-day retention
- CSRF protection on all state-changing endpoints
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in compliance with GDPR Art. 33–34.
10. CHILDREN'S DATA
AiTrackr is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@aitrackr.io and we will delete such information promptly.
11. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users if the changes materially affect their rights
- Where required by law, obtain fresh consent
Continued use of the service after changes become effective constitutes acceptance of the updated policy.
12. CONTACT US
Privacy & Data Protection Enquiries
Email: privacy@aitrackr.io
General: hello@aitrackr.io
We aim to respond within 48 hours and resolve all requests within 30 days.