Privacy Policy

How we collect, use, and protect your personal data — in compliance with GDPR (EU 2016/679) and German data protection law.

Last updated: [DATE TO BE FILLED]

1. Data Controller

The data controller responsible for processing your personal data on this website is:

[COMPANY NAME]
[STREET ADDRESS]
[POSTAL CODE] [CITY]
[COUNTRY]

Email: [PRIVACY EMAIL — e.g., privacy@trackosteps.com]
Telephone: [PHONE NUMBER]

For all questions regarding data protection, please contact us via the email above.

2. What We Collect

We collect personal data only when necessary and in compliance with applicable data protection laws.

2.1 When You Visit Our Website

When you visit our marketing website, we use Plausible Analytics to understand how visitors interact with our content. Plausible is a privacy-friendly analytics tool that:

  • Does not use cookies
  • Does not store any data on your device
  • Does not collect personal data
  • Does not track you across websites or sessions
  • Stores all data on EU servers (Falkenstein, Germany)

Plausible generates aggregated, anonymous statistics from your IP address and User-Agent using a daily-rotated cryptographic hash. This data cannot be traced back to individual users. The hash salt is rotated and deleted every 24 hours.

Independent legal assessment confirms Plausible's GDPR and TTDSG compliance: https://plausible.io/data-policy

2.2 When You Sign Up for the Service

When you create an account on our SaaS platform (app.trackosteps.com), we collect:

  • Name and email address
  • Company name and business address
  • Billing information (processed by our payment provider)
  • Service usage data (orders, deliveries, drivers)

Note: Our marketing website (trackosteps.com) and SaaS application (app.trackosteps.com) are separate. Account creation, login, and personal data processing happen on the SaaS application — see its privacy policy for details.

2.3 When You Contact Us

If you contact us via email, contact form, or demo request, we collect the information you voluntarily provide (name, email, company, message). We use this data solely to respond to your inquiry.

4. Data Storage and Retention

All personal data is stored securely on EU-based servers. We retain personal data only as long as necessary:

  • Account data: For the duration of your subscription + 90 days after cancellation
  • Billing records: 10 years (German tax law requirement)
  • Support correspondence: 3 years
  • Aggregated analytics: 365 days

After these periods, data is permanently deleted or anonymized.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Service providers acting as data processors under GDPR Article 28 (e.g., hosting provider, payment processor)
  • Legal authorities when required by law
  • Business successors in the event of a merger or acquisition (with proper notice)

All processors are contractually bound by data processing agreements (DPAs) and operate within the EU or EEA.

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): Request deletion ("right to be forgotten")
  • Right to restriction (Art. 18): Limit how we process your data
  • Right to portability (Art. 20): Receive your data in a machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time

To exercise any of these rights, contact us at [PRIVACY EMAIL]. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the [BUNDESBEAUFTRAGTE FÜR DEN DATENSCHUTZ — relevant state authority].

7. Cookies and Tracking

Our marketing website uses no cookies for tracking, analytics, or marketing. The only cookies that may be set are:

  • Strictly necessary cookies for site functionality (e.g., session cookies for the CMS, set only on /cp/ admin paths)

No consent banner is required because we do not use cookies that require consent under TTDSG §25 or GDPR. See our Cookie Policy for full details.

8. International Data Transfers

All your personal data is processed and stored within the European Union (EU) or European Economic Area (EEA). We do not transfer personal data to third countries outside the EU/EEA without your explicit consent or a valid legal mechanism (Standard Contractual Clauses, etc.).

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • TLS encryption for all data in transit
  • Encrypted storage at rest
  • Regular security audits
  • Access controls and authentication
  • Data minimization principles

10. Children's Privacy

Our services are intended for businesses and adults. We do not knowingly collect personal data from children under 16.

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. The "Last Updated" date at the top of this page indicates when changes took effect. Material changes will be communicated via email to active users.