Privacy Policy — Trackmate.io

1. Introduction

This Privacy Policy describes how the operator of Trackmate.io (the “Service”) collects, processes, stores, and discloses personal data in connection with the provision of its SaaS analytics and operations dashboard. The Service is operated by a company registered in the Netherlands; full legal details are set out in Section 19 of this document.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the data practices described in this policy. If you do not agree, you must discontinue use of the Service immediately.

We are committed to processing personal data in a lawful, fair, and transparent manner in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), the Dutch Implementation Act (Uitvoeringswet AVG), and all other applicable data protection legislation. Where users are located outside the European Economic Area (“EEA”), we apply standards equivalent to those required by the GDPR.

This policy applies to all personal data processed in connection with the Service, including data provided directly by users, data collected automatically through use of the Service, and data retrieved from third-party platforms that users choose to connect to their account.

2. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

“Service” — The Trackmate.io SaaS platform, including all software, interfaces, APIs, features, and related services provided by us.
“Controller” — The natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
“Processor” — A natural or legal person who processes personal data on behalf of the Controller.
“Customer” — A business or individual entity that has subscribed to and uses the Service.
“User” or “End User” — A natural person authorized by a Customer to access and use the Service.
“Third-party data subject” — A natural person whose personal data is contained in a Customer's connected third-party systems (e.g., a consumer who placed an order in the Customer's Shopify store), who is not a direct user of the Service.
“Customer Data” — All data, including personal data, that a Customer imports into, generates through, or makes available to the Service via connected integrations or direct input.
“Sub-processor” — A third party engaged by us to process personal data on behalf of a Customer.
“Personal Data” — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
“Processing” — Any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.

3. Roles Under GDPR

3.1 We as Controller

We act as an independent data controller with respect to personal data of our own Users and Customers, including account registration data, billing data, usage and log data, and support communications. In this capacity, we determine the purposes for which that data is processed and are fully responsible for ensuring lawful processing thereof.

3.2 We as Processor

When Customers connect third-party platforms (such as Shopify, Google Ads, or other integrations) to the Service, we access and process data from those platforms purely on the Customer's instruction and on their behalf. In respect of personal data relating to the Customer's own end customers and third-party data subjects, the Customer is the data controller and we act solely as a data processor. We do not make independent determinations regarding the purposes or means of processing such data; we process it only to the extent necessary to display it within the Service interface to the Customer.

3.3 No Independent Use of Customer Data

We do not analyze, profile, sell, or otherwise use Customer Data for any purpose beyond the technical operation of the Service. Customer Data processed on behalf of a Customer does not become our data; it remains the Customer's data at all times.

4. Personal Data We Collect

4.1 Data You Provide Directly

Account and registration data: Full name, email address, company name, job title, password (stored in hashed and salted form only — we never store plaintext passwords).
Billing and payment data: Billing name, billing address, VAT number where applicable. Payment card details are collected and processed exclusively by our payment processor (Stripe, Inc.) and are never transmitted to or stored on our systems.
Support and communications: Content of messages, emails, or other communications you send to us, including support requests and feedback.
Configuration and preferences: Dashboard settings, notification preferences, team member roles and permission configurations, integration settings.

4.2 Data Collected Automatically

Log and access data: IP address, browser type and version, operating system, pages and features accessed, timestamps, HTTP response codes, referring URLs.
Session data: Authentication session identifiers stored in cookies (see Section 10).
Device and environment data: Screen resolution, device type, timezone — collected solely for the purpose of correctly rendering the Service interface.

4.3 Data Retrieved from Third-Party Integrations

When you connect a third-party integration (including but not limited to Shopify, Google Ads, Gorgias, Klaviyo, Zendesk, Reamaze, and ParcelPanel), we retrieve data from those platforms via their respective APIs on your instruction. This data is processed solely to display it within your dashboard and may include, depending on which platforms you connect:

Order data: order IDs, order values, order status, fulfillment information, product details, discount codes used.
Customer data: customer names, email addresses, shipping and billing addresses, purchase history, customer tags.
Financial and payment data: revenue figures, refund data, Shopify payment processing fees, dispute information, payout records.
Advertising and analytics data: campaign names, ad spend figures, impression and click data, conversion metrics.
Customer service data: support ticket summaries, customer message counts, response times.
Subscription and logistics data: subscription plan details, shipment tracking statuses.

Important: All third-party data is retrieved and processed solely on your instruction as Customer. If you disconnect an integration, we immediately cease retrieving data from that source. We do not retain third-party synced data beyond what is technically necessary for the operation of the Service, and we delete it within 90 days of disconnection or account termination.

5. Legal Bases for Processing

All processing of personal data by us is based on one of the following legal bases under Article 6 GDPR:

Processing Activity	Legal Basis	Details
Account creation and management	Art. 6(1)(b) — Contract	Necessary to provide the Service pursuant to our agreement
Billing and invoicing	Art. 6(1)(b) — Contract	Necessary for the subscription relationship
Retention of financial records	Art. 6(1)(c) — Legal obligation	Dutch tax law (Artikel 52 AWR) requires 7-year retention
Security monitoring, fraud prevention	Art. 6(1)(f) — Legitimate interests	Protecting the integrity and security of the Service
Service improvement and debugging	Art. 6(1)(f) — Legitimate interests	Maintaining and improving the technical performance of the Service
Marketing emails (opt-in only)	Art. 6(1)(a) — Consent	Only where you have explicitly opted in; withdrawable at any time
Processing Customer Data on behalf of Customers	Art. 6(1)(b) + Art. 28 — Contract / Processor role	Pursuant to the Data Processing Agreement

6. How We Use Your Data

We use the personal data we collect solely for the following purposes:

To create, maintain, and authenticate user accounts.
To provide, operate, maintain, and improve the Service.
To process subscription payments, issue invoices, and manage billing.
To send transactional communications strictly related to your use of the Service (account notifications, security alerts, invoices, service status updates).
To respond to support requests and provide customer service.
To monitor the security, stability, and performance of the Service and to detect, investigate, and prevent fraud, abuse, and unauthorized access.
To comply with applicable legal obligations.
To enforce our Terms of Service and this Privacy Policy.

We do not use personal data for automated profiling, automated decision-making with legal or significant effects, or for any purpose unrelated to the operation and improvement of the Service.

7. No Sale of Personal Data

We do not sell, rent, lease, or otherwise transfer personal data — including Customer Data and data of third-party data subjects — to any third party for commercial consideration or for that third party's own marketing or business purposes. This applies without exception, regardless of whether such data relates to Users, Customers, or end customers of our Customers.

We do not use Customer Data or third-party data subject data to build advertising profiles, to serve targeted advertising to any person, or to train machine learning models for purposes unrelated to operating the Service.

8. Data Sharing and Disclosure

8.1 Sub-processors

We engage the following categories of sub-processors in the delivery of the Service. All sub-processors are bound by data processing agreements and are subject to appropriate safeguards for international data transfers where applicable:

Sub-processor	Purpose	Location	Transfer Mechanism
Supabase, Inc.	Relational database hosting and authentication infrastructure	United States	Standard Contractual Clauses (SCCs)
Stripe, Inc.	Payment processing and subscription management	United States	Standard Contractual Clauses (SCCs)
Vercel, Inc.	Application hosting, serverless compute, edge delivery	United States	Standard Contractual Clauses (SCCs)
Google LLC	Google Ads API access (Customer-authorized)	United States	Standard Contractual Clauses (SCCs)
Shopify Inc.	Shopify API access for order and store data (Customer-authorized)	Canada / United States	Adequacy decision (Canada) / SCCs

8.2 Disclosure Required by Law

We may disclose personal data to competent authorities, courts, or law enforcement agencies where required to do so by applicable law, court order, or binding governmental directive. Where permitted by law, we will attempt to notify the relevant Customer or User of any such disclosure in advance.

8.3 Protection of Rights

We may disclose personal data where we reasonably believe in good faith that such disclosure is necessary to protect our rights, property, or safety, or that of our users or the public, provided such disclosure is proportionate and minimized to what is strictly necessary.

8.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or a substantial portion of our assets, personal data held by us may be transferred as part of that transaction. We will provide reasonable advance notice to affected users and Customers and, to the extent possible, ensure continuity of data protection commitments.

8.5 No Other Disclosure

We do not share personal data with any third party other than as described in this Section 8. In particular, we do not share personal data with data brokers, advertisers, or any entity for purposes unrelated to the provision of the Service.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to any applicable legal retention obligations. The following retention periods apply:

Data Category	Retention Period	Basis
Account and profile data	Duration of active subscription + 2 years after termination	Contractual necessity; dispute resolution
Billing and invoice records	7 years from date of transaction	Dutch tax law (Artikel 52 AWR); EU VAT obligations
Log and security data	12 months from creation	Security monitoring; incident investigation
Support communications	3 years from last interaction	Legitimate interests; warranty / dispute purposes
Third-party synced data (Customer Data)	Only stored while integration is actively connected; deleted within 90 days of disconnection or account termination	Processor role; Customer instruction
Database backups	Up to 30 days rolling backup window	Business continuity
Anonymized/aggregated analytics	Indefinite (no personal data retained)	Cannot identify individuals; not subject to retention limits

Upon expiry of the applicable retention period, we delete or irreversibly anonymize personal data. Upon written request following account termination, we can accelerate deletion subject to any overriding legal retention obligations.

10. Cookies and Local Storage

The Service uses a strictly limited set of storage technologies, all of which are technically necessary for the Service to function. We do not use any cookies or local storage mechanisms for advertising, tracking, or analytics purposes.

Cookie / Storage	Purpose	Duration
Authentication session cookie	Maintains your authenticated session so you remain logged in	Session end or up to 7 days (with “Remember me”)
CSRF protection token	Prevents cross-site request forgery attacks on form submissions and API calls	Session duration
OAuth state cookie	Validates the integrity of OAuth authorization flows when connecting third-party integrations	10 minutes (temporary)
Browser local storage	Stores UI preferences such as selected currency and date range settings — contains no personal data	Persists until cleared by user

We do not set any third-party cookies. You may disable cookies through your browser settings; however, disabling session cookies will prevent you from logging in and using the Service.

11. Data Processing Agreement

By accepting our Terms of Service, Customers enter into a data processing agreement (“DPA”) with us as required by Article 28 GDPR, pursuant to which we act as a data processor for Customer Data. The key terms of this DPA are as follows:

Instruction: We process Customer Data only on documented instructions from the Customer and for no other purpose.
Confidentiality: All personnel authorized to process Customer Data are bound by contractual confidentiality obligations.
Security: We maintain appropriate technical and organizational security measures as described in Section 12.
Sub-processing: We engage sub-processors only as listed in Section 8.1 and impose data protection obligations on them equivalent to those in this DPA.
Data subject rights: We assist Customers in responding to data subject rights requests relating to Customer Data processed on their behalf, to the extent technically feasible.
Deletion and return: Upon termination, we delete or return Customer Data as directed by the Customer, subject to legal retention obligations.
Audits: We make available upon reasonable written request all information necessary to demonstrate compliance with Article 28 GDPR and permit Customer-conducted audits (subject to reasonable confidentiality protections).
Breach notification: We notify Customers without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Data processed on their behalf.

A standalone DPA document is available upon written request.

12. Security Measures

We implement and maintain a comprehensive set of technical and organizational security measures designed to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include, without limitation:

Encryption of all data in transit using TLS 1.2 or higher.
Encryption of data at rest using AES-256 encryption.
Database-level Row-Level Security (RLS) ensuring that each Customer can access only their own data.
Hashed and salted password storage; plaintext passwords are never stored or logged.
Strict least-privilege access controls for all internal systems and personnel.
Regular security reviews and dependency vulnerability audits.
Automated session expiry and re-authentication requirements.
Secure, isolated environments for development, staging, and production.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely immune to security risks. While we apply commercially reasonable and industry-standard measures, we cannot guarantee absolute security against all possible threats. In the event of a personal data breach, we will comply with our notification obligations under applicable law.

13. Data Accuracy and Display Disclaimer

The Service retrieves and displays data from third-party platforms and APIs on the Customer's behalf. We have no control over the accuracy, completeness, timeliness, or integrity of data held by those third-party platforms or transmitted via their APIs. Accordingly:

We make no representations or warranties regarding the accuracy or completeness of any data displayed within the Service.
We are not responsible for errors, omissions, or discrepancies arising from third-party APIs, platform outages, API version changes, or data processing delays on the part of third-party platforms.
Data displayed in the Service is provided for informational purposes only. Customers should independently verify any data before relying on it for business, financial, legal, or operational decisions.

We accept no liability for any loss or damage arising from reliance on data displayed in the Service that originates from third-party sources.

14. International Data Transfers

The Service is operated from the Netherlands and data is processed within the European Economic Area (“EEA”) and by sub-processors located in third countries, including the United States. Where personal data is transferred outside the EEA to a country that has not received an adequacy decision from the European Commission, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, specifically:

Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
Transfer Impact Assessments (TIAs) conducted as required to assess and address risks associated with transfers to specific third countries.

Copies of the applicable SCCs or references thereto are available upon written request.

15. Your Rights Under GDPR

Where we act as a data controller (in respect of your own account data), you have the following rights under the GDPR, exercisable at no cost and without undue delay:

Right of access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy thereof.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data concerning you.
Right to erasure (Art. 17): Request deletion of your personal data where processing is no longer necessary, where consent has been withdrawn, or where processing is unlawful — subject to overriding legal retention obligations.
Right to restriction of processing (Art. 18): Request that we temporarily suspend or restrict processing of your personal data in certain circumstances.
Right to data portability (Art. 20): Receive personal data you have provided to us in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing of your personal data carried out on the basis of legitimate interests, on grounds relating to your particular situation.
Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right not to be subject to automated decision-making (Art. 22): We do not carry out any automated decision-making that produces legal or similarly significant effects.

To exercise any of the above rights, submit a written request to the contact address provided in Section 19. We will respond within 30 days of receipt of your request. We may request reasonable verification of your identity before processing any request.

You also have the right to lodge a complaint with the competent supervisory authority at any time. The lead supervisory authority for the Netherlands is the Autoriteit Persoonsgegevens.

Note for third-party data subjects: If you are an individual whose personal data appears in our Service because you are a customer of one of our Customers (e.g., your order data appears in a Shopify store connected to Trackmate), we act as a processor on behalf of that Customer. Please direct any rights requests to the relevant store operator directly. We will assist them in fulfilling such requests upon their documented instruction.

16. Children's Privacy

The Service is intended exclusively for use by businesses and professionals. It is not directed to, and we do not knowingly collect personal data directly from, individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take reasonable steps to delete such data promptly. If you have reason to believe that a child has provided us with personal data, please contact us.

17. Third-Party Links and Integrations

The Service may contain links to, or integrate with, third-party websites, services, or applications. This Privacy Policy applies only to the Service and does not govern the data practices of any third party. We have no responsibility or liability for the content, privacy policies, or data practices of any third-party websites or services, including those accessible via integrations. We encourage you to review the privacy policies of any third-party services you use in connection with the Service.

18. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, the Service, applicable law, or for other operational, legal, or regulatory reasons. We will notify you of any material changes by sending an email notification to the address associated with your account at least 14 days before the updated policy takes effect.

The “Effective date” at the top of this page indicates when the current version was last revised. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the revised terms.

19. Contact and Legal Entity Details

For any questions, requests, or complaints regarding this Privacy Policy or our data processing practices, please contact us using the details below. We will respond to all privacy-related inquiries within 30 days.

Trackmate.io is operated by:

MLRD Commerce

Aadijk 35a, 7702 PP Almelo, Netherlands

KvK (Chamber of Commerce): 99204126

Email: mlrdcommerceapp@gmail.com

Supervisory authority: Autoriteit Persoonsgegevens · autoriteitpersoonsgegevens.nl