Table of Contents
- Purpose and Scope
- Principles applicable to the protection of Personal Data
- Legal basis for the processing of Personal Data
- Role of STRACKR
- Categories of Personal Data processed
- As Data Controller
- As Data Processor
- Purpose and legal base for processing
- Processing as a Data controller
- Processing as a Data processor
- Recipients of Personal Data
- Third-party service providers
- Security of Personal Data
- Transfer outside the EU
- Data Subjects Rights
- Principles
- Exercising your rights
- Data Protection Officer (DPO)
- Complaints to the CNIL
- Personal Data of minors
- Independent responsibility
- Statistics and analytics
- Cookies
- Updating the Privacy Policy
- Annex 1 - List of third-party service providers
1. Purpose and Scope
At STRACKR, protecting your Personal Data is a priority. STRACKR may process Personal Data of Clients, Authorized Users and Website visitors.
The purpose of this Personal Data Protection Policy (hereinafter the “Privacy Policy”) is thus to provide you with clear and transparent information about how we collect, use, store, process, share, and protect your Personal Data, in strict compliance with the applicable regulations, namely:
- the EU General Data Protection Regulation 2016/679 (hereinafter the “GDPR”);
- the French Law No. 78-17 of January 6, 1978 on information technology, files, and civil liberties, amended by the Law of June 20, 2018 (hereinafter the “French Data Protection Act”);
- and the recommendations of the French National Commission for Information Technology and Freedoms (hereinafter the “CNIL”).
The Privacy Policy applies to all services offered through:
- the Website https://strackr.com and its subdomains;
- the Application available via Apple Store and Google Play;
- the subscription-based Service provided to Clients.
It applies to anyone using the Website or Application, including Clients, Authorized Users and visitors to the Website.
By using the Website or the Service, you acknowledge that you have been informed of the processing of your Personal Data in accordance with this Privacy Policy.
The Privacy Policy forms an integral part of the contractual terms governing the relationship between STRACKR and its Clients, together with the Subscription Agreement, Terms, the Cookie Policy and the Data Processing Agreement.
Any capitalized term used in this Privacy Policy is defined in the Terms.
2. Principles applicable to the protection of the Personal Data
In accordance with article 5 of the GDPR, your Personal Data is processed following the principles stated below:
- Lawfulness, fairness, and transparency: Personal Data is collected and processed in a lawful, fair, and transparent manner. Data Subjects are clearly informed of the purposes of the processing, their rights, and the identity of the data controllers.
- Purpose limitation: data is collected for specific, explicit, and legitimate purposes. It is not used subsequently in a manner incompatible with those purposes.
- Data minimization: only data that is necessary for the purposes pursued is collected. STRACKR is committed to not collecting excessive or irrelevant data.
- Accuracy and updating: measures are in place to ensure that data is accurate, complete, and, where necessary, updated. Any inaccurate data is corrected or deleted as soon as possible.
- Storage limitation: data is only stored for as long as is necessary to achieve the purposes of the processing, or in accordance with legal and regulatory obligations.
- Security, integrity, and confidentiality: STRACKR implements appropriate technical and organizational measures to ensure data security and prevent unauthorized access, loss, alteration, or unauthorized disclosure.
- Accountability: STRACKR is able to demonstrate, at any time, that its processing complies with the applicable principles. This requirement is reflected in rigorous documentation, the maintenance of a processing register, the performance of impact assessments (PIA), and the awareness of teams.
- Respect for individual rights: Data Subjects may exercise their rights (access, rectification, erasure, objection, restriction, portability, withdrawal of consent) at any time, under the conditions provided for by law and under this Privacy Policy. STRACKR facilitates the exercise of these rights and responds to requests within the required time limits.
3. Legal basis for the processing of the Personal Data
In accordance with Article 6 of the GDPR, the processing and collection of your Personal Data by STRACKR is alternatively based on one or more of the following legal grounds:
- Consent: Where required by applicable law, STRACKR relies on the Data Subject’s prior, free, specific, informed and unambiguous consent. This may apply, in particular, to: the sending of optional marketing communications; or the use of non-essential cookies or similar technologies (where applicable). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Performance of the Contract: processing is necessary for the performance of the Contract between you and STRACKR or for the implementation of pre-contractual measures at your request (e.g., creation and management of Accounts, provision of Services, management of subscription and billing, customer support, access control and authentication mechanisms).
- Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by STRACKR, except where such interests are overridden by the rights and freedoms of the Data Subject. Such legitimate interests include, in particular:
  - ensuring the security, integrity and availability of the Website, Application and Service;
  - fraud prevention and detection;
  - prevention of unauthorized access;
  - internal analytics and improvement of the Service;
  - business-to-business communications relating to similar services;
  - management and defense of legal claims.
- Compliance with legal obligations: Processing is necessary for compliance with a legal obligation to which the data controller is subject (e.g., accounting and tax obligations, record-keeping requirements, responses to lawful requests from competent authorities).
STRACKR does not process Personal Data on the basis of a public interest mission or the exercise of official authority within the meaning of Article 6(1)(e) GDPR, nor on the basis of vital interests within the meaning of Article 6(1)(d) GDPR.
4. Role of STRACKR
In accordance with Article 4 of the GDPR:
- the “controller” is the natural or legal person who determines the purposes and means of processing personal data;
- the “processor” is the natural or legal person who processes personal data on behalf of the controller.
In the context of providing Services via the Website and the Application, STRACKR processes your Personal Data in its capacity as:
- a “Data Controller”, when processing Personal Data for its own purposes, including but not limited to:
  - account creation / management and user authentication;
  - subscription management and billing;
  - customer relationship management;
  - technical support and service communication;
  - platform security and fraud prevention;
  - internal analytics and service improvement.
- a “Data Processor”, when processing Personal Data strictly on behalf of the Client in order to provide the Service and within the meaning of Article 28 of the GDPR. In this context, the Client is the Data Controller, meaning that STRACKR processes Personal Data solely in accordance with the Client’s documented instructions and the processing is governed by the DPA. This may occur when Clients use STRACKR’s platform to aggregate, analyse, or manage their own data.
5. Categories of Personal Data processed
5.1. As Data Controller
When acting as Data Controller, STRACKR may process the following information, without limitation:
- Account and identification data: first and last name, professional email address, company name, account identifiers, encrypted authentication credentials;
- Billing and contractual data: billing address, VAT number, subscription details, transaction history, payment confirmation data;
- Support and communication data: support service requests, emails, chat conversations, diagnostic information provided voluntarily;
- Data collected through trackers, cookies or other similar technologies (see Cookie Policy).
5.2. As Data Processor
When acting as Data Processor, STRACKR may process, depending on the Client’s use of the Service and the data made available through connected Third-Party Platforms:
- identification data relating to the Client, Authorized Users or business contacts (such as name, professional email address or role);
- Personal Data included in Affiliate Data made available through Third-Party Platforms and connected by the Client;
- technical identifiers, account credentials, API keys or tokens necessary for the aggregation and synchronization of data;
- any other Personal Data contained in Client Data transmitted, uploaded or connected to the Service by or on behalf of the Client.
In such cases, STRACKR:
- does not determine the purposes or means of processing;
- does not use Personal Data contained in Client Data for its own purposes, except where required to comply with applicable legal obligations or as otherwise permitted under the Data Processing Agreement;
- does not collect end-user tracking data;
- processes such data solely to provide the Service.
The respective rights and obligations of the Parties regarding such processing are governed by the Data Processing Agreement (DPA), which forms an integral part of the contractual framework between STRACKR and the Client.
6. Purpose and legal base for processing
In accordance with Articles 5, 6, 13 and 30 of the GDPR, the tables below detail, for each type of data collected, the purpose of processing, the legal basis for processing, the recipients of this data, and the period for which the Personal Data will be stored (the data retention period).
Two scenarios are presented: when STRACKR acts (a) as a Data Controller and (b) as a Data Processor on behalf of a Client. In both cases, no data is disclosed to third parties for commercial purposes.
6.1. Processing as a Data Controller
When STRACKR acts as the data controller, it determines the purposes and means of processing your Personal Data.
| Type of Collected Data | Purpose | Legal Basis (art. 6 GDPR) | Recipients | Data Retention Period |
|---|---|---|---|---|
| Account identification data (name, email address, company name, job title) | Account creation, user management, customer relationship management | Performance of the contract; Legitimate interest (preventing fraud, abuse of Service and Free Trial) | Internal authorized personnel; hosting provider | Duration of contract or Free Trial not converted into paid subscription + 2 years |
| Login credentials (email, encrypted password) | User authentication and platform security | Performance of the contract; Legitimate interest | Hosting and security service providers | Deleted upon account deletion. For free trial accounts not converted: connection data deleted after 3 months |
| Billing and invoicing data (billing address, VAT number, payment status) | Invoicing, accounting, tax compliance | Performance of the contract; Legal obligation | Accounting providers; tax authorities where required | 10 years starting from the end of the financial year in which the invoice was issued |
| Technical logs (IP address, access timestamps, device/browser metadata) | Security monitoring, fraud prevention, system integrity | Legitimate interest (security) | Hosting and infrastructure providers | Up to 12 months starting from the date of collection (may be retained longer where necessary for legal claims) |
| Support communications (emails, helpdesk tickets, attachments) | Customer support and dispute management | Performance of the contract; Legitimate interest (exercise or defense of legal claims) | Customer support software providers | 3 years starting from the date the support request is marked closed |
| Essential website technical data (strictly necessary cookies) | Website functionality and security | Legitimate interest | Hosting provider | Duration necessary for technical operation; in any event no longer than 13 months from placement where applicable |
6.2. Processing as a data processor
When providing its affiliate data aggregation services, STRACKR processes personal data strictly on behalf of its Clients and under documented instructions. In such a case, STRACKR does not decide on the purposes of the processing of Personal Data. The Client determines purpose and legal basis.
The retention periods indicated below are binding only on STRACKR. The latter does not determine the retention period for your Client Data applied by Third-Party Platforms, who may retain it for a longer period. For any questions regarding Personal Data retained by Third-Party Providers in their capacity as data controllers, it is advisable to contact them directly.
| Type of Collected Data | Purpose | Legal Basis | Recipients | Data Retention |
|---|---|---|---|---|
| Affiliate platform data (publisher identifiers, transaction references, commission data) | Aggregation, normalization, and structured reporting within STRACKR dashboard | Determined by Client | Client; infrastructure providers | Duration of the contract + 3 months following effective date of Contract termination |
| Transaction metadata (timestamps, order references, campaign identifiers) | Consolidation and synchronization of affiliate data | Determined by Client | Client; infrastructure providers | Duration of the contract + 3 months following effective date of Contract termination |
| Identifiers received from affiliate platforms | Data structuring and reporting | Determined by Client | Client; infrastructure providers | Duration of the contract |
| API credentials / access tokens provided by Client to connect third-party affiliate platforms | Technical synchronization and automated retrieval of affiliate data | Determined by Client | Infrastructure providers | Duration of the contract. For free trial accounts not converted: deleted within 3 months following the end date of the trial period |
7. Recipients of Personal Data
Your Personal Data may be transmitted to the following recipients:
- hosting providers;
- STRACKR’s personnel, strictly within the limits of their duties;
- Third-Party Service providers and subcontractors (e.g. payment service providers, customer support service providers, IT and infrastructure providers), only to the extent necessary for the performance of the Contract or the implementation of pre-contractual measures taken at the Client’s request;
- legal, accounting and audit advisors;
- competent administrative or judicial authorities where legally required.
The list of STRACKR subcontractors is provided in Appendix 1. Access to Personal Data by these subcontractors is limited to the operational needs necessary for the provision of Services, in accordance with contractually defined instructions.
Third-Party Service providers acting on behalf of STRACKR are contractually bound by appropriate data protection obligations.
No Personal Data is transferred or sold to third parties.
8. Third-party service providers
STRACKR relies on carefully selected third-party service providers to operate, secure, and improve the Services.
These providers may process Personal Data on behalf of STRACKR in accordance with Article 28 of the GDPR where STRACKR acts as Controller.
Each third-party service provider is contractually bound by a written DPA requiring:
- Processing only on documented instructions from STRACKR;
- Implementation of appropriate technical and organizational security measures;
- Confidentiality obligations;
- Compliance with applicable data protection laws;
- Assistance with Data Subject rights and security obligations where applicable.
Where Personal Data is transferred outside the European Economic Area (EEA), STRACKR ensures that appropriate safeguards are implemented in accordance with Chapter V GDPR.
The current list of third-party service providers is set out in Annex 1 below.
9. Independent responsibility
When STRACKR provides its affiliate data aggregation services, it processes Personal Data exclusively on behalf of and under the documented instructions of the Client.
The Client represents and warrants that it has determined a valid legal basis under Article 6 of the GDPR for the collection, disclosure, and processing of any personal data made accessible to STRACKR through third-party affiliate networks, partner platforms, analytics tools, or other services connected at the Client’s initiative.
Each Third-Party Platform connected to the Service remains independently responsible for its own compliance with applicable data protection laws, including the determination of its legal basis for processing.
Nothing in the use of the Service shall be interpreted as creating joint controllership between STRACKR and the Client with respect to affiliate data processed on the Client’s behalf. STRACKR does not determine the purposes for which Affiliate Data is collected by Third-Party Platforms, nor the categories of Personal Data included therein. STRACKR’s role is limited to providing technical aggregation and visualization functionalities as instructed by the Client.
10. Security of Personal Data
In accordance with Articles 24 and 32 of the GDPR, STRACKR implements strict and appropriate technical and organizational measures to ensure the security of your Personal Data, such as:
- end-to-end data encryption (AES-256);
- multi-factor authentication (MFA);
- SSL/TLS protocols for secure transmission;
- geo-redundant storage and disaster recovery;
- regular compliance checks;
- continuous monitoring measures and internal tests.
In accordance with Article 28 of the GDPR, when STRACKR works with third-party service providers or subcontracts, it ensures they are bound by contractual obligations consistent with Article 28 of the GDPR and providing sufficient guarantees regarding the implementation of appropriate technical and organisational measures to ensure the protection of Personal Data.
11. Transfer outside of the EU
In the context of providing the Website, the Application and the Service, STRACKR may host, process or engage service providers or sub-processors whose operations involve transfers of Personal Data outside the European Union or the EEA.
Such transfers may occur, for example, in connection with cloud infrastructure and hosting services; system monitoring and logging tools; payment processing services; customer support tools; security and fraud prevention services; technical maintenance or software providers.
Where Personal Data is transferred outside the EU/EEA, STRACKR ensures that such transfers are carried out in compliance with Chapter V of the GDPR, including the European Commission Standard Contractual Clauses (SCCs), and are subject to appropriate safeguards ensuring a level of protection essentially equivalent to that guaranteed within the European Union.
STRACKR carefully selects its service providers and ensures that appropriate contractual, technical and organizational measures are implemented to protect Personal Data.
Where STRACKR acts as a data processor on behalf of a Client, international transfers of Client Data are governed by the Data Processing Agreement (DPA).
Data Subjects may request further information regarding international data transfers and applicable safeguards by contacting STRACKR at: contact@strackr.com.
12. Data Subject Rights
12.1. Principles
In accordance with Articles 15 to 22 of the GDPR, as a Data Subject, you have the following rights:
- Right of access: you have the right to obtain confirmation that personal data that concerns you is being processed by STRACKR, as well as to access said data and all information relating to its processing (purpose, categories of data, retention period, etc.).
- Right of rectification: if some of your data is inaccurate or incomplete, you can request that it be corrected or updated.
- Right to erasure (in certain cases): in certain cases (for example, when the data is no longer necessary for the purposes pursued, or when you withdraw your consent), you may request the deletion of your data. However, this right may be limited, in particular when processing is required to comply with a legal obligation.
- Right to restriction of processing: you may request the temporary suspension of the use of your data, in particular if you contest its accuracy, if the processing is unlawful, or if you have exercised your right to object.
- Right to object: you may object at any time to the processing of your data for reasons relating to your particular situation. You may also object at any time to receiving commercial communications.
- Right to data portability: when processing is based on your consent or on a contract, you may request to receive your data in a structured, commonly used, and machine-readable format, or to have it transmitted directly to a third party, where technically feasible.
- Right not to be subject to automated decision-making: when processing is based on your consent, you may withdraw it at any time, without justification, and without this affecting the lawfulness of the processing carried out prior to withdrawal.
12.2. Exercising Data Subject’s rights
1) Requests to STRACKR
Where STRACKR acts as Data Controller, requests relating to the exercise of your rights may be addressed to STRACKR at: contact@strackr.com.
Where STRACKR acts as Data Processor on behalf of a Client, the relevant Client acts as Data Controller within the meaning of Article 4(7) GDPR. Any request coming from a Data Subject relating to Personal Data processed in that context must be addressed directly to the relevant Client. STRACKR will assist the Client in responding to such requests in accordance with Article 28 GDPR.
Where Personal Data is processed by Third-Party Platforms acting as independent Data Controllers, requests must be directed to such third parties in accordance with their respective privacy policies.
2) Complaints to the CNIL
You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data constitutes a violation of applicable data protection legislation. This complaint may be lodged in the Member State where you usually reside, where you work, or where the alleged infringement took place.
You can consult the full list of national data protection authorities within the European Union on the website of the European Data Protection Board.
In France, if you believe that your rights have not been respected, you can submit a complaint free of charge, except for postage costs, to the CNIL:
- Website: www.cnil.fr
- Postal address: 3 Place de Fontenoy, 75007 Paris
13. Personal Data of minors
The Website, the Application and the Service are intended exclusively for professional use and are not directed at minors.
STRACKR does not knowingly collect or process Personal Data relating to individuals under the age of eighteen (18).
Clients are responsible for ensuring that they do not transmit to STRACKR Personal Data relating to minors in violation of applicable laws and regulations.
14. Statistics and analytics
STRACKR may collect and analyze certain technical data in order to measure the performance, security and proper functioning of the Website, the Application and the Service.
Statistics are generated using the following tools and mechanisms: (i) Openpanel, used for website visit statistics and general usage analytics; (ii) server-side logs; and (iii) Datadog, used for system monitoring and technical log analysis. These tools are implemented in a manner that does not involve behavioral advertising, cross-site tracking or marketing profiling. No advertising analytics tools (such as Google Analytics) are used.
The data processed for statistical and monitoring purposes may include:
- page visits and navigation events;
- timestamps;
- device and browser type;
- technical performance indicators;
- IP addresses for security and fraud detection purposes.
IP addresses are processed for system integrity and security monitoring and are retained within monitoring systems (including Datadog) for a maximum period of three (3) days, unless extended retention is strictly necessary in the context of a security incident investigation.
Processing of such statistical and technical data is based on STRACKR’s legitimate interest, notably in:
- ensuring the security, integrity and availability of its systems;
- detecting malicious activity or unauthorized access attempts;
- monitoring system performance;
- improving the reliability and functionality of the Service.
Where statistical data is further used for product improvement, internal reporting or business analytics, STRACKR prioritizes the use of aggregated or anonymized data.
STRACKR does not use statistical data for advertising purposes and does not sell Personal Data.
15. Cookies
STRACKR uses cookies and similar technologies in connection with the Website and certain features of the Service, in particular to:
- ensure the technical functioning and security of the Website, including session management and authentication;
- facilitate access to the Service and maintain user sessions;
- generate usage statistics and improve the performance and reliability of the Service.
Certain third-party service providers, such as payment and support tools, may also use cookies when their functionalities are activated (for example, during payment processing or when using the support chat).
Cookies that are strictly necessary for the operation of the Website and the delivery of services expressly requested by the user do not require prior consent under applicable regulations.
Non-essential cookies are only placed after obtaining your consent, in accordance with the regulations in force.
For detailed information about the categories of cookies used, their purposes, retention periods, third-party access and how to manage your preferences, please refer to our Cookie Policy available here: [Link to Cookie Policy].
16. Updating the Privacy Policy
The Privacy Policy may be updated to reflect any legal, regulatory, jurisprudential, or technical developments. In the event of a substantial change, STRACKR undertakes to inform you in writing at least fifteen (15) days before the new provisions come into force. Beyond this period, any continued use of the services offered by STRACKR will constitute acceptance of the updated version of the Policy.
The current version of the Privacy Policy is the one published online, accessible at any time from the Website or Application. This version is binding between the parties. You are invited to refer to it regularly.
17. Annex 1 - List of third-party service providers
The following table lists third-party service providers who may have access to and process Personal Data, strictly as necessary for the provision of their respective services.
The categories of data listed are limited to what is necessary for the specific service provided.
This Annex may be updated to reflect operational changes.
Where STRACKR acts as Processor on behalf of a Client, certain providers listed below may qualify as Sub-Processors within the meaning of Article 28(2) GDPR.
| Third-party service provider | Country of processing / data hosting | Service Provided | Category of Personal Data Processed | Guarantees implemented |
|---|---|---|---|---|
| OVHcloud | European Union | Cloud hosting and infrastructure | Account data, authentication data, usage data, technical logs | Article 28 Data Processing Agreement; EU data hosting |
| Crisp | European Union | Customer support messaging | Account email address; content of support communications | Article 28 DPA; EU hosting where available; Standard Contractual Clauses (SCCs) if applicable |
| Datadog | European Union and/or United States | Infrastructure monitoring and security monitoring | IP address; system event logs | Article 28 DPA; SCCs where applicable |
| OpenPanel | European Union and/or United States | Website Visit Statistics | Browsing Data | Product analytics (service usage measurement) |
| Stripe | European Union and/or United States | Payment processing | Billing email; billing address; transaction data (processed directly by Stripe) | SCCs and additional safeguards where applicable |
| Postmark | United States, possible EU routing | Transactional email delivery (account verification, service notifications) | Email address; limited message content | Article 28 DPA; SCCs where applicable |