Privacy Policy
This policy explains how TrackLayer collects and uses account, website, and merchant-controlled event data.
Last updated · 2026-05-13
§ 01
Controller and processor roles
For customer account, billing, support, and marketing-site data, TrackLayer is usually the controller. For event data that merchants send into TrackLayer, the merchant is the controller and TrackLayer is the processor acting on documented instructions.
§ 02
Data we collect
We collect account identifiers, workspace settings, authentication logs, billing metadata handled by Stripe, support messages, security logs, and event payloads configured by merchants. Event payloads may include hashed contact fields, cookie or click identifiers, consent state, IP address, user agent, order metadata, and destination responses.
§ 03
Purposes and legal bases
We process data to provide the service, authenticate users, secure infrastructure, bill subscriptions, deliver configured events, diagnose data quality, answer support requests, and meet legal obligations. GDPR legal bases include contract necessity, legitimate interests, legal obligation, and consent where required for optional marketing communications.
§ 04
Retention
Merchant event retention is configurable by plan and workspace settings, commonly 30, 90, or 365 days. Account, invoice, security, and audit records are retained only as long as needed for service operation, legal compliance, dispute resolution, and security evidence.
§ 05
Subprocessors and transfers
We use vetted subprocessors for hosting, database, authentication, payments, email, monitoring, and support. The current list is published at /legal/subprocessors. Where international transfers require safeguards, we use appropriate mechanisms such as EU Standard Contractual Clauses.
§ 06
Security
TrackLayer applies TLS in transit, infrastructure encryption at rest where available, role-based access controls, least-privilege production access, audit logging, secret redaction, backups, monitoring, vulnerability management, and incident response procedures.
§ 07
Your rights
Subject to applicable law, individuals may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent. If a request concerns merchant-controlled event data, we may direct the requester to the merchant controller. Contact privacy@tracklayer.io.
§ 08
Contact
Privacy contact: privacy@tracklayer.io. Legal entity: Digital Soft Distribution s.r.o., Bratislava, Slovakia.