Privacy Policy

Last updated: 27 June 2026

This Privacy Policy explains how Trackly (“we”, “us”, or “our”) collects, uses, and protects your personal information when you visit our website or use our services.

1. Information We Collect

1.1 Information You Provide Directly

  • Email address — when you join our waitlist or contact us.
  • Tracker data — any metrics, events, or notes you enter into the app.
  • Any other information you choose to share.

1.2 Usage Data (Collected Automatically)

  • Technical data: IP address, browser type, device type and operating system, language settings.
  • Session data: pages you visit, actions you take (clicks, navigation, session duration).
  • Cookies and identifiers: an anonymous session identifier stored in your browser to recognise returning visits.

1.3 Interaction Replays — With Your Consent Only

If you give explicit consent via the cookie banner, we may record video replays of your interactions with app pages (mouse movements, clicks, scrolling). This helps us understand where users encounter difficulties and improve the product experience.

Interaction Replays are linked to your User ID solely to allow us to analyse behaviour in context — for example, to understand what actions precede a specific problem. This data is used exclusively for internal product analytics and is never shared with third parties for advertising or profiling purposes.

Important:

  • Recordings are linked to your User ID for analytical purposes only — we use this to study interaction patterns, not to identify you personally.
  • All text fields (passwords, tracker inputs, etc.) are automatically masked — their content is never captured.
  • Session recordings are stored for no more than 90 days.
  • You can withdraw consent at any time — via cookie settings on the website or through Settings → Privacy in the app.

2. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

PurposeLegal basis
Waitlist management, launch notificationsYour explicit consent (Art. 6(1)(a) GDPR)
Anonymous analytics without User ID — page views and actions when consent is not givenOur legitimate interest in improving the product (Art. 6(1)(f) GDPR)
Behavioural analytics linked to User ID — when consent is givenYour explicit consent (Art. 6(1)(a) GDPR)
Interaction Replays linked to User ID — when consent is givenYour explicit consent (Art. 6(1)(a) GDPR)
Responding to support requestsYour consent / performance of a contract
Compliance with legal obligationsLegal obligation (Art. 6(1)(c) GDPR)

3. Cookies and Similar Technologies

We use cookies and browser local storage to operate the website and for analytics.

Cookie Categories

CategoryPurposeBasis
EssentialWebsite operation (authentication, session state)No consent required
AnalyticsAnonymous usage data collected without consent (legitimate interest); full behavioural analytics linked to your User ID when consent is given (PostHog)Legitimate interest / Your consent
Interaction ReplaysVideo recording of interface interactions linked to your User ID, used exclusively for UX research and product improvement (PostHog)Your explicit consent

On your first visit you will see a consent banner with three options: allow all, reject all, or customise. You can update your preferences at any time:

  • on the website — via the “Cookie Settings” link in the footer;
  • in the app — via Settings → Privacy in your account (changes take effect immediately, without a page reload).

Disabling analytics cookies does not affect the functionality of the app.

4. Analytics and Interaction Replays (PostHog)

We use PostHog — a product analytics platform — to measure product usage and improve the user experience.

What PostHog Collects

Without your consent (anonymous, legitimate interest):

  • An anonymous random identifier not linked to your account
  • Pages you visit and actions you take
  • Device and browser characteristics
  • IP address (used to determine country; anonymised where required)

With your consent (linked to your account):

  • Your User ID — to link events and recordings to your account for analytical purposes only
  • All of the above, attributed to your account
  • Video recording of interface interactions (Interaction Replays) — linked to your User ID exclusively for UX research and product improvement

Where Data Is Stored

We use PostHog Cloud EU — servers located in Frankfurt, EU. Your data does not leave the European Union.

Data Processing Agreement

PostHog acts as a Data Processor in our relationship. We have entered into a Data Processing Agreement (DPA) in accordance with GDPR requirements.

For details: PostHog Privacy Policy and PostHog DPA.

5. Third-Party Service Providers

We share data with trusted service providers only to the extent necessary to operate the service:

ProviderPurposeData location
SupabaseDatabase, user data storage and authenticationEU
VercelWeb app hosting and CDNGlobal (CDN), with encryption
PostHog EUProduct analytics and Interaction ReplaysEU (Frankfurt)
ResendSending transactional emails (registration confirmation, account deletion notifications, etc.)USA (Standard Contractual Clauses)

We do not sell your personal information to third parties.

6. International Data Transfers

Most data is processed within the EU. Where data is transferred outside the EU (for example, via Vercel CDN or Resend), we take steps to ensure an adequate level of protection in accordance with applicable law, including Standard Contractual Clauses (SCCs).

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes described in this policy:

  • Email address (waitlist): until product launch or until you unsubscribe.
  • Account data: for the duration of the account. Deleted immediately upon confirmation of a deletion request.
  • Analytics events: up to 1 year (anonymised data — indefinitely).
  • Interaction Replays: up to 90 days.

After the retention period expires, we delete or anonymise the data.

Backups: Personal data is deleted from the live database immediately upon confirmation of a deletion request. We also maintain automated backups for service reliability purposes, which are not used for operational processing. These backups are automatically deleted within 30 days, after which your data is permanently gone.

8. Your Rights (GDPR)

If you are located in the EU or EEA, you have the following rights:

  • Right of access and portability — download a copy of all your data (profile, trackers, entries, consent settings) in JSON format via Settings → General → Download my data. The file is generated immediately.
  • Right to rectification — edit your profile data at any time via Settings → General.
  • Right to erasure (“right to be forgotten”) — delete your account and all associated data via Settings → General → Delete my account. After confirmation, your data is permanently deleted and a confirmation is sent to your email address. If you experience any difficulties, contact us at support@trackly-app.com.
  • Right to restriction and right to object — manage what data we collect via Settings → Privacy. Disabling analytics or interaction replays takes effect immediately.
  • Right to object to legitimate interest processing — we collect anonymous analytics on the basis of legitimate interest even without your consent. You have the right to object to this processing at any time by contacting us at support@trackly-app.com. We will assess your objection and stop processing unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent — withdraw any previously given consent at any time via Settings → Privacy, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — if you believe we are violating your rights, you may lodge a complaint with the relevant supervisory authority. In Spain and the EU: Agencia Española de Protección de Datos (AEPD). If you are located in another EU country, contact your national DPA.

For matters that cannot be resolved through the app — contact us at support@trackly-app.com. We typically respond within 24 hours. In cases of high volume or unforeseen circumstances, this may be extended, but no later than 30 days from receipt of your request.

9. Data Security

We take reasonable technical and organisational measures to protect your data:

  • data in transit is encrypted (TLS/HTTPS);
  • access to production systems is restricted;
  • passwords are hashed; we do not store payment card data.

No method of transmission or storage is completely secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within the timeframes required by law.

10. Children's Privacy

Our service is not directed to individuals under the age of 16, and we do not knowingly collect data from children. If you believe a child has provided us with their data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy. We will notify you of any material changes by email to your registered account address no later than 14 days before the changes take effect. The date of the last update is always shown at the top of this document. We recommend reviewing this document periodically.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we commit to:

  • notifying the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach;
  • notifying you without undue delay if the breach is likely to result in significant consequences for your rights or freedoms.

13. Marketing Communications

If you receive emails from us about product updates or news, each such email contains an unsubscribe link. Unsubscribing from marketing emails does not affect transactional messages (registration confirmation, account deletion notifications, etc.).

14. Users in the United States

If you are located in the United States (including California, Virginia, Colorado, or other states with privacy legislation), your rights to access, correct, delete, and port your data are available through the same tools described in Section 8 of this policy. We do not sell your personal data to third parties and do not share it for advertising purposes.

15. Contact

Email: support@trackly-app.com
Website: trackly-app.com