Privacy Policy

Trackk LLC ("we", "us", or "our") operates Trackk, available at trackk.dev. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have regarding your data.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service. This policy is incorporated into and governed by our Terms of Service.

We collect information in the following categories:

Account information. When you register, we collect your email address, hashed password, and optionally your name or GitHub username (if you sign up via OAuth). This is stored in our authentication provider, Supabase.

Project data. Information you enter about your projects, including project names, descriptions, phases, milestones, notes, stack choices, and URLs. This data belongs to you and is stored in our Supabase database.

Integration credentials. API tokens and keys you provide to connect GitHub, Vercel, Supabase, Stripe, Cloudflare, and other services. These are stored encrypted in your account metadata and are used solely to fulfil your dashboard requests.

Usage and telemetry data. Standard server-side request logs, including IP addresses, browser type, pages visited, and interaction timestamps. We do not run client-side analytics scripts at this time.

Billing data. Payment information is handled directly by Stripe, Inc. We do not store card numbers or full payment details on our servers. We receive billing event webhooks (subscription created, cancelled, renewed) from Stripe to maintain your subscription status.

Notification preferences. Your email notification settings and vacation mode preferences, stored in your account profile.

We use the information we collect to:

• Provide, operate, and maintain the Trackk platform
• Authenticate you and keep your account secure
• Display your project progress, commit activity, deployment status, and revenue metrics
• Connect to and fetch data from your linked third-party services on your behalf
• Send weekly digest emails, onboarding nudges, and encouragement notifications (subject to your preferences)
• Process your subscription payments via Stripe
• Improve the reliability and performance of the Service
• Respond to your support requests and communications
• Comply with applicable legal obligations

We do not sell your personal data, use it to train AI models, or share it with advertisers.

When you connect external services to Trackk, you authorise us to access data from those services on your behalf using the credentials you provide. The data we read depends on the integration:

• GitHub — repository commit history, branch names, and contributor metadata
• Vercel — deployment status, production URLs, and billing charges
• Supabase — project list and connection status (no row-level data is read)
• Stripe — subscription revenue, customer counts, and MRR metrics
• Cloudflare — account billing usage and zone information

Your use of each connected service is subject to that service's own privacy policy and terms of service. We recommend reviewing those policies. You can disconnect any integration at any time from the Settings section of your dashboard, after which we will stop fetching data from that service.

We rely on the following third-party service providers ("sub-processors") to operate the Service. Each processes data only as instructed by us and in accordance with their own privacy practices:

We do not sell, rent, or trade your personal data. We may share your data only in the following limited circumstances:

Service providers. We share data with sub-processors listed above as necessary to provide the Service.

Legal requirements. We may disclose your information if required to do so by law or in response to valid legal process (such as a subpoena or court order).

Business transfers. In the event of a merger, acquisition, or sale of all or substantially all assets of Trackk LLC, user data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

With your consent. We may share your information in other ways if you give us explicit consent to do so.

We retain your account data and project information for as long as your account is active. If you delete your account, your personal data and project content will be permanently removed from our systems within 30 days, except where retention is required by applicable law (for example, billing records for tax purposes).

Server-side access logs are retained for up to 90 days for security and debugging purposes, after which they are automatically purged.

Integration credentials (API tokens) are deleted immediately when you disconnect the relevant integration or delete your account.

We take the security of your data seriously. Measures we apply include:

• All data in transit is encrypted using TLS 1.2 or higher
• Integration tokens and API keys are stored encrypted at rest in Supabase
• Database access is controlled by Supabase Row Level Security (RLS) policies
• Production secrets are stored as environment variables in Vercel, never in source code
• We support multi-factor authentication (MFA) for your Trackk account

Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to hello@trackk.dev and we will respond promptly.

Trackk uses a minimal number of cookies necessary to operate the Service:

• Authentication cookies — set by Supabase to maintain your logged-in session. These are strictly necessary and expire when you sign out or after a configurable idle period.
• Theme preference — a small localStorage entry to remember your light/dark mode choice. This never leaves your device.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioural analytics scripts. We do not participate in any advertising networks.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate or incomplete data
• Deletion — request that we delete your account and personal data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing of your personal data in certain circumstances
• Restriction — request that we restrict processing of your data

To exercise any of these rights, contact us at hello@trackk.dev. We will respond within 30 days. Some requests may require identity verification before we can process them.

California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to opt out of the sale of personal information. We do not sell personal information.

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at hello@trackk.dev and we will take steps to delete it promptly.

Trackk LLC is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate.

We rely on appropriate legal mechanisms for cross-border data transfers, including Standard Contractual Clauses (SCCs) where applicable. By using the Service, you acknowledge and consent to such transfers.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice on the Service. The "Effective date" at the top of this page will always reflect the date of the most recent version.

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the Service and may delete your account.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: