This Policy explains what personal data Trakys Own (“we”) collects, why, who we share it with, and what rights you have. We aim to collect as little as possible.
1. Who is the data controller
The data controller for personal data processed through Trakys is Mark Semikhov Software. Trakys is a product brand; the legal operator is the sole proprietorship listed on our Imprint page. Contact: [email protected].
2. What we collect and why
| Data | Why | Legal basis (GDPR) |
|---|---|---|
| Email, password hash, display name | Account authentication, password reset | Performance of contract |
| IP address, user-agent, login timestamps | Security, abuse prevention, audit trail | Legitimate interest |
| Tasks, notes, transactions, files you upload | To run the Service for you | Performance of contract |
| Billing identifiers (Stripe customer ID, subscription ID, invoice metadata, card brand/last 4 if provided by Stripe) | Subscription handling, invoices, fraud prevention, support | Performance of contract / legal obligation (tax) |
| Email opt-in choices | Optional product updates or marketing communications, if you opt in | Consent (you can withdraw anytime) |
We do not run third-party ad trackers, behavioural analytics, or sell your data to anyone.
3. Cookies
We set a session cookie required to keep you logged in. It is classified as “strictly necessary” under EU ePrivacy rules and does not require consent. See our Cookie Policy for details.
4. Who we share data with (subprocessors)
- Railway — cloud hosting and Postgres infrastructure
- Stripe — payment processing, invoices, billing records, fraud controls
- Google Workspace SMTP — transactional email delivery
- S3-compatible object storage — file uploads
Each provider operates under its own privacy terms and a Data Processing Agreement with us. We rely on Standard Contractual Clauses for transfers of EU personal data outside the EEA where required.
5. Retention
Account data is kept while the account is active. After deletion we remove or anonymize your data within a commercially reasonable period, except billing, accounting, and tax records that we must keep under applicable law, and records reasonably needed for security, fraud prevention, or dispute resolution. Retention periods may vary by country, but can extend up to the maximum period required for accounting, tax, chargeback, or fraud-prevention purposes. Server logs are kept for up to 90 days.
6. Your rights
Depending on your jurisdiction, including the GDPR in the EEA, UK GDPR, applicable US state privacy laws, and Ukrainian privacy law:
- Access: request a copy of your data
- Rectification: correct inaccurate data
- Erasure: delete your account and data
- Portability: download your data in a structured format
- Object / restrict: stop certain processing (for example marketing)
- Withdraw consent: at any time, with no effect on past lawful processing
- Lodge a complaint with your local data protection authority
To exercise any of these, email [email protected].
7. Security
Passwords are hashed with PBKDF2-SHA256 (600 000 iterations). All traffic runs over TLS. Session cookies are signed and HTTPS-only. Backups are encrypted at rest. Access to production systems is limited. That said, no system can be guaranteed 100% secure.
8. Children
The Service is not intended for users under 16. We do not knowingly collect data from children. If you believe we have, please contact us and we will delete it.
9. Changes
If we make material changes to this Policy, we will use reasonable efforts to notify you by email or in-app. The current version is dated above.