Skip to content
OnTrackio

Privacy Policy

What personal data we handle, why, and the rights you have over it. Written to be read, not to hide behind.

Effective 31 May 2026 · Controller: OnTrackio ITAM UAB (Lithuania) · Contact privacy@ontrackio.com

1. Who we are and the two roles we play

This policy explains how OnTrackio ITAM UAB ("OnTrackio", "we", "us") handles personal data. We wear two hats:

  • Controller for data about our own prospects, customers, partners, and website visitors — the accounts, billing contacts, and email addresses we use to run the business.
  • Processor for the data our customers put into the platform about their own people. We handle that strictly on the customer's documented instructions under our Data Processing Agreement (DPA), which is requested and signed separately.

Sections 2–7 below describe the controller side. Section 8 summarises the processor side; the DPA governs it in full.

2. What we collect as controller, and why

Account and sign-up data. Your name, work email, workspace name, a hashed password, any MFA secrets or passkey credentials you enrol, and the IP address and browser user-agent of your sessions. We use this to provision and secure your workspace, contact you about your account, and detect fraud. Legal basis: performance of a contract (GDPR Article 6(1)(b)). Kept for the life of the account plus 90 days.

Billing data. Your billing email, subscription status, invoice references, and the last four digits of a payment card (full card data is held by Stripe, never by us). We use this to manage your subscription and show your billing history. Legal basis: performance of a contract.

Email-delivery events. When we send a transactional email, we record the address plus bounce and complaint metadata so we stop emailing addresses that fail and comply with anti-spam rules. Legal basis: legitimate interest (Article 6(1)(f)). Kept 180 days, then aggregate-only.

Website usage. This site sets no tracking or advertising cookies and runs no third-party analytics. Our CDN (AWS CloudFront) keeps standard server access logs — your IP address, the page requested, and your user-agent — in the EU for up to 90 days, used only for security and operations under legitimate interest (Article 6(1)(f)). Fonts are served from an EU-hosted, cookie-free provider. We don't build a profile of you for marketing.

3. Where your data lives

All core platform data is stored in AWS eu-central-1 (Frankfurt, Germany). There is no US fallback and no cross-region replication outside the EU for the platform itself.

4. International transfers

Two narrow flows can leave the EU, each under EU Standard Contractual Clauses with supplementary measures:

  • Billing — payment processing involves Stripe; billing contact details may be processed by Stripe under its Article 28 terms.
  • AI features (opt-in only) — if you turn on an AI feature, the input you choose to send is processed by Anthropic (US). You can supply your own Anthropic key so the contract is directly yours, and Anthropic's API terms exclude that content from model training. AI features are off unless you enable them.

5. Sub-processors

We keep the current list of sub-processors, their purpose, and their region on our Security page. We give 30 days' notice before a material change so you can object.

6. Your rights

Under the GDPR (Articles 12–22) you can ask us to give you access to your personal data, correct it, erase it, restrict or object to its processing, or hand it to you in a portable format. To exercise any of these:

  • Email your request to privacy@ontrackio.com, or
  • if you have a workspace account, export your own records in-app from your profile.

We respond within 30 days (Article 12(3)). If we process data your employer put into the platform, we'll route your request to them as the controller. You also have the right to complain to your local supervisory authority — in Lithuania, the State Data Protection Inspectorate (VDAI).

7. How long we keep things, and security

Retention in short: account data for the life of the account plus 90 days; email-delivery events for 180 days; customer (tenant) data for as long as the customer's retention setting says (default 365 days, 30-day minimum). On termination, customer data is exported on request within 30 days and deleted within 60 days by dropping the isolated per-tenant database, unless the law requires us to keep it.

Security measures include encryption at rest (AWS KMS) and in transit (TLS 1.2+), database-per-tenant isolation, role-based access control, enforced MFA, and an audit log on every change. More detail is on the Security page.

8. Data we process on your behalf

When you use the platform, you are the controller of your own people's records — employee and asset data, endpoint-agent telemetry, and anything you put into an AI feature — and we are your processor under the DPA. We minimise where we can: the agent hashes browsed domains (SHA-256) and never transmits full URLs, and AI features are opt-in. Request the DPA from privacy@ontrackio.com.

9. Changes to this policy

We review this notice at least annually and when our data flows change materially. We'll post the updated version here with a new effective date. Questions go to privacy@ontrackio.com.