Privacy Policy
Last updated: 9 June 2026
Who we are
alphaTrack ("alphaTrack", "we", "us", "our") is a family of personal-tracking web apps operated by [OPERATOR LEGAL NAME], [JURISDICTION]. This policy explains what personal data we collect, why, who we share it with, and the choices you have. Questions about privacy can be sent to feedback@alphatrack.net.
For the purposes of the EU/UK GDPR, alphaTrack is the data controller for your account data and the content you store in the trackers.
Information we collect
Account information
- Your email address.
- A password, stored only as a salted scrypt hash — we never store or see your plaintext password.
- Account timestamps (when you signed up, when your email was verified).
Content you create
Whatever you record in the trackers you use — for example health and fasting logs, weights, watchlists and watched history, RSS and YouTube subscriptions, book and game libraries, tasks, notes, podcast progress, and financial transactions. This content is yours; we store it so the apps can show it back to you.
Technical data
- Session records: an opaque session token, plus the IP address and browser user-agent captured when a session is created, used to keep you signed in and to help detect abuse.
- Server logs needed to run and secure the service.
Payment data
Payments are handled by our merchant of record, Lemon Squeezy (see Sub-processors). We do not receive or store your full card details. We retain only a billing reference, your subscription status, and renewal/expiry dates so we can grant or lapse access.
How we use your data
- To provide the trackers and keep you signed in across them (single sign-on).
- To send transactional email — email verification and password resets. We do not send marketing email.
- To take payment, manage your subscription and free trial, and grant or revoke access accordingly.
- To secure the service (rate limiting, abuse detection) and to back up data so it survives hardware failure.
Our legal bases (GDPR) are: performance of a contract (running your account and trackers), legitimate interests (security, backups, preventing abuse), and legal obligation (tax records held by our merchant of record).
Cookies
alphaTrack uses only strictly-necessary cookies. We do not use advertising, analytics, or cross-site tracking cookies.
- at_session — keeps you signed in. HttpOnly and Secure.
- at_csrf — protects forms against cross-site request forgery.
Both are scoped to the .alphatrack.net domain so a single sign-in works across every tracker subdomain. Because they are essential to providing a service you asked for, they do not require consent, but we disclose them here for transparency.
Lemon Squeezy may set its own cookies on its checkout pages, governed by its policy.
Sub-processors
We share the minimum data necessary with these service providers:
- Hetzner — cloud hosting. Hosts the servers and databases where all account data and tracker content live.
- Lemon Squeezy — merchant of record and payment processing. Receives your email and payment details to take payment and issue invoices; acts as the seller of record for tax purposes.
- Resend — transactional email delivery. Receives your email address and the contents of verification and password-reset messages.
- Backblaze B2 — encrypted off-site database backups. Holds copies of the databases (including tracker content) for disaster recovery.
We do not sell your personal data, and we do not share it with third parties for their own marketing.
Third-party content lookups
Some trackers look up metadata from external catalogues as you search. These providers receive the search terms you type (and standard request metadata such as your IP), but not your account identity or other personal data:
- mTrack — TheTVDB and TMDB (TV and movie metadata).
- yTrack — the YouTube Data API (channel and video metadata).
- bTrack — Google Books and OpenLibrary.
- gTrack — RAWG and BoardGameGeek.
Data retention
We keep your account data and tracker content for as long as your account exists. When you delete your account, your sign-on data (user record, sessions, entitlements, verification tokens) is removed immediately, and the content held in each tracker is purged shortly afterwards. Encrypted backups roll off on their normal retention schedule (currently 30 daily and 12 monthly snapshots). Our merchant of record retains billing and tax records for the period required by law.
Your rights
Depending on where you live, you may have the right to:
- Access and export your data — signed-in users can download their data as JSON from the account page.
- Delete your account and data — available from the account page; this is irreversible.
- Correct inaccurate data — most content is editable directly in the apps.
- Object to or restrict certain processing, and to lodge a complaint with your local data-protection authority.
To exercise a right we don't expose in-app, email feedback@alphatrack.net.
Security
All traffic is served over HTTPS. Passwords are hashed with scrypt. Cookies are HttpOnly/Secure and forms are CSRF-protected. No system is perfectly secure, but we take reasonable measures to protect your data and to recover it via off-site backups.
International transfers
Some sub-processors listed above may process data outside your country, including in the United States. Where required, such transfers rely on appropriate safeguards (for example, Standard Contractual Clauses).
Children
alphaTrack is not directed at children under 16, and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will remove it.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above; significant changes affecting how we use your data will be communicated by email where appropriate.
Contact
Privacy questions and requests: feedback@alphatrack.net.