PyroTrack LogoPyroTrack

Privacy Policy

Last updated: April 6, 2026

Data Controller: Mustafa Bolat (operating as PyroTrack), Netherlands

Contact: info@pyrotrack.com

This Privacy Policy explains how PyroTrack ("we", "us", "our") collects, uses, stores, and shares your personal data, and describes your rights under the General Data Protection Regulation (GDPR) (EU) 2016/679.

1. Data Controller Identity

2. Personal Data We Collect

Account Data

  • Full name
  • Email address
  • Encrypted password (we cannot read plaintext passwords)
  • Profile information you provide

Business and Financial Data

  • Company name (if applicable)
  • Business address
  • VAT number (if applicable)
  • Invoice data (client names, amounts, dates)
  • Income and expense records you enter

Technical and Usage Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages or features accessed and timestamps
  • Referring URLs

Payment Data

Payments are processed by Stripe. We do not collect or store your credit card number, CVV, or full card details. Stripe's privacy policy is available at stripe.com/privacy.

Communications Data

If you contact us by email or support form, we retain the content of that correspondence.

3. Legal Basis for Processing (Art. 6 GDPR)

  • Account creation and management: Performance of contract (Art. 6(1)(b))
  • Service delivery and features: Performance of contract (Art. 6(1)(b))
  • Processing payments: Performance of contract (Art. 6(1)(b))
  • Analytics and service improvement: Legitimate interest (Art. 6(1)(f))
  • Transactional communications: Performance of contract (Art. 6(1)(b))
  • Marketing communications: Consent (Art. 6(1)(a))
  • Legal compliance and fraud prevention: Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

  • Create and manage your account
  • Provide, maintain, and improve the Service
  • Process and confirm payments
  • Respond to support requests
  • Send transactional communications (billing receipts, subscription confirmations)
  • Comply with legal and regulatory obligations
  • Detect and prevent fraud and abuse

We will not sell, rent, or share your personal data with third parties for their own marketing purposes.

5. Data Retention

We retain personal data only for as long as necessary:

  • Account data: Duration of account + 2 years after deletion
  • Business and financial data: 7 years (Dutch accounting law, Art. 52 AWR)
  • Technical and usage logs: 90 days
  • Payment records: 7 years (legal obligation)
  • Support communications: 2 years
  • Marketing consent records: Until withdrawal

After the retention period, data is securely deleted or anonymized.

6. Sub-Processors and International Transfers

We use the following sub-processors that may process your personal data:

  • Supabase — Database, authentication — EU (primary) / US — Safeguard: Standard Contractual Clauses (SCCs)
  • Vercel — Hosting and deployment — US / Global CDN — Safeguard: Standard Contractual Clauses (SCCs)
  • Stripe — Payment processing — US — Safeguard: Standard Contractual Clauses (SCCs)

Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR) or adequacy decisions where available.

7. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of your rights, contact us at info@pyrotrack.com — we will respond within 30 days.

Right to Lodge a Complaint

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens (AP)

Website: autoriteitpersoonsgegevens.nl

8. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

9. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

10. Security

We implement appropriate technical and organizational security measures, including:

  • Encrypted connections (TLS/HTTPS)
  • Encrypted passwords (not readable by us)
  • Role-based access controls
  • Sub-processor security programs (Supabase, Vercel, Stripe)

No security system is impenetrable. In the event of a personal data breach affecting your rights and freedoms, we will comply with notification obligations under Articles 33 and 34 GDPR.

11. Cookies

PyroTrack uses cookies to maintain login sessions, remember preferences, and analyze usage. Please see our Cookie Policy for full details.

12. External Links

The Service may contain links to external websites. This Privacy Policy does not apply to those third-party sites. We are not responsible for their privacy practices.

13. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email or by a prominent in-app notice. The revised date at the top of this page indicates the latest version.

14. Contact

For all privacy-related questions and to exercise your rights:

Email: info@pyrotrack.com