Privacy policy

This policy explains how Tramplo handles personal data of:

• Visitors to tramplo.com and its subdomains.
• People who create or administer a Tramplo customer organization.
• People who contact Tramplo by email.

If you are an employee whose employer uses Tramplo to monitor you, the relevant notice is at /legal/privacy/employees. In that situation Tramplo is the processor and your employer is the controller.

Tramplo is the data controller for the personal data described in this policy. Contact: info@tramplo.com. The brand is "Trackemplo"; the operating domain is tramplo.com.

• Account data: name, work email, hashed password, organization name, IP address at signup. Used to operate your account and to log the deployment attestation.
• Billing data: handled by Stripe. Tramplo never sees full card numbers; we receive only billing metadata (last 4 digits, customer id, invoice numbers).
• Email correspondence: if you email us, the message and your email address are kept in our inbox until they are no longer needed.
• Server logs: request method, path, status code, timestamp, IP address, and user-agent. Used for security and operational monitoring. Retained for up to 30 days.
• Cookies: see /legal/cookies. We use a single strictly-necessary session cookie.

• Performance of a contract for account, billing, and support.
• Legitimate interest for security logging, fraud prevention, and improving the service.
• Legal obligation for tax, accounting, and responding to lawful requests from authorities.
• Consent where we explicitly ask for it (we do not currently rely on consent for any of the data above).

• Account data: while the account is active, plus 30 days after closure.
• Billing records: 7 years to meet tax-record obligations.
• Email: until no longer relevant (typically 24 months).
• Server logs: up to 30 days.

The full list of subprocessors is at /legal/subprocessors. We do not sell personal data, and we do not share it for advertising.

Tramplo's primary infrastructure is in Germany / EU. Some subprocessors (notably Stripe) operate globally. Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses, with the UK ICO Addendum where the UK is involved.

Depending on where you live you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data (subject to legal retention duties).
• Object to processing based on legitimate interest.
• Restrict processing in certain circumstances.
• Receive your data in a portable format.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data-protection authority (for example, the ICO in the UK, the CNIL in France, the BfDI in Germany, the KVKK in Türkiye, the OAIC in Australia, or the OPC in Canada).

Send any request to info@tramplo.com. We aim to respond within 30 days.

If you are a California resident, you have the right to know what personal data we collect, to delete it, to correct it, and to opt out of any sale or sharing for targeted advertising. Tramplo does not sell personal data and does not share personal data for cross-context behavioural advertising. To exercise a right, email info@tramplo.com.

Tramplo's privacy officer can be reached at info@tramplo.com. Decisions about personal data of Quebec residents are made under our standard processes; we do not currently use automated decision-making.

• TLS 1.2 or higher for all client-server traffic.
• argon2id for passwords; SHA-256 for API tokens.
• Database not exposed to the public internet.
• Rate limiting on authentication endpoints.
• Audit logging for sensitive actions.

Tramplo is intended for workplace use by adults. We do not knowingly collect data from children under 16. If you believe a child's data has reached our systems, email us and we will remove it.

We will email account admins at least 30 days before a material change and update the effective date above for any change.

Privacy questions or requests: info@tramplo.com.