Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how Tracksheets ("we", "us") processes personal data when you use the website https://tracksheets.kutter.li (the "Service").

We process personal data in accordance with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

Martin Kutter Hanfgartenstrasse 36 8626 Ottikon (Gossau ZH) Switzerland Email: info@tracksheets.com

For all data protection enquiries, please contact us at the email address above.

2. Data we process

2.1 Account data

When you create an account, we collect:

  • Email address
  • Password (stored only as a salted hash; we never see your plain-text password)
  • Name, if you provide one
  • Account creation date

Purpose: to operate your account, authenticate you, and let you access purchased sheets. Legal basis: performance of a contract (Art. 6(1)(b) GDPR; Art. 31(1) revFADP).

2.2 Purchase and billing data

When you buy credits or sheets, we — together with our payment processor Stripe — process:

  • Order details (items, price, currency, time)
  • Billing details you provide
  • A payment reference returned by Stripe

Card numbers and other payment instrument details are processed directly by Stripe and are not stored on our servers.

Purpose: to process your purchase, issue receipts, and comply with accounting law. Legal basis: performance of a contract; legal obligation (Swiss Code of Obligations, accounting retention).

2.3 Download and usage data

  • Which sheets you have purchased
  • Download history (timestamps, IP address)

Purpose: to make purchased sheets available to you and prevent abuse. Legal basis: performance of a contract; legitimate interest.

2.4 Server logs

Our hosting provider records technical access data:

  • IP address
  • Date and time of the request
  • Requested URL
  • User-agent string
  • Referrer

Purpose: security, abuse prevention, error diagnosis. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: typically up to 30 days, longer only where required for a specific security investigation.

2.5 Contact form

If you write to us through the contact form, we process the information you submit (name, email, message) to answer your enquiry. We delete or archive the data once the matter is resolved, subject to any legal retention obligations.

3. Cookies

We use only strictly necessary cookies to operate the site — for example your login session and CSRF token. We do not use marketing, advertising, or analytics cookies. Because these cookies are strictly necessary, no separate consent is required.

4. Third parties (processors and recipients)

We use the following providers, who process data on our behalf:

Provider Purpose Location Safeguards
Infomaniak Network SA Hosting Switzerland Swiss data centre; revFADP applies directly
Stripe Payments Europe Ltd Payment processing Ireland (EU) / global Data Processing Agreement; Standard Contractual Clauses for non-EU transfers
Resend, Inc. Transactional email (e.g. download links, password reset) USA Data Processing Agreement; Standard Contractual Clauses (Art. 46 GDPR)

We do not sell or rent personal data. We disclose data to authorities only where required by law.

5. International transfers

Data processed by Stripe and Resend may be transferred outside Switzerland and the EU/EEA. These transfers rely on the EU Standard Contractual Clauses and the corresponding Swiss FDPIC-approved amendments, providing an adequate level of protection.

6. Retention

We retain personal data only as long as necessary for the purposes set out above, plus any statutory retention period — in particular 10 years for accounting documents under Swiss law. Account data is deleted within a reasonable period after account closure, subject to those retention obligations.

7. Your rights

Under revFADP and GDPR you have the right to:

  • access your personal data,
  • have inaccurate data corrected,
  • have your data deleted ("right to be forgotten"), subject to legal retention,
  • object to or restrict certain processing,
  • receive your data in a portable format,
  • withdraw any consent at any time, without affecting prior processing.

To exercise these rights, write to info@tracksheets.com. We may ask you to verify your identity.

You also have the right to lodge a complaint with a supervisory authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch
  • EU/EEA: the supervisory authority of your country of residence

8. Security

We use technical and organisational measures appropriate to the risk, including TLS/HTTPS for all traffic, password hashing, access controls, and regular updates. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced on the Service. The "Last updated" date at the top indicates the current version.

10. Contact

Questions about this Privacy Policy: info@tracksheets.com.