Privacy Policy
Your privacy matters to us. Here's how we handle your data.
Last updated: December 30, 2025
Quick Summary
- ✅ Your data is stored securely on encrypted servers
- ✅ We never sell your personal information to third parties
- ✅ You control who sees your profile information
- ✅ You can delete your account and data at any time
- ✅ We only collect data necessary to provide our service
- ✅ Voice recordings are processed in real-time and never stored
- ✅ AI features use your data only for the specific feature you request
1. What Information We Collect
We collect information that you provide directly to us:
Account Information
- • Full name and username
- • Email address
- • Password (encrypted)
- • Profile picture (optional)
Profile Details
- • University/Organization
- • Location (city, country)
- • Timezone
- • Skills and interests
Activity Data
- • Goals and milestones
- • Journal entries
- • Messages with partners
- • XP and achievements
Voice & AI Data
- • Voice recordings (processed, not stored)
- • AI verification requests
- • Milestone completion proofs
Technical Data
- • Browser type and version
- • Push notification tokens
- • Last login timestamps
- • Session information
2. How We Use Your Information
We use your information to:
- Provide and maintain the TrackMates service
- Match you with compatible accountability partners
- Send notifications about partner activity and verifications
- Display your profile to potential partners (based on your settings)
- Track your progress and maintain streaks
- Improve our matching algorithm and features
- Send important service updates and security alerts
- Process voice input to create tasks (audio is transcribed in real-time and immediately discarded)
- Use AI to verify milestone completions when you request it
3. Who Can See Your Information
Public to Other Users
- • Full name and username
- • Profile picture
- • University/Organization
- • City and country
- • Skills and interests
- • XP level and badges
Visible to Partners Only
- • Your active goals and milestones
- • Public journal entries
- • Direct messages
- • Streak information
Private (Never Shared)
- • Email address
- • Password
- • Private journal entries
- • Push notification tokens
4. Data Storage & Security
Where is my data stored?
- Your data is stored on secure PostgreSQL databases hosted by Supabase
- Profile images are stored on Amazon S3 with encryption at rest
- Our application runs on Microsoft Azure Container Apps in West Europe
- All data transmission uses HTTPS/TLS encryption
Security measures:
- Passwords are hashed using bcrypt (never stored in plain text)
- JWT tokens with secure session management
- Regular security updates and monitoring
- • Access controls and authentication on all API endpoints
- • All direct messages are encrypted server-side for enhanced security
5. How Long We Keep Your Data
- Active accounts: Data is retained as long as your account is active
- Deleted accounts: Data is permanently deleted within 30 days
- Messages: Encrypted server-side and retained for 7 days, or for the duration of the partnership, whichever is shorter
- Journal entries: Retained until you delete them or your account
- Analytics data: Anonymized after 12 months
6. Your Rights (GDPR & CCPA)
You have the right to:
Access
Request a copy of all your personal data
Rectify
Correct any inaccurate information
Delete
Request deletion of your account and data
Portability
Export your data in a machine-readable format
To exercise any of these rights, please contact us at rishabh.bhatia@rwth-aachen.de
7. Third-Party Services
We use the following third-party services:
- Supabase: Database hosting (EU region)
- Amazon S3: Profile image storage
- Resend: Email notifications
- Microsoft Azure: Application hosting
- Google APIs: OAuth authentication and Calendar synchronization
- Groq: Voice-to-text transcription for task creation (audio processed in real-time, not stored)
- Google Gemini: AI-powered milestone verification (only processes data you explicitly submit for review)
These services have their own privacy policies and we ensure they meet GDPR requirements. We do not sell or share your personal data with advertisers or data brokers.
Voice & AI Processing
- • Voice Input: Audio is sent directly to Groq for transcription. We do not store recordings—they are processed in real-time and immediately discarded.
- • AI Verification: When you request AI review of a milestone, we send only the relevant proof (text/images) to Google Gemini. This data is not used to train AI models.
8. Google User Data
Our application uses Google APIs to provide features such as Google Calendar synchronization.
What we access
If you enable Google Calendar sync, TrackMates access yours basic profile information (email, name) and calendar events. We only request the minimum scopes necessary: https://www.googleapis.com/auth/calendar.events.
How we use it
We use this data only to sync your TrackMates tasks to your Google Calendar and to display your schedule within the app. We do NOT store your full calendar data on our servers; we only store references to the events we create or modify.
Data Protection
Your Google OAuth tokens are encrypted at rest. We do not share your Google User Data with third parties, except as necessary to provide the calendar sync feature (i.e., sending data back to Google).
TrackMates' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
9. Contact Us
If you have questions about this privacy policy or your data, contact us:
Email: rishabh.bhatia@rwth-aachen.de
Response time: Within 48 hours
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will send you an email notification.
By using TrackMates, you agree to this Privacy Policy.