Last updated: 28 April 2026.
This policy explains what personal data ZTrack collects, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and equivalent regimes (UK GDPR, California CCPA). It applies to the ZTrack website (ztrack.fr), the ZTrack API (api.ztrack.fr) and the ZTrack desktop application across Windows, macOS and Linux.
The data controller for personal data processed through ZTrack is the operator of the ZTrack project, contactable at contact@ztrack.fr. For the purposes of GDPR Article 27, this email is the single point of contact for data-protection enquiries, including subject access requests, rectification requests and erasure requests.
If you create an account we store: email address, hashed password (Argon2id, never plain text), display name, account type (Standard or Business), and the timestamps of account creation and last login. We additionally store any business-account fields you provide (company name, billing email, VAT number, billing address). Legal basis: performance of contract (GDPR Art. 6(1)(b)).
When you activate a paid plan on a device we record the machine hostname, operating system and version, CPU model, RAM amount and a salted machine fingerprint. This is used to enforce per-seat limits and to let you self-deactivate a device. Legal basis: legitimate interest in preventing license abuse (GDPR Art. 6(1)(f)). You can clear all device data by signing out, which also removes the fingerprint server-side after a 3-hour cooldown.
Payments are processed by Stripe Payments Europe Ltd. (Stripe). We never see or store your full card number; Stripe returns to us only a customer ID, a subscription ID, the amount, the currency and the billing country (used by Stripe Tax for EU VAT). Stripe's privacy policy at stripe.com/privacy describes their handling. Legal basis: performance of contract (GDPR Art. 6(1)(b)) and legal obligation for tax records (GDPR Art. 6(1)(c)).
The API logs every request with: timestamp, HTTP method, path, status code, response time, X-Request-Id, IP address (truncated to /24 for IPv4 and /48 for IPv6 after 7 days) and user agent. Logs are retained for 30 days for security forensics, then deleted. Legal basis: legitimate interest in operating the service securely (GDPR Art. 6(1)(f)).
Every transactional email we send (verification, password reset, purchase receipt, refund notification, deletion confirmation, data-export readiness) is recorded in a sent-emails log with the recipient address, message ID, send status and any error message. Retained for 90 days, then deleted. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
We do not use Google Analytics, Plausible, Umami or any third-party analytics on this website. The admin panel computes its own internal usage statistics from API logs and database aggregates — none of these statistics leave our infrastructure. There are no tracking cookies on the marketing site.
If we enable Google AdSense on the marketing site or in the desktop application's free-plan pre-roll, Google may set cookies and read device identifiers to serve and measure ads. Google is an independent data controller for these processes; their handling is described at policies.google.com/technologies/ads. EU/UK/CH visitors see a consent prompt before any AdSense cookie is set, in compliance with the e-Privacy Directive and the IAB TCF v2.2 framework. Personalised advertising is opt-in; declining still shows ads but only contextual ones. Legal basis: consent (GDPR Art. 6(1)(a)) for personalised ads, legitimate interest (GDPR Art. 6(1)(f)) for non-personalised contextual ads.
The marketing site uses one strictly necessary cookie group: a session-token cookie set after sign-in (httpOnly, Secure, SameSite=Lax, 24-hour TTL) and a refresh-token cookie (httpOnly, Secure, SameSite=Lax, 30-day TTL). These are essential for authentication and are exempt from prior consent under the e-Privacy Directive. If AdSense is enabled, Google sets additional advertising cookies — those are subject to consent as described in section 2.7 above.
You have the right to: access (request a copy of all personal data we hold about you), rectify (correct inaccurate data), erase (delete your account and associated data), restrict processing, port your data (machine-readable export) and object to processing based on legitimate interest. Exercise any of these rights by emailing contact@ztrack.fr; we respond within 30 days. You also have the right to lodge a complaint with your national data-protection authority (in France, the CNIL at cnil.fr).
Personal data is stored on EU-based infrastructure (OVHcloud, France). When sub-processors are based outside the EEA (e.g. Google for AdSense), transfers rely on the EU-US Data Privacy Framework or, where the framework does not apply, the European Commission's Standard Contractual Clauses.
Material changes are announced 30 days in advance via email to active subscribers and a banner on the marketing site. The "Last updated" date at the top of this page reflects the latest revision.