Trackeno is built by developers for developers. We approach data with the same precision we apply to game mechanics: clear rules, transparent logic, and intentional design. This policy isn’t just legal boilerplate—it’s the technical documentation for how we steward the data that powers your analytics.
We treat data like player telemetry: every signal must have a purpose. We don’t hoard; we sample, aggregate, and anonymize by default.
We capture in-app interactions—level completions, item purchases, session duration—via our SDK. Events are timestamped with millisecond precision and tied to a anonymized user_id that rotates per app install.
Figure: Real-time event stream processing pipeline.
Device model, OS version, network type, and crash logs. This is non-personal data essential for diagnosing stability issues. We never capture IMEI, MAC addresses, or precise GPS coordinates.
For developer accounts, we collect contact information (email, name) and payment details (handled by Stripe, not stored on our servers). For end-users, no persistent accounts are created unless you opt into a service like Leaderboards.
Even with clear documentation, certain data handling mistakes lead to compliance issues or corrupted analytics. Here’s what we see most often.
Feeding email addresses or device IDs into event streams without clear consent.
Fix: Use salted hashes or strictly anonymized IDs. Never mix PII with analytics events.
Not re-affirming consent after major app updates or policy changes.
Fix: Implement a consent management flow (CMP) and log version of consent given.
Pulling raw data logs via API without filtering for a single user's request.
Fix: Use our user-specific export endpoint. It auto-filters and anonymizes other records.
Apple/Google require data usage descriptions in store listings.
Fix: We provide a ready-to-use copy block for your App Privacy section.
Transparency is part of our architecture. Here are the tough questions from developers, investors, and legal teams—answered clearly.
No. We provide analytics infrastructure; the insights belong to the app developer. We do not, and will not, act as a data broker.
Primary servers are in Frankfurt, Germany (AWS). Backups are encrypted and stored in the same region. We do not replicate PII outside the EU.
We are fully GDPR compliant. User requests for access/deletion are handled automatically via our DPO portal with a 30-day SLA.
We can guarantee we follow industry best practices: TLS 1.3, SOC 2 Type II in progress, regular penetration tests. No system is 100% secure, but ours is meticulously maintained.
Raw events: 30 days. Aggregated metrics: 24 months (for trend analysis). You can request shorter retention per your app's needs.
Three people: CTO, Lead DevOps, and our DPO. Access is logged and requires MFA. No contractor access to production data.
Yes. Use our API endpoint `DELETE /v1/users/{user_id}`. This triggers a cascading delete across our event streams and backups. We provide a confirmation hash.
For any questions about this privacy policy, data processing, or to exercise your data rights, contact our Data Protection Officer directly.
Istiklal Caddesi No: 123, Beyoğlu,
Istanbul, Turkey
Mon-Fri: 9:00-18:00 (TRT)
Response Time: We acknowledge all data requests within 24 hours. Complex inquiries may require up to 5 business days for a full response.
