Privacy Policy
Last updated: 29.05.2026
1. Controller
The controller responsible for data processing on this website is:
Jens Freudenau
Eisenacher Straße 66
10823 Berlin
Germany
Email: support@tracktoprint.com
2. Collection and storage of personal data
2.1 When visiting the website
When you access our website, the browser on your device automatically sends information to our website's server. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the retrieved file
- Website from which access is made (referrer URL)
- Browser used and, where applicable, the operating system of your computer
The legal basis is Article 6(1)(f) of the GDPR (legitimate interest in the secure and stable operation of the website).
2.2 When placing an order
TrackToPrint can be used without registering and without creating a customer account. When you place an order, we collect the following data to process the contract:
- First and last name
- Email address
- Delivery address and, where applicable, billing address
- Order details (product, format, price, order date)
The legal basis is Article 6(1)(b) of the GDPR (performance of a contract).
2.3 When creating posters from GPX files
The core of our service is the creation of personalised posters from GPX files (GPS Exchange Format). These files typically contain:
- Geographical coordinates (longitude and latitude) of your activity
- Timestamps for the individual track points
- Optional: elevation data, heart rate, cadence and other sports metrics
- Optional: name of the activity, date and time
Processing exclusively in your browser: The GPX file you select is <strong>not uploaded to our servers</strong>. The file is parsed and the map visualisation is generated entirely locally in your web browser on your device. At no time do we have access to your complete GPX data or the movement profile derived from it.
Note on location data: GPX files contain detailed movement profiles from which whereabouts, habitual routes and, where applicable, your place of residence can be derived. As processing takes place exclusively locally in your browser, this sensitive data remains on your device.
Only at the moment of ordering is the final, rendered poster transmitted to our server as an image file or PDF and forwarded from there directly to our printing service provider (see Section 5 – Gelato). The original GPX file itself does not leave your browser.
When the configurator is opened, technically necessary data is transmitted to the map service Mapbox in order to display the map (see Section 5 – Mapbox).
The legal basis for transmitting the finished poster for order processing is Article 6(1)(b) of the GDPR (performance of a contract).
2.4 When using the Strava integration
As an alternative to manually uploading a GPX file, we offer you the option of connecting your Strava account to TrackToPrint in order to use activities directly from Strava as the basis for your poster. Use of this feature is optional.
Connection process (OAuth 2.0): After you give your consent, you are redirected to Strava for authentication. We request the permissions <code>read</code> and <code>activity:read_all</code> in order to be able to read your activities. After successful authorisation, we receive an access token and a refresh token from Strava. The following data is stored temporarily and linked to your current browser session:
- Strava athlete ID (strava_id)
- Access token and refresh token
- Expiry time of the access token
Retrieving activities: After a successful connection, we retrieve your activity list live via the Strava API (/athlete/activities). This list is not stored permanently but is only held in memory for display in the configurator.
Importing an activity: When you select an activity for a poster, we load the GPS coordinates, timestamps, elevation data and distance values of the selected activity via the Strava Streams API. From this data we generate a GPX file, which is stored <strong>temporarily</strong> under <code>storage/public/gpx/</code>. This file is deleted as soon as your browser has loaded and processed it. In addition, an hourly cron job deletes all Strava GPX files that are older than 60 minutes. The raw JSON data from Strava is never stored persistently.
Further processing then takes place as described in Section 2.3 (map rendering in the browser, transmission of the finished poster when ordering).
Disconnecting: You can disconnect from Strava at any time. When you do so, the token is revoked at Strava (<code>/oauth/deauthorize</code>) and the fields listed above are deleted. Alternatively, you can also revoke access directly in your <a href="https://www.strava.com/settings/apps" target="_blank" rel="noopener">Strava account settings</a>. The connection is also terminated automatically when your browser session expires.
The legal basis for Strava OAuth is Article 6(1)(a) of the GDPR (consent), based on your authorisation during the OAuth flow, and Article 6(1)(b) of the GDPR (performance of a contract) for the subsequent creation of the poster. You may withdraw your consent at any time by disconnecting the service, with effect for the future.
3. Purposes of data processing
We process your personal data for the following purposes:
- Provision of the TrackToPrint service (poster configuration and creation)
- Processing of orders, including payment and dispatch
- Sending transactional emails (order confirmation, dispatch notification, invoice)
- Communication regarding your order
- Compliance with statutory retention obligations (in particular Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB))
- Security, error analysis and service improvement
4. Legal basis
Your data is processed on the following legal grounds:
- Article 6(1)(a) of the GDPR – Consent (e.g. Strava connection)
- Article 6(1)(b) of the GDPR – Performance of the contract (provision of the service, order processing)
- Article 6(1)(c) of the GDPR – Legal obligation (retention requirements)
- Article 6(1)(f) of the GDPR – Legitimate interest (security, error analysis)
5. Disclosure of data to third parties and data processors
Your personal data will not be disclosed to third parties for any purposes other than those set out below.
Hosting (Hetzner)
Our server infrastructure is operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
Personal data is processed exclusively in German and Finnish data centres, i.e. within the EU or the EEA. Processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR. Hetzner is certified to ISO 27001 (information security).
The legal basis for Hetzner is Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(f) of the GDPR (legitimate interest in the secure operation of the service). Further information: https://www.hetzner.com/de/legal/privacy-policy
Data backup (Hetzner Storage Share)
To safeguard the stored data, we carry out automated backups on a daily basis. The backup data is transmitted in encrypted form and stored in a Nextcloud storage share provided by Hetzner Online GmbH. The data is stored exclusively in data centres in Germany and Finland.
The backups are used solely for the purpose of data recovery in the event of data loss and are not used for any other purpose. Backup files are automatically deleted after 30 days. The legal basis for this is Article 6(1)(f) of the GDPR (legitimate interest in data security).
Printing and dispatch (Gelato)
We use the print-on-demand service Gelato (Gelato ASA, Schweigaards gate 33, 0191 Oslo, Norway) to produce and dispatch the posters you have ordered.
The following data is transmitted to Gelato for order processing:
- Recipient's name and delivery address
- Email address (for shipping notifications)
- Order details (format, material, quantity)
- The final poster file (PDF)
The original GPX data is not transmitted to Gelato. Gelato produces the posters at regional printing centres within the EU, where logistically possible. Norway is part of the EEA; transfers are subject to the same level of data protection as within the EU.
The legal basis for Gelato is Article 6(1)(b) of the GDPR (performance of a contract). Processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR. Further information: https://www.gelato.com/legal/privacy-policy
Map display (Mapbox)
We use the map service Mapbox (Mapbox, Inc., 740 15th Street NW, 5th Floor, Washington, D.C. 20005, USA) to display the interactive preview in the poster configurator.
When the configurator is launched, map tiles are loaded from Mapbox servers. In doing so, technically necessary data is transmitted to Mapbox, in particular:
- IP address
- Requested map sections (coordinates of the displayed region)
- Browser and device information (user agent)
Mapbox is certified under the EU-US Data Privacy Framework (DPF), which ensures an adequate level of data protection for transfers to the US in accordance with Article 45 of the GDPR. In addition, standard data protection clauses are in place in accordance with Article 46(2)(c) of the GDPR.
The legal basis for Mapbox is Article 6(1)(f) of the GDPR (legitimate interest in providing a functional map display) and Article 6(1)(b) of the GDPR when using the configurator as part of an order. Further information: https://www.mapbox.com/legal/privacy
Email delivery (Brevo)
We use the service Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany) to send transactional emails (e.g. order confirmations, dispatch notifications).
For this purpose, Brevo processes email addresses and the content of the emails sent (e.g. the recipient’s name, order details). This processing takes place exclusively on servers located within the EU.
The legal basis for Brevo is Article 6(1)(b) of the GDPR (performance of a contract). Processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR. The data processing agreement is available as an annex to Brevo’s Terms of Use: https://www.brevo.com/legal/termsofuse/#annex
Payment processing (Mollie)
We use the service Mollie (Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands) to process payments.
Depending on the payment method selected (e.g. SEPA direct debit, Sofortüberweisung, PayPal, credit card), Mollie processes your name, email address, billing address and the data required for the respective payment method. Sensitive payment details are entered directly with Mollie; we do not have access to full credit card details. Data processing takes place within the EU.
The legal basis for Mollie is Article 6(1)(b) of the GDPR (performance of a contract). Processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR. Further information: https://www.mollie.com/de/privacy
Error monitoring (Sentry)
We use the service Sentry (Functional Software, Inc., trading as Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) to identify and resolve technical issues.
We use only Sentry’s EU region (de.sentry.io). Error data is processed and stored in data centres within the European Union. Under normal circumstances, no data is transferred to the USA.
Sentry automatically collects technical information when an error occurs in our application. This includes, in particular:
- Technical error message and stack trace
- URL of the page accessed
- Browser and device information (user agent)
- Time stamp of the error
We have configured Sentry so that no personal data is collected by default (option send_default_pii = false). In particular, neither the user’s IP address, nor logged-in user IDs, nor the contents of cookies or request bodies are transmitted to Sentry.
The legal basis for Sentry is Article 6(1)(f) of the GDPR (legitimate interest in a stable and error-free application). Processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR. Further information: https://sentry.io/privacy/
Strava integration
If you use the optional Strava integration, data will be exchanged with Strava, Inc., 3rd Floor, 208 Utah Street, San Francisco, CA 94103, USA.
Strava acts as an independent data controller for data processing within its platform; you yourself have a direct contractual relationship with Strava and have agreed to its own privacy policy. The following data is exchanged as part of the integration:
- From us to Strava: OAuth authentication requests using our client ID
- From Strava to us: Strava Athlete ID, access/refresh token, list of your activities and – for the selected activity – GPS coordinates, timestamps, elevation and distance data
Data will only be transferred to Strava once you have given your explicit consent during the OAuth flow. Strava processes the data in the USA. Strava is certified under the EU-US Data Privacy Framework (DPF), which ensures an adequate level of data protection for transfers to the US in accordance with Article 45 of the GDPR.
The legal basis for the Strava integration is Article 6(1)(a) of the GDPR (consent). You can withdraw this consent at any time by disconnecting the link in the configurator or by revoking access directly in your Strava settings.
Further information on data protection at Strava: https://www.strava.com/legal/privacy
6. Cookies
We use cookies on our website. These are small files that your browser automatically creates and stores on your device. Cookies do not cause any damage to your device and do not contain any viruses.
We use the following types of cookies:
- Session cookies: For registration, the shopping basket and use of the configurator (technically necessary)
- CSRF token: To protect against cross-site request forgery attacks (technically necessary)
- Cookies from the payment service provider: Mollie may set its own cookies for fraud prevention purposes during the payment process
The legal basis for technically necessary cookies is Section 25(2)(2) of the TDDDG in conjunction with Article 6(1)(f) of the GDPR.
7. Your rights
You have the following rights in relation to the personal data we hold about you:
- Right to information (Article 15 of the GDPR)
- Right to rectification (Article 16 of the GDPR)
- Right to erasure (Article 17 of the GDPR)
- Right to restriction of processing (Article 18 of the GDPR)
- Right to data portability (Article 20 of the GDPR)
- Right to object (Article 21 of the GDPR)
- Right to withdraw consent (Article 7(3) of the GDPR)
You also have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. The supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
8. Data security
During your visit to our website, we use the widely adopted SSL (Secure Sockets Layer) protocol in conjunction with the highest level of encryption supported by your browser. All data is transmitted in encrypted form.
Sensitive data such as Strava tokens is stored in encrypted form in our database. Payment details are entered exclusively via our payment service provider (see Section 5 – Mollie); we ourselves do not have access to full credit card or bank account details.
9. Retention period
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected or for as long as statutory retention periods apply.
- Customer details (name, address, email): for the purposes of order processing and for the duration of the statutory retention periods
- GPX files (uploaded manually): are processed exclusively in the user’s browser and are not stored on our servers
- GPX files (generated from Strava): stored temporarily; deleted after processing by the browser, or at the latest after 60 minutes via an hourly cron job
- Strava OAuth tokens: only for the duration of the browser session or until the user actively disconnects
- Rendered poster files: are transmitted to Gelato for order processing and retained as part of the order documentation in accordance with commercial law retention requirements
- Order details and invoices: 10 years in accordance with section 147 of the German Fiscal Code (AO) and section 257 of the German Commercial Code (HGB)
- Log files: usually a maximum of 14 days
- Error logs (Sentry): up to 90 days
- Backup data: 30 days
Once the relevant period has expired, the data will be deleted, provided there are no further legal obligations to retain it.
10. Changes to this privacy policy
We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will then apply to your next visit.
11. Contact
If you have any questions regarding the collection, processing or use of your personal data, or if you wish to request information, correction, restriction or erasure of data, please contact:
Email: support@tracktoprint.com