Track To Print
Legal

Privacy Policy.

Status: 14.07.2026

01 — Data controller

The data controller for this website is:

Jens Freudenau

Eisenacher Straße 66

10823 Berlin, Germany

E-Mail: support@tracktoprint.com

02 — Collection and storage of personal data

2.1 When visiting the website

When you visit our website, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a log file. The following information is collected automatically and stored until it is automatically deleted:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • The browser you are using and, if applicable, your computer’s operating system

Legal basis: Article 6(1)(f) of the GDPR

2.2 When placing an order

TrackToPrint can be used without registering or creating a customer account. When you place an order, we collect the following data for the purpose of processing the contract:

  • First and last name
  • Email address
  • Delivery address and, if applicable, billing address
  • Order details (product, format, price, order date)

Legal basis: Article 6(1)(b) of the GDPR

2.3 When creating posters from GPX files

At the heart of our service is the creation of personalised posters from GPX files (GPS Exchange Format). These files usually contain:

  • Geographical coordinates (longitude and latitude) of your activity
  • Timestamps for the individual track points
  • Optional: elevation data, heart rate, cadence and other sports metrics
  • Optional: Name of the activity, date and time

Processed entirely within your browser: The GPX file you have selected will not be uploaded to our servers. The file is parsed and the map visualisation is generated entirely locally in your web browser on your device.

Note regarding location data: GPX files contain detailed movement profiles from which it is possible to deduce a person’s whereabouts, usual routes and, where applicable, their place of residence. As the processing takes place exclusively locally in your browser, this sensitive data remains on your device.

It is only at the moment of ordering that the final, rendered poster is sent to our server as an image file or PDF and forwarded from there directly to our printing service provider. The original GPX file itself does not leave your browser.

Legal basis: Article 6(1)(b) of the GDPR

2.4 When using the Strava integration

As an alternative to manually uploading a GPX file, we offer you the option of linking your Strava account to TrackToPrint. Use of this feature is optional.

Connection process (OAuth 2.0): Once you have given your consent, you will be redirected to Strava for authentication. We will request the following permissions: read and activity:read_all . The following data is stored temporarily:

  • Strava Athlete ID (strava_id)
  • Access token and refresh token
  • Expiry time of the access token

If you select an activity for a poster, the GPS data is temporarily stored under storage/public/gpx/ stored and automatically deleted once processed or after 60 minutes at the latest.

Disconnection: You can disconnect from Strava at any time. This will revoke the token with Strava and delete the fields mentioned. Alternatively, you can do this directly in your Strava account settings.

Legal basis: Article 6(1)(a) of the GDPR (consent), Article 6(1)(b) of the GDPR (performance of a contract)

03 — Purposes of data processing
  • Provision of the TrackToPrint service (poster configuration and creation)
  • Processing of orders, including payment and dispatch
  • Sending transactional emails (order confirmation, dispatch notification, invoice)
  • Communication regarding your order
  • Compliance with statutory retention obligations (in particular Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB))
  • Security, error analysis and service improvement
04 — Legal basis
  • Art. 6 Abs. 1 lit. a DSGVO – Consent (e.g. Strava connection)
  • Art. 6 Abs. 1 lit. b DSGVO – Performance of the contract (provision of the service, order processing)
  • Art. 6 Abs. 1 lit. c DSGVO – Legal obligation (retention requirements)
  • Art. 6 Abs. 1 lit. f DSGVO – Legitimate interest (security, error analysis)
05 — Disclosure of data to third parties and data processors

Your personal data will not be disclosed to third parties for any purposes other than those set out below.

Hosting (Hetzner)

Our server infrastructure is operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data processing takes place exclusively in German and Finnish data centres (EU/EEA). Hetzner is ISO 27001 certified.

Art. 6 Abs. 1 lit. b + f DSGVO https://www.hetzner.com/de/legal/privacy-policy

Data backup (Hetzner Storage Share)

To safeguard the stored data, we carry out automated backups on a daily basis. The backup data is transferred in encrypted form and stored in a Nextcloud storage share provided by Hetzner Online GmbH. Backup files are automatically deleted after 30 days.

Art. 6 Abs. 1 lit. f DSGVO

Printing and dispatch (Gelato)

For production and dispatch, we use Gelato ASA, Schweigaards gate 33, 0191 Oslo, Norwegen. Gelato is provided with your name, delivery address, email address and the final poster file (PDF). The original GPX data is not sent to Gelato. Norway is part of the EEA.

Art. 6 Abs. 1 lit. b DSGVO https://www.gelato.com/legal/privacy-policy

Map display (Mapbox)

To display the interactive preview, we use Mapbox, Inc., Washington, D.C., USA. When the configurator is launched, your IP address, map sections and browser information are transmitted to Mapbox. Mapbox is certified under the EU-US Data Privacy Framework (DPF).

Art. 6 Abs. 1 lit. f + b DSGVO https://www.mapbox.com/legal/privacy

Email delivery (Brevo)

We use the following to send transactional emails Brevo (Sendinblue GmbH), Köpenicker Straße 126, 10179 Berlin. Brevo processes email addresses and the content of the emails sent exclusively on servers located within the EU.

Payment processing (Mollie)

We use the following payment processing services Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam. Depending on the payment method, Mollie processes your name, email address, billing address and payment-related details. We do not have access to full credit card details.

Art. 6 Abs. 1 lit. b DSGVO https://www.mollie.com/de/privacy

Error monitoring (Sentry)

To detect technical errors, we use Sentry (EU-Region de.sentry.io). Data processing takes place in data centres within the EU. We use send_default_pii = false — Neither IP addresses nor user IDs are transmitted.

Art. 6 Abs. 1 lit. f DSGVO https://sentry.io/privacy/

Strava integration

If you use the optional Strava integration, data will be exchanged with Strava, Inc., San Francisco, CA 94103, USA. Strava is certified under the EU-US Data Privacy Framework (DPF). Data will only be transferred once you have given your explicit consent via the OAuth flow. strava.com/legal/privacy

Art. 6 Abs. 1 lit. a DSGVO
06 — Cookies

We use technically necessary cookies on our website. We use the following types of cookies:

  • Session cookies: For registration, the shopping basket and use of the configurator (technically necessary)
  • CSRF token: To protect against cross-site request forgery attacks (technically necessary)
  • Cookies from the payment service provider: Mollie may set its own cookies for fraud prevention purposes during the payment process

Legal basis: Section 25(2)(2) of the TDDDG in conjunction with Article 6(1)(f) of the GDPR

07 — Your rights

You have the following rights in relation to the personal data we hold about you:

  • Right to information (Art. 15 DSGVO)
  • Right to rectification (Art. 16 DSGVO)
  • Right to erasure (Art. 17 DSGVO)
  • Right to restriction of processing (Art. 18 DSGVO)
  • Right to data portability (Art. 20 DSGVO)
  • Right to object (Art. 21 DSGVO)
  • Right to withdraw consent (Art. 7 Abs. 3 DSGVO)

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin.

08 — Data security

During your visit to our website, we use the widely adopted SSL protocol in conjunction with the highest level of encryption supported by your browser. All data is transmitted in encrypted form.

Sensitive data such as Strava tokens is stored in encrypted form in our database. Payment details are entered directly with our payment service provider (Mollie); we do not have access to full credit card or bank account details.

09 — Retention period

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected or for as long as statutory retention periods apply.

  • Customer details (name, address, email): Order processing time + statutory retention obligations
  • GPX files (uploaded manually): Exclusively in the browser, not on our servers
  • GPX files (generated by Strava): Temporary; deleted after processing, at the latest after 60 minutes
  • Strava OAuth tokens: Duration of the browser session or until the connection is actively terminated
  • Order details and invoices: 10 years in accordance with section 147 of the German Fiscal Code (AO) and section 257 of the German Commercial Code (HGB)
  • Log files: Up to 14 days
  • Error logs (Sentry): A maximum of 90 days
  • Backup data: 30 days
10 — Changes to this privacy policy

We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will then apply to your next visit.

11 — Contact

If you have any questions regarding the collection, processing or use of your personal data, or if you wish to request information, correction, restriction or erasure of data, please contact:

support@tracktoprint.com

Status: 14.07.2026