Privacy Policy.
Status: 14.07.2026
The data controller for this website is:
2.1 When visiting the website
When you visit our website, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a log file. The following information is collected automatically and stored until it is automatically deleted:
- —IP address of the requesting computer
- —Date and time of access
- —Name and URL of the retrieved file
- —Website from which access is made (referrer URL)
- —The browser you are using and, if applicable, your computer’s operating system
Legal basis: Article 6(1)(f) of the GDPR
2.2 When placing an order
TrackToPrint can be used without registering or creating a customer account. When you place an order, we collect the following data for the purpose of processing the contract:
- —First and last name
- —Email address
- —Delivery address and, if applicable, billing address
- —Order details (product, format, price, order date)
Legal basis: Article 6(1)(b) of the GDPR
2.3 When creating posters from GPX files
At the heart of our service is the creation of personalised posters from GPX files (GPS Exchange Format). These files usually contain:
- —Geographical coordinates (longitude and latitude) of your activity
- —Timestamps for the individual track points
- —Optional: elevation data, heart rate, cadence and other sports metrics
- —Optional: Name of the activity, date and time
Processed entirely within your browser: The GPX file you have selected will not be uploaded to our servers. The file is parsed and the map visualisation is generated entirely locally in your web browser on your device.
Note regarding location data: GPX files contain detailed movement profiles from which it is possible to deduce a person’s whereabouts, usual routes and, where applicable, their place of residence. As the processing takes place exclusively locally in your browser, this sensitive data remains on your device.
It is only at the moment of ordering that the final, rendered poster is sent to our server as an image file or PDF and forwarded from there directly to our printing service provider. The original GPX file itself does not leave your browser.
Legal basis: Article 6(1)(b) of the GDPR
2.4 When using the Strava integration
As an alternative to manually uploading a GPX file, we offer you the option of linking your Strava account to TrackToPrint. Use of this feature is optional.
Connection process (OAuth 2.0): Once you have given your consent, you will be redirected to Strava for authentication. We will request the following permissions: read and activity:read_all . The following data is stored temporarily:
- —Strava Athlete ID (strava_id)
- —Access token and refresh token
- —Expiry time of the access token
If you select an activity for a poster, the GPS data is temporarily stored under storage/public/gpx/ stored and automatically deleted once processed or after 60 minutes at the latest.
Disconnection: You can disconnect from Strava at any time. This will revoke the token with Strava and delete the fields mentioned. Alternatively, you can do this directly in your Strava account settings.
Legal basis: Article 6(1)(a) of the GDPR (consent), Article 6(1)(b) of the GDPR (performance of a contract)
- —Provision of the TrackToPrint service (poster configuration and creation)
- —Processing of orders, including payment and dispatch
- —Sending transactional emails (order confirmation, dispatch notification, invoice)
- —Communication regarding your order
- —Compliance with statutory retention obligations (in particular Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB))
- —Security, error analysis and service improvement
- — Art. 6 Abs. 1 lit. a DSGVO – Consent (e.g. Strava connection)
- — Art. 6 Abs. 1 lit. b DSGVO – Performance of the contract (provision of the service, order processing)
- — Art. 6 Abs. 1 lit. c DSGVO – Legal obligation (retention requirements)
- — Art. 6 Abs. 1 lit. f DSGVO – Legitimate interest (security, error analysis)
Your personal data will not be disclosed to third parties for any purposes other than those set out below.
Hosting (Hetzner)
Our server infrastructure is operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data processing takes place exclusively in German and Finnish data centres (EU/EEA). Hetzner is ISO 27001 certified.
Data backup (Hetzner Storage Share)
To safeguard the stored data, we carry out automated backups on a daily basis. The backup data is transferred in encrypted form and stored in a Nextcloud storage share provided by Hetzner Online GmbH. Backup files are automatically deleted after 30 days.
Printing and dispatch (Gelato)
For production and dispatch, we use Gelato ASA, Schweigaards gate 33, 0191 Oslo, Norwegen. Gelato is provided with your name, delivery address, email address and the final poster file (PDF). The original GPX data is not sent to Gelato. Norway is part of the EEA.
Map display (Mapbox)
To display the interactive preview, we use Mapbox, Inc., Washington, D.C., USA. When the configurator is launched, your IP address, map sections and browser information are transmitted to Mapbox. Mapbox is certified under the EU-US Data Privacy Framework (DPF).
Email delivery (Brevo)
We use the following to send transactional emails Brevo (Sendinblue GmbH), Köpenicker Straße 126, 10179 Berlin. Brevo processes email addresses and the content of the emails sent exclusively on servers located within the EU.
Payment processing (Mollie)
We use the following payment processing services Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam. Depending on the payment method, Mollie processes your name, email address, billing address and payment-related details. We do not have access to full credit card details.
Error monitoring (Sentry)
To detect technical errors, we use Sentry (EU-Region de.sentry.io). Data processing takes place in data centres within the EU. We use send_default_pii = false — Neither IP addresses nor user IDs are transmitted.
Strava integration
If you use the optional Strava integration, data will be exchanged with Strava, Inc., San Francisco, CA 94103, USA. Strava is certified under the EU-US Data Privacy Framework (DPF). Data will only be transferred once you have given your explicit consent via the OAuth flow. strava.com/legal/privacy
We use technically necessary cookies on our website. We use the following types of cookies:
- — Session cookies: For registration, the shopping basket and use of the configurator (technically necessary)
- — CSRF token: To protect against cross-site request forgery attacks (technically necessary)
- — Cookies from the payment service provider: Mollie may set its own cookies for fraud prevention purposes during the payment process
Legal basis: Section 25(2)(2) of the TDDDG in conjunction with Article 6(1)(f) of the GDPR
You have the following rights in relation to the personal data we hold about you:
- — Right to information (Art. 15 DSGVO)
- — Right to rectification (Art. 16 DSGVO)
- — Right to erasure (Art. 17 DSGVO)
- — Right to restriction of processing (Art. 18 DSGVO)
- — Right to data portability (Art. 20 DSGVO)
- — Right to object (Art. 21 DSGVO)
- — Right to withdraw consent (Art. 7 Abs. 3 DSGVO)
You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin.
During your visit to our website, we use the widely adopted SSL protocol in conjunction with the highest level of encryption supported by your browser. All data is transmitted in encrypted form.
Sensitive data such as Strava tokens is stored in encrypted form in our database. Payment details are entered directly with our payment service provider (Mollie); we do not have access to full credit card or bank account details.
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected or for as long as statutory retention periods apply.
- — Customer details (name, address, email): Order processing time + statutory retention obligations
- — GPX files (uploaded manually): Exclusively in the browser, not on our servers
- — GPX files (generated by Strava): Temporary; deleted after processing, at the latest after 60 minutes
- — Strava OAuth tokens: Duration of the browser session or until the connection is actively terminated
- — Order details and invoices: 10 years in accordance with section 147 of the German Fiscal Code (AO) and section 257 of the German Commercial Code (HGB)
- — Log files: Up to 14 days
- — Error logs (Sentry): A maximum of 90 days
- — Backup data: 30 days
We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will then apply to your next visit.
If you have any questions regarding the collection, processing or use of your personal data, or if you wish to request information, correction, restriction or erasure of data, please contact:
support@tracktoprint.comStatus: 14.07.2026