Privacy Policy

Last updated: February 8, 2026

1. Data Controller

The controller of your personal data is:
E-Sence SOFT Paweł Zawadzki
Brwinowska 51b, 05-822 Milanówek, Poland
NIP (Tax ID): 5213203876
Email: info@brasstrack.app

2. What Data We Collect

Account data

Email address, display name, and profile picture (if signing in with Google). Collected during registration via Clerk.

Payment and subscription data

For paid plans, we process transaction and subscription metadata received from Paddle, including: selected plan, subscription status, amount, currency, payment and renewal dates, and transaction/subscription identifiers. BrassTrack does not have access to full payment card details (such as full card number or CVV).

User-generated content

Shooting sessions, firearms, ammunition, maintenance records, and uploaded photos. Stored in Convex.

Automatically collected data

Server logs (IP address, browser type, operating system, timestamps) collected by Vercel. Language preference and basic aggregated website analytics events (Vercel Web Analytics in cookieless mode).

Cookies

We use strictly necessary authentication session cookies (Clerk) and a language preference cookie (lang) on the website. No marketing cookies are used, and Vercel Web Analytics runs on the landing page in cookieless mode (without analytics cookies).

3. Purpose and Legal Basis

• Providing the BrassTrack service — contract performance (Art. 6(1)(b) GDPR)
• Authentication and account management — contract performance
• Storing and displaying your content — contract performance
• Handling payments, subscriptions, and billing — contract performance (Art. 6(1)(b) GDPR)
• Meeting tax and accounting obligations — legal obligation (Art. 6(1)(c) GDPR)
• Security and abuse prevention — legitimate interest (Art. 6(1)(f) GDPR)

4. Data Sharing

We use the following third-party services (sub-processors):

• Clerk (clerk.com) — authentication and user management
• Convex (convex.dev) — database, backend logic, file storage
• Vercel (vercel.com) — application and landing page hosting
• Paddle (paddle.com) — payment processing, subscriptions, and billing (Paddle Privacy Policy)
• Google Fonts — font delivery on the landing page

Sub-processors located outside the EEA, including in the US, operate under Standard Contractual Clauses (SCCs) or equivalent safeguards for EU-US data transfers.

We do not sell your data to third parties. Data may be disclosed if required by Polish or EU law.

5. Data Retention

• Account data and user-generated content: retained while the account is active; deleted within 30 days of an account deletion request.
• Payment and subscription data (transaction metadata): retained for the active account period and for the period required by tax and accounting regulations (typically up to 5 years, where applicable).
• Server logs (Vercel): retained per Vercel's standard policy.
• Authentication data (Clerk): removed upon account deletion.

6. Your Rights

Under GDPR, you have the right to:

• Access your data (Art. 15)
• Rectify incorrect data (Art. 16)
• Erase your data (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)

To exercise any of these rights, contact: info@brasstrack.app.

For data processed directly by Paddle, exercising some rights may require contacting Paddle directly under its own privacy policy: www.paddle.com/legal/privacy.

Account deletion is currently handled via email request.

You also have the right to lodge a complaint with the supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — uodo.gov.pl.

7. Security

• All data is transmitted over HTTPS.
• Passwords are hashed and managed by Clerk — never stored directly by BrassTrack.
• Access to production data is restricted to the administrator.

8. Changes to This Policy

The administrator reserves the right to update this policy. Users will be notified of material changes via an in-app notice.