Tracuto Privacy Policy
Effective date: May 10, 2026
Legal bundle version: 2026-05-10
Controller: KOHA-TECH Sp. z o.o., ul. Nowy Świat 33/13, 00-029 Warszawa, Poland (KRS: 0001183713, NIP: 5253054129, REGON: 542256381, share capital: PLN 5,000)
This Privacy Policy describes how KOHA-TECH Sp. z o.o. (operating under the trade name “Tracuto,” “we,” “us”) processes personal data when you use our website, dashboard, and APIs (the “Service”).
If you are a visitor to a customer’s website that uses Tracuto tracking, that customer’s privacy notice governs collection on that property. We process such data on behalf of our customers as a processor under our Data Processing Agreement.
1. Who we are
Controller: KOHA-TECH Sp. z o.o., ul. Nowy Świat 33/13, 00-029 Warszawa, Poland
KRS: 0001183713 · NIP: 5253054129 · REGON: 542256381 · Share capital: PLN 5,000
Privacy & data protection: [email protected]
Legal correspondence: [email protected]
EU/UK representative: Not applicable — KOHA-TECH Sp. z o.o. is established in the EEA (Poland). We will appoint an Article 27 UK GDPR representative if and when we target UK data subjects.
Data Protection Officer (DPO): A statutory DPO is not currently appointed. We will appoint an independent external DPO if our processing meets the GDPR Article 37(1)(b) threshold and publish their contact here. Until then, all data-protection inquiries should be sent to [email protected].
2. Personal data we process about Dashboard Users and account contacts
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account & profile | Email, name, organization name, password, authentication identifiers | Create and secure accounts; provide the Service | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests (security) |
| Billing | Billing address, plan, payment-processor customer reference, invoice metadata. We do not store full card numbers — payments are handled by our payment processor. | Charge for paid plans; issue invoices | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (tax/accounting) |
| Usage & technical | IP address, device/browser type, timestamps, dashboard pages viewed, diagnostic logs | Operate, secure, debug, and improve the Service | Art. 6(1)(f) legitimate interests; Art. 6(1)(b) contract |
| Support | Messages you send us | Respond to requests | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests |
| Legal acceptance | Version of the Terms / Privacy / DPA bundle you accepted, plus the timestamp of acceptance | Demonstrate consent to the Terms / Privacy / DPA | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation |
We do not sell your dashboard account data to third-party advertisers. Marketing emails (if any) include an opt-out.
3. Customer Data (visitors to our customers’ websites)
When you (the Customer) install the Tracuto script/SDK on your site, we process Customer Data about your visitors on your documented instructions to provide analytics, session replay, heatmaps, funnels, grouping and experimentation. You are responsible for notices, consents, and rights requests toward your visitors, except where we are legally required to act directly. The detailed allocation of responsibilities is in the Data Processing Agreement.
Categories of Customer Data we may process for you (depending on your configuration):
- Online identifiers — cookie/local-storage identifiers, project ingest keys.
- Network metadata — IP address (used for geolocation and security; truncated/pseudonymised where feasible), user-agent string.
- Interaction events — clicks, scrolls, page views, custom events, conversions.
- Session replay payloads — DOM snapshots and mutations, pointer/touch events; input content is masked by default and is captured only where the Customer explicitly disables masking.
- Experiment / A/B test assignments.
Special-category data (Art. 9 GDPR) is not intended to be processed and the Customer must not configure the Service to capture it.
4. Cookies and similar technologies
Tracuto uses only strictly necessary cookies and local storage (login, CSRF protection, session continuity, security, and remembering cookie-banner choice). No third-party advertising or cross-site tracking cookies are set by Tracuto on its own properties.
If we add non-essential analytics or marketing cookies on tracuto.com, we will display a consent banner that complies with Article 5(3) of the ePrivacy Directive (Polish Telecommunications Act and equivalent national rules). You can change or withdraw your choice at any time from a “Cookie preferences” link in the footer.
The tracking script you embed on your own site sets identifiers under your privacy notice and consent layer — those rules are the Customer’s responsibility.
5. How long we keep data
We keep personal data only as long as we need it for the purposes above or as required by law.
| Data | Retention rule (default) |
|---|---|
| Account & profile, organization, project metadata | For the life of the account; deleted within 60 days after account/organization closure, unless law requires longer (e.g. 5 years for Polish accounting/tax records under Ordynacja podatkowa Art. 70 / Ustawa o rachunkowości Art. 74). |
| Billing & invoices | 5 years from the end of the calendar year of the invoice (Polish accounting/tax obligation). |
| Customer Data — events, session replay, heatmaps, funnels | Per your plan: Starter 60 days, Growth 180 days, Professional 365 days, Enterprise — custom. The plan limit is the maximum; under exceptional load the oldest data may be deleted earlier to maintain Service availability. |
| Server / application logs (incl. IP) | 30 days rolling, except entries needed for fraud, abuse, or security investigations. |
| Authentication artefacts (sessions, password-reset tokens, OAuth state) | Deleted on the earlier of expiry or logout / use. |
| Backups | Operational backups are retained for up to 30 days and overwritten on rotation. Personal data inside backups is not indexed for individual deletion; deletion requests are honoured by expiring the backup, not by editing it. |
| Legal-acceptance record | For the life of the account plus 3 years to evidence consent to the Terms / Privacy / DPA. |
If a longer period is required by law (tax, accounting, defence of claims under Polish KC art. 118), we will keep the minimum data needed and isolate it from active processing.
6. Sharing and subprocessors
We use service providers (hosting, payment, email) who process data under written contract and only on our instructions where they act as processors. The current public list is at /subprocessors. Material changes are notified per the DPA (currently 30 days’ prior notice with a right to object on data-protection grounds).
We may disclose information: (a) to comply with law or lawful requests; (b) to protect rights, safety, and security; (c) in connection with a merger or asset sale, with notice where required by law.
7. International transfers
Production processing of Customer Data is performed in the European Economic Area (currently in Germany). Some account-related data is transferred outside the EEA where unavoidable, in particular to our payment processor in the United States. For such transfers we rely on:
- the EU Standard Contractual Clauses (Module Two) issued by the European Commission (Decision (EU) 2021/914), as published by the importer in its DPA;
- where applicable, the UK International Data Transfer Addendum and the Swiss FDPIC adaptation;
- supplementary measures described in the DPA (encryption in transit, contractual confidentiality, audit rights).
We do not rely on a standalone adequacy decision as the sole transfer mechanism without a fallback safeguard.
8. Your rights (EEA/UK/CH and similar jurisdictions)
You may have rights to access, rectify, erase, restrict, port, or object to processing, and to withdraw consent where processing is consent-based.
We do not currently rely on automated decision-making with legal effect within the meaning of Art. 22 GDPR.
You may lodge a complaint with a supervisory authority, in particular the Polish Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa.
How to exercise rights: email [email protected]. We may need to verify your identity. We respond within 30 days, extendable by two further months in complex cases under Art. 12(3) GDPR with notice to you.
9. United States residents — CCPA/CPRA, VCDPA, CPA and similar laws
Where the California Consumer Privacy Act / California Privacy Rights Act applies to California residents whose personal information we process as a business, you have rights to know, delete, correct, and opt out of the sale or sharing of your personal information, as well as to limit the use of sensitive personal information.
- Sale of personal information. We do not “sell” personal information for monetary consideration.
- Sharing for cross-context behavioral advertising. We do not intentionally share personal information for cross-context behavioral advertising. If a future feature changes this, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” mechanism (including Global Privacy Control signal handling) before activation.
- Sensitive personal information. We do not use SPI for inferring characteristics beyond what is strictly necessary to provide the Service.
- Service-provider role. Where we process Customer Data on behalf of a Customer, we act as a service provider / processor and are contractually restricted from selling, sharing, retaining, using, or disclosing that data outside the business purpose specified in the DPA.
- Authorised agents and verification. California residents may submit requests through an authorised agent with written permission. We may verify identity to a level proportionate to the sensitivity of the data.
- Non-discrimination. We will not discriminate against you for exercising any CCPA right.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comparable laws have equivalent rights as far as those laws apply to us. Use the same contact: [email protected].
10. Security
We implement technical and organisational measures appropriate to the risk of the processing, including encryption in transit, access controls, logging, an incident-response procedure and regular reviews. A public summary is at /security. No method of transmission or storage is 100% secure; in the event of a personal data breach, we will notify affected Customers without undue delay as required by Art. 33 GDPR and the DPA.
11. Children
The Service is not directed to children. Customers must not use the Service to collect data from children under the age of digital consent (16 in Poland, lower in some Member States) without an appropriate lawful basis. We do not knowingly collect data from children for our own purposes.
12. Changes
We will post updates here and revise the “Effective date.” Material changes are communicated to active Dashboard Users by email and in-product banner, and at signup the new legal-bundle version must be re-accepted. The previous bundle version remains accessible on request from [email protected].
13. Contact
KOHA-TECH Sp. z o.o. (trade name Tracuto), ul. Nowy Świat 33/13, 00-029 Warszawa, Poland
KRS: 0001183713 · NIP: 5253054129 · REGON: 542256381 · Share capital: PLN 5,000
Privacy & data protection: [email protected]
Legal correspondence: [email protected]