Verifiable information

Trust & Security

For a financial app used in Europe, "we take your privacy seriously" isn't enough. This page lists the exact infrastructure we use, where your data is stored, what certifications apply, and what that means for you under GDPR.

1. Infrastructure & Sub-processors

TrackFi does not run its own servers. We use three established cloud providers, each with documented compliance programmes. Below are the technical facts for each.

Firebase — Google Cloud

Database (Firestore) · Authentication (Google OAuth)

Data stored

Account data (name, email, profile picture, Google ID) and all financial data you enter (transactions, accounts, categories, goals).

Storage location

United States (Google Cloud multi-region)

EU/UK transfer mechanism

Standard Contractual Clauses (SCCs) — Commission Decision 2021/914

Certifications

ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS

Google's privacy policy

policies.google.com/privacy

Google Cloud compliance docs

cloud.google.com/security/compliance

Vercel

Application Hosting · Edge Delivery

Data processed

Technical data only: IP address, browser headers, request metadata — the minimum needed to serve the application.

Infrastructure location

United States (primary), with edge nodes globally

EU/UK transfer mechanism

Standard Contractual Clauses (SCCs)

Certifications

SOC 2 Type II (security, availability, confidentiality)

Vercel's privacy policy

vercel.com/legal/privacy-policy

Stripe

Payment Processing

Data processed

Payment card details, billing address, and subscription status. TrackFi never receives or stores your full card number, CVV, or raw payment credentials.

Infrastructure location

United States and Europe (Stripe manages regional routing)

EU/UK transfer mechanism

Standard Contractual Clauses (SCCs) · Stripe's EU data residency programme

Certifications

PCI DSS Level 1 (the highest tier for payment processors)

Stripe's privacy policy

stripe.com/privacy

2. Data Security

Encryption in transit

TLS 1.2+ enforced on all connections between your browser, Vercel, and Firebase.

Encryption at rest

All data stored in Firebase Firestore is encrypted at rest by Google using AES-256.

Authentication

Google OAuth 2.0 only — TrackFi never stores or handles your Google password.

Bank credentials

Never requested or stored. TrackFi uses manual entry and CSV import — there is no bank connection.

Payment credentials

Never stored by TrackFi. Stripe handles all card data in a PCI-compliant environment.

Data selling

Never. Your data is not sold, rented, or shared with third parties for advertising.

3. GDPR Compliance (EU / UK)

TrackFi is the data controller for personal data processed through the Service. We comply with the General Data Protection Regulation (EU 2016/679) and the UK GDPR.

Legal bases

Contract performance (Art. 6(1)(b)) for core features · Legitimate interests (Art. 6(1)(f)) for analytics and security · Legal obligation (Art. 6(1)(c)) for record-keeping · Consent (Art. 6(1)(a)) for optional marketing.

International transfers

All three sub-processors (Google, Vercel, Stripe) operate under Standard Contractual Clauses (SCCs) approved by the European Commission, which provide the appropriate safeguards required for transfers of personal data outside the EEA.

Data retention

Account and financial data: retained until account deletion. Billing records: 7 years (tax law). Analytics: up to 26 months. Security logs: up to 12 months.

Your rights

Access · Rectification · Erasure · Restriction · Portability · Objection. Exercise any right via our contact form.

Supervisory authority

You may lodge a complaint with your national data protection authority (e.g. CNIL, BfDI, ICO, DPC) if you believe your rights have been violated.

4. Controls Available to You

Export your data

All financial records can be exported as CSV directly from the dashboard at any time.

Delete your account

To request account deletion, please use the contact form on the homepage. All personal and financial data will be removed within 30 days. Billing records are retained for 7 years as required by law.

Contact us

Contact form on the homepage. We respond to all privacy requests within 30 days, as required by GDPR.

Related documents

Full Privacy Policy

Complete legal document covering all GDPR, LGPD, and CCPA obligations.

Terms of Service

Rules governing use of the TrackFi platform.