Privacy Policy

How thermotrack.io collects, uses and protects your personal data — and your rights under global privacy law.

✓ GDPR Compliant ✓ CCPA Compliant ✓ PDPA Compliant ✓ LGPD Compliant ✓ PIPA Compliant
Last updated: 17 May 2026  ·  Effective: 17 May 2026

1. Who We Are

thermotrack.io Ltd ("thermotrack.io", "we", "us", or "our") operates the website thermotrack.io and the thermotrack.io mobile and web application (together, the "Service"). We provide wireless temperature monitoring solutions for businesses, healthcare providers, logistics operators, and individuals worldwide.

For the purposes of applicable data protection legislation, thermotrack.io Ltd is the data controller of the personal data described in this policy.

2. Scope & Jurisdictions

This policy applies globally to all users of the Service, wherever located. We have specifically designed our practices to meet or exceed the requirements of the following frameworks:

GDPR / UK GDPR European Union & United Kingdom — Regulation (EU) 2016/679
CCPA / CPRA California, USA — California Consumer Privacy Act & Privacy Rights Act
PDPA (Thailand) Personal Data Protection Act B.E. 2562 (2019)
PDPA (Malaysia) Personal Data Protection Act 2010
PDP Law (Indonesia) Undang-Undang Perlindungan Data Pribadi 2022
LGPD (Brazil) Lei Geral de Proteção de Dados Pessoais (Law 13,709/2018)
Privacy Act (Australia) Australian Privacy Act 1988 & Australian Privacy Principles
Cybersecurity Law (Vietnam) Decree 13/2023/ND-CP on personal data protection
BDSG (Germany) Bundesdatenschutzgesetz — national supplement to GDPR

If there is a conflict between this policy and a specific regional requirement that grants you stronger rights, the regional requirement prevails in your jurisdiction.

3. Data We Collect

3.1 Data you provide directly

  • Account data: your name, email address, and password (hashed) when you register.
  • Business data: company name, billing address, and VAT / tax number (for invoicing).
  • Payment data: processed by our PCI-DSS-certified payment provider (Stripe). We never store full card numbers.
  • Contact form submissions: name, email, and the message content you send us.
  • Support communications: emails, chat transcripts, and attachments you share when seeking help.

3.2 Data collected automatically

  • Sensor telemetry: temperature and humidity readings, sensor ID, timestamp, and gateway ID transmitted by your thermotrack.io hardware.
  • Device & usage data: IP address, browser type, operating system, pages visited, feature interactions, and session duration.
  • Log data: server access logs, error logs, and API request logs retained for security and debugging (rolling 30-day window).
  • Location data: approximate location inferred from IP address (country / city level only). We do not use GPS or precise location.

3.3 Data from third parties

  • If you sign in via Google or Apple OAuth, we receive your name and verified email address from that provider. We do not request access to any other account data.
  • Fraud-detection signals provided by our payment processor (Stripe Radar).

4. Legal Basis for Processing (GDPR / UK GDPR)

For users in the EU, UK, and other jurisdictions requiring a legal basis, we process your personal data under the following grounds:

  • Contract performance (Art. 6(1)(b)): to create and manage your account, deliver temperature monitoring services, process payments, and provide customer support.
  • Legitimate interests (Art. 6(1)(f)): to prevent fraud, improve the Service, send transactional emails, maintain security logs, and conduct aggregate analytics. Our interests are balanced against your privacy rights.
  • Consent (Art. 6(1)(a)): to send marketing emails (opt-in only), place non-essential cookies, and process any sensitive data categories. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with tax law, respond to lawful government requests, and meet our obligations under applicable regulations.

5. How We Use Your Data

  • Providing, operating, and maintaining the thermotrack.io Service.
  • Sending real-time temperature alerts and scheduled reports to you.
  • Processing payments and issuing invoices.
  • Responding to your support requests and enquiries.
  • Sending transactional emails (account activation, password reset, billing receipts).
  • Sending marketing communications — only where you have opted in, with an unsubscribe link in every message.
  • Improving the Service through aggregate, anonymised usage analytics.
  • Detecting and preventing fraud, abuse, and security incidents.
  • Complying with legal obligations and responding to lawful authority requests.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients, and only to the extent necessary:

  • Cloud infrastructure providers (e.g., AWS, Cloudflare) — hosting and content delivery under data processing agreements.
  • Payment processor (Stripe) — billing and fraud prevention.
  • Email delivery (e.g., Postmark) — transactional and alert emails.
  • Analytics — privacy-respecting, cookieless aggregate analytics only; no personal identifiers shared.
  • Legal authorities — where required by applicable law, court order, or to protect the rights, property, or safety of thermotrack.io or our users. We will notify you of such requests unless prohibited from doing so by law.
  • Business transfers — if thermotrack.io is acquired or merges, your data may transfer to the successor entity under equivalent or stronger privacy protections. You will be notified in advance.

All third-party processors are bound by data processing agreements (DPAs) requiring them to process data only on our instructions and to maintain appropriate security measures.

7. International Data Transfers

Our primary servers are located within the European Union. When data is transferred to a country not recognised by the European Commission as providing adequate protection (e.g., to our US-based processors), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
  • UK International Data Transfer Agreements (IDTAs) for transfers from the UK.
  • Adequacy decisions where applicable.

A copy of the applicable safeguards is available on request by emailing hello@thermotrack.io.

8. Data Retention

  • Temperature & sensor data: retained for the life of your subscription plus 90 days after cancellation, then permanently and irreversibly deleted.
  • Account data: retained while your account is active. Deleted within 30 days of a verified deletion request or account closure.
  • Billing records: retained for 7 years to comply with financial and tax legislation (legal obligation — not subject to right of erasure during this period).
  • Security & server logs: rolling 30-day window, then automatically purged.
  • Support correspondence: retained for 3 years after the case is closed, then deleted.
  • Marketing consent records: retained until you withdraw consent, plus 3 years as evidence of compliance.

9. Your Privacy Rights

Depending on your location, you have some or all of the following rights. We honour all of them regardless of jurisdiction:

Your Rights at a Glance

👁
Access
Receive a copy of all personal data we hold about you.
✏️
Rectification
Correct inaccurate or incomplete personal data.
🗑️
Erasure ("Right to be Forgotten")
Request permanent deletion of your personal data.
⏸️
Restriction
Temporarily restrict processing while a dispute is resolved.
📦
Portability
Receive your data in a machine-readable format (JSON/CSV).
🚫
Objection
Object to processing based on legitimate interests or for direct marketing.
↩️
Withdraw Consent
Revoke consent at any time without affecting prior processing.
🤖
No Automated Decisions
We do not make solely automated decisions affecting you. You may request human review.

California (CCPA / CPRA) additional rights

California residents may also: opt out of the sale or sharing of personal information (we do not sell data); limit the use of sensitive personal information; and appoint an authorised agent to exercise rights on their behalf.

Thai (PDPA) residents

Under Thailand's PDPA you have the right to withdraw consent, object to processing, and request erasure. Requests are processed within 30 days. You may also lodge a complaint with Thailand's Personal Data Protection Committee (PDPC).

Malaysian (PDPA 2010) residents

You have the right to access, correct, and limit the processing of your personal data. Requests are handled within 21 days.

How to exercise your rights

Submit a request by emailing hello@thermotrack.io or using the deletion form below. We will respond within 30 days (or within any shorter period required by applicable law). We may ask you to verify your identity before fulfilling your request to protect against unauthorised access.

If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, the CNIL in France, the BfDI in Germany, or the relevant DPA in your EU member state).

10. Data Deletion Requests

We will delete your data promptly and permanently on request. This is an unconditional right — you do not need to provide a reason.

Request Data Deletion

Email us from the address associated with your account. We will confirm receipt within 2 business days, complete deletion within 30 days, and send you written confirmation when done. Billing records required by law (7-year tax retention) are the only exception.

Send Deletion Request

What happens when you delete your account

  • All temperature sensor readings are permanently wiped from our servers within 30 days.
  • Your name, email address, and account profile are deleted within 30 days.
  • Your data is removed from backups as those backups cycle (within 90 days of deletion).
  • Any shared access tokens issued to third parties are immediately revoked.
  • Billing records are retained for 7 years as required by financial law, but cannot be linked back to your identity after account deletion.

11. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service and (with your consent) to understand how it is used. You can manage your preferences at any time using the Cookie Settings link.

We do not use advertising cookies, third-party tracking pixels, or sell behavioural advertising data. Our analytics are privacy-preserving and do not create individual user profiles.

12. Children's Privacy

The Service is not directed to children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently received data from a child under the applicable age, please contact hello@thermotrack.io and we will delete it promptly.

13. Security

We implement industry-standard technical and organisational security measures including:

  • Encryption in transit: TLS 1.3 for all data between your device and our servers.
  • Encryption at rest: AES-256 for all stored data and database backups.
  • Access controls: role-based access, multi-factor authentication for staff, principle of least privilege.
  • Penetration testing: conducted at least annually by an independent third party.
  • Incident response: we will notify affected users and relevant supervisory authorities of any data breach within 72 hours of discovery, as required by GDPR and equivalent laws.
  • Data minimisation: we collect and store only what is necessary to operate the Service.

No transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to hello@thermotrack.io.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our business, or our data practices. We will notify you of material changes by:

  • Sending an email to the address associated with your account at least 30 days before the change takes effect.
  • Displaying a prominent notice on the thermotrack.io website and in the app.

The "Last updated" date at the top of this page reflects the date of the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account and request deletion of your data.

15. Contact Us & Data Protection Officer

For any questions, concerns, or rights requests relating to this Privacy Policy or your personal data, please contact us:

  • Email (general privacy): hello@thermotrack.io
  • Email (security issues): hello@thermotrack.io
  • Data Controller: thermotrack.io Ltd
  • Registered address: Available on request to verified users and supervisory authorities.

If you are located in the EU or UK and wish to escalate an unresolved complaint, you have the right to contact your local data protection supervisory authority. A list of EU DPAs is available at edpb.europa.eu.