Privacy Policy (Datenschutzerklärung)
How ZeroTrace collects, uses, and protects personal data under the GDPR (Art. 13), including dashboard accounts, hardware sales, and data retention.
1. Overview
This Privacy Policy explains how ZeroTrace (Selda Karakus, Köln, Germany) collects, uses, and protects personal data when you visit our website, use the dashboard, or purchase ZeroTrace hardware and firmware.
The controller within the meaning of Art. 4 No. 7 GDPR is ZeroTrace, Alte Brühler Straße 127, 50997 Köln, Germany, admin@zerotrace.pw.
2. Who This Applies To
- Visitors browsing zerotrace.one or zerotrace.pw subdomains
- Dashboard users with an account on our authenticated services
- Customers purchasing hardware, firmware, or licenses
- Support contacts communicating with us by email
3. Children
ZeroTrace is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can remove it.
4. Data We Collect
- Account data: email, username, hashed password, session tokens
- Order data: billing/shipping address, order history, invoice numbers
- Payment data: processed by Stripe; we only receive a payment confirmation, never card details
- Support data: messages, attachments, and logs you choose to share
- Technical data: IP address, user agent, timestamps, abuse-detection signals, rate-limit logs
5. Legal Bases (Art. 6 GDPR)
- Art. 6(1)(b) — performance of a contract (orders, accounts, licensing)
- Art. 6(1)(c) — legal obligations (tax law, packaging law, etc.)
- Art. 6(1)(f) — legitimate interests (security, fraud prevention, abuse detection)
- Art. 6(1)(a) — consent (cookies and similar, where required)
6. How We Use Your Data
- Operate the dashboard, licensing, and delivery functionality
- Process orders, issue invoices, and prevent fraud
- Handle customer support and warranty claims
- Secure the Service (logging, rate-limiting, abuse monitoring)
- Comply with German tax, commercial, and packaging-law obligations
7. Processors & Third Parties
We use the following processors under Art. 28 GDPR contracts:
- Stripe Payments Europe Ltd (Dublin, Ireland; further sub-processing by Stripe, Inc. in the United States) — payment processing. Transfer to the US is covered by the EU-US Data Privacy Framework certification and Stripe's Standard Contractual Clauses.
- DHL Paket GmbH (Bonn, Germany) — physical shipment. Shipping address and contact details are shared so the parcel can be delivered.
- Hosting / infrastructure providers (located primarily within the EU/EEA) — operation of the website, dashboard, and license services.
We do not sell personal data and do not transfer data to third parties for advertising.
8. International Transfers
Where data is processed outside the EU/EEA — primarily by Stripe for card-payment processing — we rely on a combination of: (i) the EU-US Data Privacy Framework adequacy decision where applicable, (ii) Standard Contractual Clauses under Art. 46(2)(c) GDPR, and (iii) additional safeguards as required by case law (Schrems II). Copies of the SCCs may be requested at admin@zerotrace.pw.
9. Data Security
- Encryption in transit (TLS) on all endpoints
- Password hashing using modern algorithms (e.g., argon2 / bcrypt)
- Least-privilege access and security monitoring
- Automated retention and cleanup (see Section 10)
10. Data Retention
We retain data only as long as needed for the purpose collected:
- Server / access logs (IP, user agent, timestamps): up to 14 days for security and abuse-prevention purposes (Art. 6(1)(f) GDPR), then anonymised or deleted
- Sessions & auth tokens: deleted at expiry
- Desktop licenses: 3 hours from creation
- Atlas agents / cooldowns: 14 days
- Webhook content: 30 days
- Notifications: until read, max 60 days
- Messages & reactions: 90 days
- Invoices, contracts, and tax-relevant records: 10 years (§147 AO)
- Account data: retained while the account exists; deleted on request subject to legal hold
Backups are infrequent and used only during maintenance — deleted records are not recoverable.
11. Automated Decision-Making
ZeroTrace does not carry out automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.
Our systems use automated rules for fraud and abuse prevention (e.g., rate limiting, anomaly detection, payment-risk signals supplied by Stripe). These rules may flag a session or order for human review but do not, by themselves, deny goods or services without a manual review step.
12. Your Rights (Art. 15–22 GDPR)
- Access — request a copy of your data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion (Art. 17), subject to legal retention
- Restriction — limit processing (Art. 18)
- Portability — receive your data in a portable format (Art. 20)
- Objection — to processing based on legitimate interests (Art. 21)
- Withdraw consent — at any time, with effect for the future (Art. 7(3))
- Right to lodge a complaint with a supervisory authority — competent for us: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Düsseldorf
To exercise rights, contact admin@zerotrace.pw.
13. Contact and DPO
Privacy questions and requests can be sent to admin@zerotrace.pw.
ZeroTrace is currently a sole proprietorship without employees regularly engaged in large-scale processing and is not required to appoint a Data Protection Officer (Art. 37 GDPR / §38 BDSG). The owner, Selda Karakus, handles privacy enquiries directly.