Skip to content
TrackerMaster

Privacy Policy

Last updated: 2026-05-08

This Privacy Policy explains what information Strong Tower Media LLC (“we,” “us”), operator of TrackerMaster at trackermaster.app, collects, why we collect it, how we use and share it, and the choices you have. It applies to trackermaster.app and any related services we offer from this domain.

TrackerMaster is offered to and intended for users in the United States. We do not currently market the service to residents of the European Economic Area or the United Kingdom; if you access the service from those regions, you do so on your own initiative and these U.S.-oriented practices apply.

Summary in plain English

  • We collect the minimum we need to run the service: your account email, your subscription state, the data you record in your trackers, and a small amount of operational telemetry.
  • We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not train AI or machine-learning models on your tracker data. We do not show ads.
  • Your tracking data is stored in our database with row-level security so that only your authenticated account can read or write it.
  • You can access, correct, export, or delete your account and data at any time by emailing privacy@trackermaster.app. We respond within 45 days.

1. Information we collect

1.1 Account information

When you create an account through the Etsy redemption flow, we collect:

  • Email address.
  • Account password (stored as a salted hash by our authentication provider).
  • Account preferences you set, including unit system (metric/imperial) and tracker theme (light/dark).

1.2 Purchase and redemption information

When you redeem an Etsy purchase at /redeem, we collect:

  • The Etsy receipt (order) number you enter.
  • The verification result returned by Etsy’s receipts API (verified, not found, not paid, etc.).
  • A short-lived, single-use claim token issued by us and stored in an HTTP-only cookie until you complete signup.
  • A timestamped record of the redemption, including the user account it was bound to once claim completed.

We do not receive your Etsy account password, your buyer-side payment instrument, or your Etsy shipping address from this verification.

1.3 Billing information

Subscription payments are processed by Stripe. We do not store your card number or other payment-instrument details. Stripe shares with us a customer identifier, the subscription tier, status, current period end, and event records sufficient to keep your account in sync with your subscription.

1.4 Tracker data

Tracker data is the personal information you record inside a tracker — workouts, sets, reps, habits, and similar entries. It is stored in a single per-user record in our database (column user_tracker_state.state), keyed by tracker slug, capped at two megabytes, and protected by row-level security tied to your authenticated identity. Writes are checked against your active entitlements on every save.

1.5 Operational and security data

  • Server logs — request method, path, status, response time, IP address, user-agent, and referrer. Used to operate the service, diagnose problems, and detect abuse. Retained for a limited operational window.
  • Bot-defense signals — Cloudflare Turnstile is used on /redeem. Turnstile may collect device and browser signals to evaluate automation risk. See Cloudflare’s privacy notice for details.
  • Error reports — when an unhandled error occurs, we send the stack trace, a redacted request URL, and minimal context to Sentry to help us fix the bug. We configure Sentry to scrub common sensitive fields (auth tokens, email payloads); we do not intentionally send tracker data to Sentry.
  • Webhook idempotency records — Stripe webhook event IDs are stored briefly to prevent duplicate processing.

1.6 Cookies and similar technologies

We use a small number of strictly-necessary cookies and storage values:

  • Authentication cookies set by our auth provider so you stay signed in.
  • A short-lived claim cookie (HTTP-only) that holds the single-use claim token between /redeem and the claim form.
  • A bot-defense cookie set by Turnstile during the redeem challenge.

We do not use advertising cookies, cross-site tracking pixels, or analytics that build a long-term behavioral profile of you.

1.7 Sensitive data

We do not request or process categories of data classified as “sensitive personal data” under U.S. state privacy laws (such as precise geolocation, health diagnoses, biometric identifiers, government IDs, or racial/ethnic origin). Tracker entries you choose to record are personal information you control; we do not analyze, infer sensitive-category attributes from, or share that information beyond what is necessary to store and return it to you.

2. How we use your information

  • To create and operate your account and authenticate you when you sign in.
  • To verify your Etsy receipt, mint a claim token, and bind your permanent (Etsy-purchased) slot to the tracker you bought.
  • To serve the trackers you have access to, store the data you record in them, and restore your data when you next sign in.
  • To process subscription payments, manage subscription state, and provide a billing portal.
  • To send transactional emails (see Section 6).
  • To diagnose bugs, prevent abuse, and improve reliability.
  • To enforce our Terms of Service and to comply with applicable law and lawful requests.

What we do not do. We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not use your tracker data for advertising. We do not train artificial-intelligence or machine-learning models on your tracker data. We do not share your tracker data with other users.

3. Third-party processors and recipients

We rely on the following processors to operate the service. Each receives only the data described and is bound by terms restricting use to operating the service for us.

  • Supabase— database, authentication, and row-level access control. Receives your account record and your tracker data.
  • Vercel— application hosting. Receives standard request metadata and rendered responses.
  • Stripe— subscription billing and payment processing. Receives your email, your billing address (collected by Stripe at checkout), payment instrument (collected by Stripe), and subscription events.
  • Etsy— receipt verification only. We send the receipt number you enter and our seller credentials. We receive a verification result.
  • Cloudflare Turnstile— bot defense on the redeem flow. Receives device and browser signals to evaluate automation risk.
  • Sentry— error tracking. Receives scrubbed stack traces and request context when errors occur.

We may also disclose information when we have a good-faith belief it is necessary to comply with law, respond to lawful requests from public authorities, enforce our Terms, or protect our rights, our users, or the public from harm or fraud. In the event of a merger, acquisition, financing, or sale of assets, account information may be transferred to the acquiring entity, subject to this Privacy Policy.

4. Data retention

  • Active accounts. We keep your account information and tracker data for as long as your account is active.
  • Cancelled subscriptions, retained accounts. If you cancel a subscription but keep the account, your tracker data in deactivated slots is retained so that re-upgrading restores it.
  • Closed accounts. When you delete your account, we delete the account record and the linked tracker-state row from our primary database. Backups containing deleted data are aged out on a rolling schedule (typically within 30 days).
  • Logs and error reports. Server logs are retained for a limited operational window. Stripe webhook events are pruned on a 30-day schedule.
  • Records we are required to keep. Tax, financial, and dispute records may be retained as long as required by applicable law, regardless of account deletion.

5. Security

We protect your data with controls including row-level security pinning every read and write to your authenticated identity, a server-side RPC for atomic per-tracker writes, a scoped Content Security Policy on tracker pages, encrypted secrets storage on our hosting provider, rate limiting and bot defense on the redemption flow, and operational monitoring. No system is perfectly secure; if we become aware of a security incident affecting your information, we will notify affected users in accordance with applicable law.

6. Email from us

We send transactional emails required to operate your account: claim confirmations, billing receipts and invoices, renewal reminders, security notices, account-change notices, and material-change notifications about these legal documents. These messages are part of the service and cannot be opted out of while your account is active.

We do not currently send marketing email. If we begin to, we will provide a clear unsubscribe link in every commercial email and honor unsubscribe requests within ten business days, in accordance with the federal CAN-SPAM Act (15 U.S.C. § 7701 et seq.). Marketing email will only be sent to people who opt in.

7. Your rights

Regardless of where you live in the United States, you may:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete your account and associated personal information.
  • Receive a portable copy of your tracker data in a machine-readable format.
  • Opt out of any profiling that produces legal or similarly significant effects (we do not conduct such profiling).
  • Appeal a denial of any of the above.

We do not sell personal information, do not share it for cross-context behavioral advertising, and do not process sensitive personal information for purposes beyond providing the service. To exercise any right, email privacy@trackermaster.app from the address on your account. We will respond within 45 days; we may extend by 45 additional days when reasonably necessary, with notice. There is no fee for the first request in any 12-month period.

7.1 California residents (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the rights to know, delete, correct, and opt out of sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights email privacy@trackermaster.app. We will not discriminate against you for exercising any CCPA right.

7.2 Texas residents (TDPSA)

Strong Tower Media LLC qualifies as a small business under U.S. Small Business Administration size standards and is currently exempt from most provisions of the Texas Data Privacy and Security Act(Tex. Bus. & Com. Code Ch. 541). We do not sell personal data and do not process sensitive personal data for sale, so the TDPSA notice required of sellers of sensitive data does not apply. Texas residents may nonetheless submit access, correction, and deletion requests under Section 7; we will honor them on the same terms as residents of other states.

7.3 Residents of other states with comprehensive privacy laws

Residents of California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky, and Nebraska — and any other state with a comprehensive consumer privacy statute now in force — have the rights enumerated in Section 7 with respect to the personal information we hold about them. The enumerated rights apply uniformly regardless of state of residence.

8. Children’s privacy (COPPA)

TrackerMaster is not directed to children under 13. Account creation requires that you represent you are at least 13 years old. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete the account and the associated information promptly. To report a suspected under-13 account, email privacy@trackermaster.app. This practice is intended to comply with the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and 16 C.F.R. Part 312.

9. International users

TrackerMaster is hosted and operated in the United States. By using the service from outside the United States you understand that your information will be processed in the United States, which may have different data-protection rules than your jurisdiction.

10. Changes to this Policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or through the service. The “Last updated” date at the top of this page reflects the date of the most recent change.

11. Contact us

For privacy questions or to exercise any of the rights in this policy, email privacy@trackermaster.app. For all other questions, email support@trackermaster.app.

Strong Tower Media LLC
Tarrant County, Texas, United States