Holding page. This is a working draft based on our internal GDPR documentation. It will be reviewed and finalised by counsel before public launch. If you need a signed copy now, email privacy@data-trackers.com.
1. Introduction
Data Trackers ("we," "us," "our") is committed to protecting your privacy and to safeguarding personal data you trust to us. This policy explains how we collect, use, disclose and protect information when you use our tracking and analytics service for Articulate Storyline courses.
We operate as a data processor for our customers (freelance instructional designers, corporate training teams, agencies and organisations) who use our service to collect learning analytics from their e-learning courses. For data we collect directly from those customers (account details, billing), we act as a data controller.
2. Controller and processor roles
Under the UK GDPR and EU GDPR:
- Data controller -- our customers, the organisations using Data Trackers to collect learning data, are the controllers for learner data. They decide the purposes and means of processing.
- Data processor -- Data Trackers processes learner data on behalf of those customers according to their documented instructions, as set out in our Data Processing Agreement.
For customer account data (name, email, billing, preferences), Data Trackers is the controller.
3. Information we collect
3.1 Customer account data (as controller)
- Name and work email
- Company or organisation name
- Role or job title
- Billing information (processed via Stripe)
- Account preferences and settings
- Support communication history
3.2 Learner data (as processor)
When customers use Data Trackers to collect learning analytics, we may process, on their behalf:
- Learner identifiers (as configured by the customer; for SCORM courses this is the LMS learner ID and name)
- Quiz performance and assessment results
- Time on slide and course duration
- Navigation patterns and interaction data
- Custom variables defined by the customer
- Completion status and progress data
- Scenario and branching choices
3.3 Technical data
- IP address (anonymised where possible)
- Browser type and version
- Device information
- Timestamps and session data
- Webhook and API logs
What never touches our servers: your Storyline .story source file. All parsing happens client-side in your browser. We do not upload, store or see the file itself.
4. How we use your information
4.1 Customer data
- Provide and maintain the service
- Process payments and manage subscriptions
- Send service-related communications
- Provide customer support
- Improve our products and services
- Comply with legal obligations
4.2 Learner data (on behalf of customers)
- Store data in our BigQuery warehouse for the retention period defined by the customer's subscription tier
- Generate analytics dashboards at the customer's request
- Route data to customer-specified destinations (exports, warehouse connections, webhooks)
- Export data in customer-requested formats (CSV, JSON, direct BigQuery access)
5. Legal basis for processing
We process personal data under the following legal bases:
- Contract performance -- processing necessary to fulfil our service agreement with customers.
- Legitimate interests -- improving our services, ensuring security, preventing fraud.
- Consent -- where explicitly provided (for example, marketing communications).
- Legal obligation -- where required by applicable law.
For learner data, customers are responsible for establishing their own lawful basis for collecting learning analytics (typically consent or legitimate interests).
6. Data sharing and third parties
6.1 Service providers (sub-processors)
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, auth, database, cloud functions | EU / USA (configurable) |
| BigQuery | Learner data warehouse | EU / USA (configurable) |
| Fivetran | Webhook pipeline for ingesting tracker data | EU / USA |
| Stripe | Payment processing | EU / USA |
| Mailgun / HubSpot | Transactional and marketing email | EU / USA |
| Anthropic (Claude API) | AI recommendations for Tier 2+ customers | USA (no customer data is trained on) |
6.2 International transfers
Where personal data is transferred outside the UK or EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission and UK Addendum, and verify the recipient's data protection practices.
7. Data retention
Learner data retention varies by subscription tier:
- Free tier: 30 days
- Mid tier: 12 months
- Premium tier: unlimited (while subscribed)
Customer account data is retained for the duration of the subscription plus 30 days for account recovery, unless longer retention is required by law. You may request earlier deletion of your data at any time.
8. Your rights under GDPR
If you are a Data Trackers customer you have the following rights:
- Access -- request a copy of your personal data
- Rectification -- request correction of inaccurate data
- Erasure -- request deletion ("right to be forgotten")
- Restriction -- request limitation of processing
- Portability -- receive your data in a portable format
- Objection -- object to processing based on legitimate interests
- Withdraw consent -- where processing is based on consent
If you are a learner whose data has been processed through our platform by one of our customers, please contact the organisation that deployed the course -- they are the controller for your data.
9. Security measures
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and multi-factor authentication
- Regular security assessments and vulnerability management
- Secure development and code review practices
- Staff training on data protection
- Documented incident response procedures
- Client-side
.storyparsing so source files never touch our infrastructure
10. Cookies and tracking
We use essential cookies to operate the service and optional analytics cookies to improve it. See our Cookie policy for details and management options.
11. Children's privacy
Our service is not directed at children under 16. We do not knowingly collect personal data from children. Customers using Data Trackers in educational contexts involving minors are responsible for obtaining appropriate parental consent and complying with child-protection law.
12. Changes to this policy
We may update this policy periodically. We will notify you of material changes by email or prominent notice on the site. Continued use after changes constitutes acceptance of the updated policy.
13. Contact
Questions about this policy, or to exercise your rights:
- Email: privacy@data-trackers.com
- Post: Data Trackers, [registered address to be added at launch]
UK residents can complain to the Information Commissioner's Office (ICO). EU residents can complain to their local supervisory authority.