Mobile App Privacy Policy

Version: 1.1

Effective date: 2026-05-14

1. Scope

This Privacy Policy applies to InstalTrack mobile applications published on Google Play and Apple App Store.

To the extent functionally linked to a user account, this policy also covers data processed through the InstalTrack website and web portal (e.g. registration, sign-in, contact form, and service communications).

2. Data Controller and Contact

InstalTrack is the controller for account-level user data. InstalTrack is the service trade name and the legal service provider is Tomasz Szymoński, VAT ID 6792895776, ul. Białoruska 61/7, 30-638 Krakow, Poland, European Union. For business customer data entered into the app, the business customer remains the controller and InstalTrack acts as a processor unless applicable law states otherwise.

Contact: [email protected]. Address: ul. Białoruska 61/7, 30-638 Krakow, Poland, European Union.

2A. Google and Apple Developer Accounts

InstalTrack mobile applications are published and managed through Google Play and Apple App Store developer accounts held by the legal service provider.

App store operators (Google Play and Apple App Store) may process personal data as independent data controllers under their own terms and privacy policies. Such independent processing is outside the controller-processor scope of this policy.

3. Categories of Data We May Collect

  • Account data: first name, last name, email address, phone number, user role, account identifiers.
  • Authentication and security data: login identifiers, session tokens, password reset information, security logs.
  • Device and app technical data: device type, operating system, app version, technical identifiers, diagnostics and crash logs.
  • Operational data: projects, stages, documents, photos/attachments, customer and team data entered by users or organizations.
  • User-provided location-related data: project addresses used for map rendering and geocoding (converting an address into coordinates).
  • Communication data: push tokens, notification preferences, and system communication history.
  • Web form data: information submitted via registration and contact forms (including email, phone number, and message content).

The exact set of data depends on features used in the app, account configuration, and enabled technical integrations.

4. Purposes of Processing

  • Providing services and maintaining user accounts.
  • Authentication, authorization, and fraud/abuse prevention.
  • Supporting project, document, and workflow functionality in the app.
  • Displaying projects on maps and geocoding project addresses.
  • Sending notifications and service-related communications.
  • Contacting users by email or phone for account, support, and request-handling purposes.
  • Maintaining, diagnosing, and improving app quality.
  • Complying with legal obligations and asserting legal claims.

5. Legal Bases

Legal bases include: performance of a contract (service delivery), legitimate interests (security, diagnostics, service improvement), legal obligations, and consent where required by law.

5A. Responsibility for User-Entered Data

The user or organization entering data into the app declares that they have rights and authorization to use such data (including customer data, team-member data, email addresses, and phone numbers), obtained required notices and consents, and that entered data is true, accurate, and up to date.

6. Data Sharing and Processors

Data may be shared with trusted technical service providers strictly as needed to operate the app (e.g. hosting, authentication, email delivery, push notifications, error monitoring).

We use DigitalOcean for application infrastructure and database hosting (EU region environment). We may also use other comparable infrastructure providers where necessary for service operation, security, scalability, or continuity.

For traffic security, abuse prevention, and edge security controls, we may use Cloudflare, which may process standard request technical data (e.g. IP address and browser/WebView metadata).

For error monitoring and service stability, we may use Sentry, which may process technical diagnostic data and error events.

More information: DigitalOcean Data Processing Agreement.

More information: Cloudflare Privacy Policy.

More information: Sentry and Your Data, Sentry Data Processing Addendum.

We do not sell users' personal data.

We use Google Firebase, including Firebase Authentication and Firebase Cloud Messaging (FCM), to support sign-in, account security, and push notifications. As a result, selected technical data and identifiers (e.g. account identifiers, device/push tokens, and technical metadata) may be processed by these services under their terms and privacy policy.

We may use Mailgun (Sinch Email) for transactional email delivery and service communications, which may process contact details and technical email delivery metadata.

More information: Firebase Privacy and Security, Firebase Data Processing and Security Terms.

More information: Mailgun Terms, Sinch Data Processing Agreement.

For map features, we also use external map and geocoding providers. Project addresses entered by users may be sent to OpenStreetMap (map tiles) and Photon by Komoot (geocoding) to display project locations on a map. These services may also receive standard request technical data (e.g. IP address and WebView/browser metadata).

More information: OpenStreetMap, Nominatim Usage Policy, Photon by Komoot.

7. Data Retention

We retain data for as long as needed to provide the service, perform contractual obligations, ensure security, comply with legal obligations, and resolve disputes. After required periods, data is deleted or anonymized.

8. User Rights and Account Deletion

  • You may request access, correction, deletion, restriction, and portability of your data, subject to applicable law.
  • You can submit requests at [email protected].
  • Account-related requests are handled without undue delay, usually within 30 days, unless law requires otherwise.
  • You can delete your account in account settings or request deletion by email.
  • Public Google Play account deletion page: http://instaltrack.com/mobile-app-account-deletion.
  • You also have the right to lodge a complaint with a competent EU supervisory authority.

8A. Content Safety and Rules Enforcement

To protect users, legal compliance, and platform security, we may remove, block, or restrict data and content that is unlawful or includes abusive, sexual, violent, hateful, infringing, or otherwise prohibited material.

We may also temporarily suspend or terminate access where reasonably required for legal, security, or abuse-prevention reasons.

9. Children and Minors

The app is not directed to children. We do not knowingly collect personal data from children. If we learn that child data was provided, we will take steps to delete it.

10. International Data Transfers

If data is transferred outside the European Economic Area, we apply appropriate legal safeguards such as standard contractual clauses or other mechanisms required by law.

11. Data Security

We use appropriate technical and organizational measures to protect data against unauthorized access, loss, misuse, or disclosure.

12. Policy Changes

We may update this policy. Changes are published on this page together with the updated version and effective date.

12A. Force Majeure

We are not liable for delays, interruptions, or unavailability of the service caused by events beyond our reasonable control, including war, armed conflict, terrorism, civil unrest, sanctions, government actions, natural disasters, epidemics, internet outages, third-party infrastructure failures, or energy shortages.

13. Governing Law and Jurisdiction

This Privacy Policy and all matters related to the service are governed by the laws of Poland.

Any disputes arising from this Privacy Policy or use of the service shall be resolved exclusively by the competent courts in Poland.

14. Contact

[email protected]