Privacy policy
Last updated: July 1, 2026
1. Introduction
TrackIt Life is a trading name of A&C Digital Ltd ("we", "our", or "us"), registered in England & Wales. This Privacy Policy explains how we collect, use, and protect your information when you use our service at trackitlife.co.uk. We do not sell, share, or monetise your personal information.
2. Corporate Website (trackitlife.co.uk)
This section covers data collected on our corporate website, separate from the TrackIt Life web application.
2.1 Analytics
We use self-hosted Umami analytics on our corporate website. Umami is designed to be privacy-friendly:
- No cookies are set
- No personal data is collected
- No cross-site tracking
- All analytics data is stored on our own EU infrastructure (OVH, France)
- Analytics data includes: anonymous page views, referrer, browser type, country (from IP, not stored)
No consent is required for these analytics, as no personal data is processed.
2.2 Waitlist Signup
If you join our waitlist, we collect:
- Your email address
- Timestamp of signup
Legal basis: Consent (Art. 6(1)(a) GDPR). You explicitly opt in by checking the consent box and submitting the form.
Your email is used solely to notify you when TrackIt Life launches. You can unsubscribe at any time by contacting privacy@trackitlife.co.uk. We do not share waitlist emails with third parties.
2.3 Contact Form
If you submit a contact form, we collect:
- Your name
- Your email address
- The subject/category of your enquiry
- Your message
Legal basis: Consent (Art. 6(1)(a) GDPR) for general enquiries. Legitimate interest (Art. 6(1)(f)) for GDPR/privacy requests.
Contact form data is retained for 12 months after resolution, then deleted. Data is stored on our EU infrastructure and processed only by TrackIt Life team members.
3. Data Controller
The data controller is A&C Digital Ltd, trading as TrackIt Life. For data protection enquiries, contact privacy@trackitlife.co.uk.
4. Information We Collect
4.1 Information you provide
- Account data: Name, email address, password (bcrypt-hashed), account preferences
- Financial data: Expenses, savings, transaction history (dates, descriptions, balances), budgets, categories, templates. Monetary values and balances are encrypted at rest — descriptions, categories, dates, and tags are stored unencrypted.
- Fitness data: Workout logs, exercise plans, progress records, screenshots, smartwatch imports
- Grocery data: Shopping lists, grocery plans, receipt items, store preferences
- Diet data: Meal plans, nutrition logs, food photos, dietary preferences
- Uploaded documents: Bank statement PDFs and CSVs submitted for AI parsing (processed in real-time, not stored by the AI provider)
4.2 Information collected automatically
- Device information: Browser type, operating system, screen resolution
- Log data: IP address, access timestamps, pages visited
- Activity logs: User actions within the platform (creates, updates, deletes) — used for your activity feed and audit trail
- Security events: Login attempts, password changes, 2FA events, session management
- Admin access logs: All administrative actions are logged with timestamps and admin identity
- Cookies: Authentication session cookies only — see our Cookie Policy
4.3 Information we do NOT collect
- Bank login credentials or banking API tokens
- National insurance, social security, or government ID numbers
- Biometric data
- Location data (no GPS tracking)
- Contact lists or phone data
- Data from third-party social media accounts
5. How We Use Your Information
We use your information to:
- Provide and maintain the TrackIt Life service
- Process and categorise your financial transactions
- Generate personalised insights and analytics
- Deliver AI-powered features (with your explicit consent)
- Send transactional emails (account verification, password resets)
- Monitor service health and prevent abuse
- Comply with legal obligations
We do NOT use your information for:
Advertising, profiling for third parties, selling data, training AI models on your data, or any purpose beyond providing the TrackIt Life service to you.
5.1 Account activity logging
TrackIt Life maintains an activity log of significant user actions (creating budgets, importing statements, deleting records, etc.). This log powers your in-app activity feed and provides an audit trail. Activity logs are retained for 90 days and are included in GDPR data exports. All activity logging is fire-and-forget — it never blocks your primary operations.
6. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the TrackIt Life service you signed up for
- Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
- Consent (Art. 6(1)(a)): AI features, optional analytics, marketing communications — each requires explicit opt-in and can be withdrawn at any time via the Privacy Center
- Legal obligation (Art. 6(1)(c)): Where required by law (e.g., responding to lawful data requests)
7. Data Sharing
We share data only with the minimum number of processors required to operate the service. We do not sell data or share it for advertising purposes.
| Provider | Purpose | Data Shared |
|---|---|---|
| Brevo (EU) | Transactional emails | Email address only |
| BunnyCDN (EU) | CDN & edge delivery | IP address, request headers |
| Mistral AI (France) | AI PDF statement parsing (if enabled and consented) | PDF document content — zero data retention policy, not stored or used for training |
| OVH (France) | Infrastructure hosting | All application data — stored encrypted, EU-only |
| Hetzner (Germany) | Encrypted backups | Encrypted backup archives only |
| Umami (self-hosted) | Privacy-friendly analytics | Anonymous page views — no cookies, no personal data |
All infrastructure providers are EU-based. No user data leaves the European Union.
8. Data Security
We implement the following security measures:
- Encryption at rest: All monetary values and balances are encrypted before storage using vault-derived keys. Transaction descriptions, categories, and dates are stored unencrypted.
- EU infrastructure: All data is hosted on OVH servers in France, with encrypted backups on Hetzner in Germany.
- TLS encryption: All data in transit is encrypted via TLS 1.2+
- Password hashing: All passwords are hashed using bcrypt with appropriate salt rounds
- Session security: HTTP-only, secure, SameSite cookies with configurable expiry
- Two-factor authentication: Optional TOTP-based 2FA for all accounts
- Audit trail: All significant actions are logged with timestamps, user identity, and IP address
Important: Only monetary values and balances are encrypted at rest. Transaction descriptions, merchant names, categories, tags, and dates are stored in plaintext to enable search, categorisation, and analytics features.
9. Data Retention
- Account data: Retained while your account is active. Deleted upon account deletion request.
- Financial, fitness, grocery, and diet data: Retained while your account is active. Cascade-deleted upon account deletion.
- Activity logs: Retained for 90 days, then automatically purged.
- Security logs: Retained for 12 months for fraud prevention.
- Uploaded documents: Processed in real-time and not retained by the AI provider. Your original uploads are stored on our infrastructure until you delete them.
- Backups: Encrypted backups are retained for 30 days, then automatically deleted.
10. Your Rights
Under the GDPR, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you. Available via the Privacy Center or by contacting us.
- Right to data portability: Export all your data in JSON or CSV format at any time through the Privacy Center.
- Right to rectification: Correct any inaccurate personal data. Most data can be edited directly within the app.
- Right to erasure: Request complete deletion of your account and all associated data. This is a cascade delete — every record across every collection is permanently removed.
- Right to restrict processing: Request that we limit how we process your data while a complaint is being resolved.
- Right to object: Object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent: Withdraw consent for any optional feature (AI parsing, analytics, marketing) at any time via the Privacy Center. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, use the Privacy Center in your account settings or email privacy@trackitlife.co.uk. We will respond within 30 days.
11. International Transfers
All primary data processing occurs within the EU (France). Our third-party processors:
- Brevo: Processing in EU. Standard Contractual Clauses (SCCs) in place for any US transfer.
- BunnyCDN: EU-based infrastructure.
- Mistral AI: France-based. Zero data retention.
- OVH: France-based.
- Hetzner: Germany-based.
No user data is routinely transferred outside the European Economic Area.
12. Children's Privacy
TrackIt Life is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@trackitlife.co.uk and we will delete the data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.
14. Contact Us
For any privacy-related questions or to exercise your data rights:
- Email: privacy@trackitlife.co.uk
- In-app: Privacy Center → Data Subject Requests
- Post: A&C Digital Ltd, England & Wales
15. Supervisory Authority
If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
16. AI Features and Data Processing
TrackIt Life uses AI features powered by Mistral AI, headquartered in France. When you use AI PDF statement parsing:
- Your PDF document is sent to Mistral's API for text extraction
- Mistral operates a zero data retention policy — your document is processed in real-time, never stored, and never used for model training
- Only parsing metadata (success/failure, transaction count, processing time) is logged by TrackIt Life
- AI parsing requires explicit opt-in consent via the Privacy Center — you can withdraw consent at any time
- Our ML categorisation engine runs on our own infrastructure and processes transaction metadata (merchant names, categories) — never monetary values
- All AI features are optional. You can use TrackIt Life without enabling any AI functionality.
This privacy policy applies to the TrackIt Life service operated by A&C Digital Ltd. For questions, contact privacy@trackitlife.co.uk.