Privacy Policy

Last updated: May 2026 · Version 1.0

Plain-English summary: Perlicom Systems Ltd, an Irish company, runs Vehicle Tracker. We collect only the data we need to operate the Service: who is signed in, which trackers exist, where they are. We never sell or rent personal data, and we never share it for cross-context behavioural advertising. All data is hosted in the European Union and governed by GDPR.

1. Who we are (Data Controller)

The data controller for this Service is:

Company: Perlicom Systems Ltd
Registered address: Dalgin, Milltown, Tuam, Co. Galway, Ireland
Company registration: IE 123456
VAT: IE9692570W
Privacy contact / Data Protection Officer: privacy@perlicom.com

2. Controller and processor roles

Vehicle Tracker has two distinct relationships with personal data:

For data about you, the customer (your name, email, billing details, login activity), we are the controller.
For data about people you track (drivers, contractors, lone workers), we are the processor; you are the controller. You decide why and how that data is processed and you are responsible for providing the privacy notice required by Articles 13/14 GDPR.

3. Data we collect and why

The table below is our full Article 13/14 disclosure: each row sets out a category of personal data, why we process it, the lawful basis under Article 6 GDPR and how long we keep it.

Data	Purpose	Lawful basis	Retention
Google account profile (name, email, profile picture) returned by Google OAuth	Authenticate you, populate your display name, send service email	Performance of contract (Art. 6(1)(b))	While your account exists; deleted within 30 days of account closure
Tracker definitions (name, registration, type, owner contact details)	Show your fleet on the map; send alerts to nominated contacts	Contract (Art. 6(1)(b))	While your account exists, then 30 days
Position data (lat, lng, speed, heading, timestamp) — note this can be personal data when it relates to a person rather than an inanimate asset	Provide live map, route history, alerts, reports	Performance of contract (Art. 6(1)(b)) when on your own assets; processor relationship under Art. 28 when relating to drivers/contractors	180 days TTL on the position collection; older data is automatically deleted by MongoDB. Reports aggregate before that cutoff.
Geofences and alert rules	Trigger enter/exit and threshold alerts	Contract (Art. 6(1)(b))	While your account exists
Subscription, billing and invoice data (plan, status, last 4 digits of card, billing address, VAT number)	Process your subscription, issue compliant invoices, comply with Irish/EU tax law	Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))	7 years (Irish tax law) for invoices
Connection metadata (IP address, browser, OS, device type, timestamps)	Authenticate sessions, detect abuse and account takeover, troubleshoot, capacity planning	Legitimate interests (Art. 6(1)(f))	Security and audit logs: 90 days; aggregated, non-identifying telemetry: indefinite
Push-notification tokens (FCM / APNs)	Deliver alert notifications	Contract (Art. 6(1)(b))	Until you sign out or revoke the token
Cookies / local storage strictly necessary for the Service (session, CSRF, theme)	Keep you signed in, prevent CSRF, remember UI preferences	Strictly necessary — no consent required (ePrivacy Reg. 5(3) exemption)	Up to 12 months

What we do not do: We do not run advertising trackers. We do not share data with ad networks. We do not profile you or build behavioural advertising audiences. We do not perform automated decision-making with legal or similarly significant effects under Article 22 GDPR.

4. Encryption and security

Web traffic is encrypted in transit using TLS 1.2+ with HSTS.
Position ingestion from devices is over HTTPS only; device tokens are stored as SHA-256 hashes, not plaintext.
Authentication is delegated to Google (OAuth). We do not store passwords.
Patched, monitored servers; regular dependency scanning; least-privilege staff access; audit logging.

In the event of a personal-data breach likely to result in a risk to your rights, we will notify the Irish Data Protection Commission within 72 hours of becoming aware (Art. 33) and notify affected users without undue delay (Art. 34).

5. Sub-processors

Processor	Role	Region
Hetzner Online GmbH	Hosting (compute, storage, network)	Germany / Finland (EU)
Cloudflare, Inc.	DNS, DDoS protection, TLS termination at the edge	EU edge nodes; SCCs in place for any non-EU transit
Google LLC (OAuth)	Authentication only	EU + USA; SCCs + Data Privacy Framework
Google LLC (Maps JavaScript API)	Map tiles and geocoding for the live map	EU + USA; SCCs + DPF
Google LLC (Firebase Cloud Messaging)	Push notification delivery to phones	EU + USA; SCCs + DPF
Apple Inc. (APNs)	Push notification delivery to iOS devices	USA; SCCs + DPF
Stripe Payments Europe Ltd	Subscription billing and card processing	Ireland (EU)
SMTP relay provider configured by us	Transactional email	EU

6. International data transfers

Personal data is processed in the European Economic Area by default. Where a sub-processor (Google, Apple) operates from outside the EEA, we rely on the European Commission's Standard Contractual Clauses and, for US-based processors that have self-certified, the EU-US Data Privacy Framework.

7. Your rights

If you are in the EEA, the UK or another jurisdiction with comparable rights, you have the right to:

Access your personal data (Art. 15 GDPR).
Rectify inaccurate data (Art. 16).
Erase your data ("right to be forgotten", Art. 17). Where erasure conflicts with our legal obligation to retain invoices, we will keep the minimum required data until the obligation expires.
Restrict processing (Art. 18).
Data portability — receive your data in a machine-readable format (Art. 20).
Object to processing based on legitimate interests (Art. 21).
Withdraw consent at any time, where consent is the basis.
Lodge a complaint with a supervisory authority. The lead authority is the Irish Data Protection Commission, dataprotection.ie; you may also complain to the authority in your own country.

To exercise any of these rights, email privacy@perlicom.com. We respond within one month and will not charge a fee unless your request is manifestly unfounded or excessive (Art. 12(5)).

8. Cookies and similar technologies

Vehicle Tracker uses only strictly necessary cookies and local-storage entries — for session tokens, CSRF protection and theme preference. We do not set non-essential cookies and therefore do not display a consent banner. We do not use third-party advertising or behavioural tracking cookies.

9. Children

Vehicle Tracker is not intended for users under 16. The age of digital consent in Ireland is 16 (Data Protection Act 2018, s.31). We do not knowingly collect data from children under 16.

10. Automated decision-making and profiling

We do not use any solely automated decision-making that produces legal or similarly significant effects on you, within the meaning of Article 22 GDPR.

11. Changes to this policy

If we change this policy in a way that affects your rights, we will notify registered users by email and post a notice on this page at least 30 days before the change takes effect. Minor clarifications will not trigger a notice.

12. Contact

Privacy / DPO: privacy@perlicom.com
Security disclosure: security@perlicom.com
Postal: Dalgin, Milltown, Tuam, Co. Galway, Ireland