Privacy Policy
Last updated: May 2026
1. Data Controller
The data controller for your personal data is Trackstar Company, trading as ThinQr Solutions, registered at Spuistraat 249 C, 1012 VP Amsterdam, KvK number 91189276, BTW NL004875713B98.
For questions or requests regarding your personal data, contact our Privacy Contact at privacy@thinqr.com.
ThinQr has not formally appointed a Data Protection Officer under GDPR Art. 37, as our processing activities do not meet the mandatory appointment criteria. The Privacy Contact handles all data-protection matters.
ThinQr is a business-to-business service intended exclusively for professional use by adults. The Service is not directed at, and we do not knowingly collect personal data from, anyone under 18 years of age. If you believe we have collected data from a minor, contact privacy@thinqr.com and we will delete it.
2. Data We Collect
Account & Profile Data
When you create an account, we collect your name, email address, password (hashed), and optionally your phone number, language preference, and profile photo. If you sign up as part of an organization, we also collect your job title and role within the company.
Business Data
When you use ThinQr, you provide business data including: your company name, industry, business type, customer channel, fulfillment model, products and services, team structure, training content, and uploaded documents. This data is used solely to provide the Service and is owned by you.
Usage Data
We automatically collect information about how you interact with the Service, including: pages visited, features used, timestamps, referring URLs, browser type, operating system, device type, and IP address. This data is collected via server logs and analytics tools.
Payment Data
Payment information (credit card numbers, billing address) is processed directly by Stripe and is not stored on our servers. We receive and store your Stripe customer ID, subscription status, and transaction history.
3. Legal Bases for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, training generation, business mapping, and customer support.
- Legitimate interest (Art. 6(1)(f)): Analytics and product improvement, fraud prevention, security monitoring, and direct marketing to existing customers (with opt-out).
- Consent (Art. 6(1)(a)): Marketing cookies (specifically our thinqr_lead_id cookie), promotional emails, and optional analytics. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Tax and accounting records, regulatory compliance.
4. AI Data Handling
ThinQr uses third-party AI providers to power features such as training generation, business mapping analysis, briefings, and document processing:
- Anthropic (Claude): Used for training generation, business mapping, ThinQr AI assistant, and document summarization. Your business data is sent to Claude's API for processing but is not stored by Anthropic for model training. Data is processed under Anthropic's commercial API terms, which explicitly exclude training use.
- OpenAI (GPT-4 Vision): Used exclusively for contract OCR and document text extraction. Document content is sent for processing but is not stored by OpenAI for model training under their API data usage policy.
AI-generated outputs (training modules, analysis, recommendations) are stored within your ThinQr account and are subject to the same data retention and deletion policies as your other data.
Transfers of your business data to Anthropic and OpenAI for AI processing are carried out under Art. 6(1)(b) GDPR (performance of a contract), as these transfers are necessary to provide the features you have subscribed to.
No automated decision-making with legal or similar effect. ThinQr does not make decisions based solely on automated processing that produce legal or similarly significant effects on data subjects (GDPR Art. 22). AI-generated outputs (training assignments, feedback suggestions, warnings, briefings, recommendations) are provided as support tools and are reviewed and actioned by human administrators before taking effect.
5. Optional Integrations — Google Business Profile
If you choose to connect your Google Business Profile to ThinQr (optional, available from Settings → Connected Accounts), we request the following OAuth scope:
- https://www.googleapis.com/auth/business.manage — to read your reviews, performance metrics, and posts, and to publish replies and posts with your explicit approval.
What we store: Encrypted OAuth access and refresh tokens, reviews and replies, daily performance metric snapshots (profile views, calls, directions, website clicks, search queries), and post history. All data is scoped to your company via row-level security.
How we use it: To draft review replies and Google Posts for your approval, to generate analytics and briefings, and to suggest training and operational improvements. We do not sell or share this data with third parties.
Retention: Data is retained while your ThinQr subscription is active. On disconnection, stored Google data is deleted within 30 days. On account closure, all data including Google data is deleted within 30 days in line with our standard retention policy.
Your control: You can disconnect your Google Business Profile from ThinQr at any time from Settings → Connected Accounts. Disconnection revokes ThinQr's access via the Google OAuth revoke endpoint and deletes all stored Google data within 30 days. You can also revoke access directly at myaccount.google.com/permissions.
Compliance: ThinQr's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
For questions about Google data processing, contact our Privacy Contact at privacy@thinqr.com.
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active and you maintain a valid subscription.
- Cancelled accounts: After cancellation, your data is preserved for 30 days (grace period), after which it is permanently deleted from our systems and backups within 90 days.
- Financial records: Transaction and invoice data is retained for 7 years as required by Dutch tax law (AWR).
- Server logs: Automatically deleted after 90 days.
- Analytics data: Anonymized and aggregated after 26 months.
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest, including profiling and direct marketing.
- Right to restrict processing (Art. 18): Request restriction of processing in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@thinqr.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Subprocessors
We use the following subprocessors to deliver the Service. For full details, see our Data Processing Agreement.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, Auth, Storage | EU (aws-eu-central-1) |
| Vercel | Hosting, CDN | EU (Frankfurt, fra1) |
| Anthropic | AI processing | US |
| OpenAI | Contract OCR | US |
| Stripe | Payments | US/EU |
| Resend | Email delivery | US |
| Upstash | Rate limiting | EU (fra1) |
9. International Data Transfers
Some of our subprocessors are based in the United States. For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our agreements with US-based processors.
- Supplementary measures including encryption in transit (TLS 1.2+) and at rest, access controls, and contractual restrictions on data use.
10. Cookies
We use a limited number of cookies to operate the Service. For full details on cookies used and how to manage them, see our Cookie Policy.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit and at rest, row-level security policies, rate limiting, input validation, regular security audits, and access controls. For details, see our Data Processing Agreement.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, for significant changes, by email. We encourage you to review this page periodically.
13. Contact
Trackstar Company, trading as ThinQr Solutions
Spuistraat 249 C, 1012 VP Amsterdam
KvK: 91189276
BTW: NL004875713B98
Privacy Contact: privacy@thinqr.com