Privacy Policy

Plain-English disclosures aligned with GDPR and CCPA.

This document explains what TrackYourYear collects, why, how long we keep it, and what choices you have. We try to keep it short and specific. If anything is unclear, email hello@trackyouryear.com.

1. Who we are

TrackYourYear (“we”, “us”) is a small, independent toolkit for year-progress, countdowns, and date and time calculations. The site is operated by Sladjan, based in Belgrade, Serbia. For privacy questions, write to hello@trackyouryear.com or use the contact page.

2. At a glance

  • No account required. Public visitors browse anonymously.
  • No analytics until you say yes. The cookie banner is opt-in; analytics scripts are deferred until consent.
  • No ads, no ad networks, no behavioural profiling.
  • No selling, sharing, or trading of data.
  • You can revoke consent at any time via the cookie preferences link in the footer.
  • You can request deletion at any time by emailing us. We respond within 30 days.

3. What we collect

We split this into four buckets so it’s clear what is actually captured.

3.1 Anonymous analytics (only after you accept cookies)

  • Page views, referrer, screen size, device type.
  • Approximate country derived from your IP at the analytics provider; we do not store the IP itself on our servers.
  • An anonymous client ID that lets us count returning visitors.
  • Click and scroll events on the homepage and on tool pages, used to see which features are useful.

We do not collect names, emails, or addresses through analytics.

3.2 Email submissions (only when you initiate them)

  • Email lead capture: if you opt in to year-progress updates we store your email, the trigger you chose, and a referral tag in our database.
  • Contact form: name, email, and message you submit. Used only to reply.

3.3 User-published content

  • Custom countdowns or events you publish through the public tools are stored on our server with the data you chose to enter.

3.4 Operator session

  • If you sign in to the operator-only admin area, we set a session cookie via Supabase so you stay logged in across pages.

4. Why we collect it

  • Analytics tell us which pages and tools are useful and which need fixing or removing.
  • Email opt-ins let us send the updates you explicitly asked for.
  • Contact submissions let us answer your message.
  • Operator sessions let the site owner publish content without re-authenticating on every action.

5. Lawful basis (GDPR)

  • Consent (Art. 6(1)(a)): analytics cookies and email updates.
  • Contract / pre-contract (Art. 6(1)(b)): replying to a contact-form message.
  • Legitimate interest (Art. 6(1)(f)): operator authentication and minimal abuse-prevention rate limits. We balance-test these against your privacy interests; you can object at any time.

6. How long we keep it

  • PostHog analytics events: 365 days, then automatically purged.
  • Google Analytics 4 events: 14 months (the shortest retention GA4 offers).
  • Email lead records: until you unsubscribe or ask for deletion. Inactive records (no opens for 24 months) are removed.
  • Contact-form messages: 12 months from your last reply, then deleted.
  • Operator sessions: 7 days, then expire and have to be re-authenticated.
  • Server logs: 30 days for security and debugging, after which they are deleted automatically.

7. Who we share it with (sub-processors)

We use a small number of trusted infrastructure providers. Each one has a data-processing agreement with us:

We do not sell, share, rent, or trade personal data with any advertiser, data broker, or marketing partner.

8. International transfers

Some sub-processors (Google, PostHog) may process data outside the EEA. Where that happens, we rely on EU Standard Contractual Clauses and the provider’s additional safeguards. You can request the names of the receiving countries by emailing us.

9. Security

  • HTTPS everywhere; HTTP requests are redirected and HSTS-pinned.
  • Database access is gated by Supabase Row-Level Security policies and never exposed directly to the browser.
  • Operator authentication uses short-lived magic links; we do not store your password (we never set one).
  • Secrets are kept in encrypted environment variables, never in the codebase.
  • Server logs are sampled and rotated every 30 days.

10. Your rights (GDPR / CCPA)

Whatever your jurisdiction, you can ask us to:

  • Access the data we hold about you.
  • Correct anything that’s wrong.
  • Delete your data (subject to legal-retention exceptions, e.g. tax records, which do not apply here as we don’t take payments).
  • Export a portable copy of your data.
  • Restrict or object to processing.
  • Withdraw consent at any time without giving a reason.

To use any of these rights, email hello@trackyouryear.com from the address on file. We respond within 30 days, free of charge, unless requests are clearly unfounded or excessive.

11. Children

TrackYourYear is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has submitted data, email us and we will delete it.

12. Cookies

  • Strictly necessary: theme preference, cookie-banner choice, operator session. These are set without consent because the site cannot function without them.
  • Analytics: PostHog and Google Analytics 4. Loaded only after you click Accept on the cookie banner.
  • No advertising or third-party tracking cookies are set anywhere on the site.

You can withdraw analytics consent any time using the Cookie preferences link in the footer, or by clearing your cookies in your browser.

13. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

14. Breach notification

If we detect a personal-data breach that is likely to result in a risk to your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

15. Complaints

You can lodge a complaint with your local data-protection authority at any time. Examples:

We’d still appreciate hearing from you first so we can fix the issue directly.

16. Changes to this policy

We update the “last updated” badge above when we change anything. Material changes (new sub-processor, new data category, longer retention) are announced on the homepage for 30 days before taking effect.

17. Contact

For privacy questions or data-rights requests, write to hello@trackyouryear.com. For everything else use the contact page.