Privacy Notice

for prompt-monitoring.com, geo-tool.com and the GEO Tool application · Date: 3 July 2026 · Version 1.1

Controller: track by track GmbH, Schliemannstraße 23, 10437 Berlin, Deutschland
Privacy contact: datenschutz@geo-tool.com
Telephone: +49 30 21923869
Note: This English version is a convenience translation of the German privacy notice.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is track by track GmbH, Schliemannstraße 23, 10437 Berlin, Deutschland.

Email: datenschutz@geo-tool.com · Telephone: +49 30 21923869. Managing director: Tobias Sander. Register court: Amtsgericht Berlin-Charlottenburg, HRB 129805 B. VAT ID: DE814954842.

2. Data protection officer

We have currently not appointed a data protection officer because, according to our current assessment, the statutory requirements are not met. If this changes, this Privacy Notice will be updated. You can contact us regarding privacy matters at datenschutz@geo-tool.com.

3. General principles

We process personal data only to the extent necessary to provide the website, application, contract performance, security, communication, billing, analytics services or to comply with legal obligations, or where consent has been given.

Legal bases include Article 6(1)(a) GDPR (consent), Article 6(1)(b) GDPR (contract or pre-contractual measures), Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests).

We delete personal data once the respective purpose ceases to apply and no statutory retention duties, evidence interests or legitimate security interests prevent deletion.

4. Website provision and server log files

When you access our website, technically necessary information is processed, including IP address, date and time of access, requested page/file, data volume, referrer URL, browser type and version, operating system and technical status messages.

The purposes are technical delivery, stability, error analysis, abuse prevention and security. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is secure and functional provision of the website and application.

Hosting and infrastructure may be provided through service providers such as Vercel, Hetzner and Neon. The actual production stack is documented in section 13 and, where applicable, in the DPA.

5. Cookies, local storage and consent management

We use technically necessary cookies and similar technologies required for website operation, login functions, security, session management or functions explicitly requested by the user. The legal basis for storing or accessing information on the device is Section 25(2) no. 2 TDDDG; subsequent processing of personal data is based on Article 6(1)(f) GDPR or Article 6(1)(b) GDPR.

Non-essential cookies, tracking, marketing or analytics technologies are used only with consent where consent is legally required. The legal bases are Section 25(1) TDDDG and Article 6(1)(a) GDPR. Consent may be withdrawn at any time with future effect.

For campaign attribution, UTM parameters or comparable URL parameters may be stored in the browser's session storage and are generally deleted when the browser tab is closed.

6. Contact, demos, free GEO analysis and report delivery

If you contact us by form, email, telephone, calendar booking or via a free GEO analysis, we process the data you provide, including name, email address, company, role, telephone number, message, domain, brand, search terms, prompts, report data and technical metadata.

The purposes are handling the request, performing the requested analysis, sending the report, preparing and following up meetings, abuse prevention and documentation. Legal bases are Article 6(1)(b) GDPR for pre-contractual or contract-related requests and Article 6(1)(f) GDPR for other communication and legitimate internal follow-up.

We may display request or lead data internally in communication and coordination tools such as Slack where required for fast handling. We limit content to what is necessary.

Promotional newsletters or marketing emails are sent only where consent exists or where a statutory existing-customer rule applies. You can object to promotional communications at any time.

7. GEO analysis, AI models, search services and external APIs

The core function of GEO Tool is to analyse how websites, brands, products or content appear in generative AI systems, AI-supported search services, answer engines and search results. Required inputs such as domains, brands, search terms, prompts, URLs and technical analysis parameters are transmitted to suitable interfaces and service providers.

Please do not enter special categories of personal data under Article 9 GDPR, confidential personal content, credentials, payment data or sensitive confidential information into analysis fields unless expressly agreed and safeguarded.

Depending on configuration, services such as OpenRouter for model routing, DataForSEO for SERP and AI answer data and additional AI or search providers may be used. Model routing may involve further model providers depending on the selected model. For personal Customer data, only approved models, appropriate safeguards and, where available, no-training/zero-retention settings should be used.

The legal basis is Article 6(1)(b) GDPR where processing is necessary for the requested analysis or contract performance, and Article 6(1)(f) GDPR for our legitimate interest in providing, improving, securing and quality-assuring the core functionality. Where consent is required, processing is based on Article 6(1)(a) GDPR.

8. User account, contract processing and billing

For paid functions, we process account, contract and usage data, including name, business contact details, company, login and authentication data, roles/permissions, plan, bookings, invoice data, usage scope, support requests and technical logs.

Purposes are contract performance, user management, access control, billing, support, security, abuse prevention and evidence. Legal bases are Article 6(1)(b) GDPR, Article 6(1)(c) GDPR for statutory retention duties, and Article 6(1)(f) GDPR for security and abuse prevention.

Payments may be processed through payment providers such as Stripe. Payment card data is generally processed directly by the payment provider and not stored by us permanently. Depending on the processing, Stripe may also act as an independent controller.

9. Email delivery and system messages

We may use email service providers for transactional emails, reports, login, security, product and service messages. Processed data includes email address, name, email content, delivery status and technical delivery metadata. Legal basis is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR.

10. Web analytics

Where we use audience measurement, we primarily use privacy-friendly tools such as Plausible Analytics, where possible without cookies and without personal profiling. The legal basis is Article 6(1)(f) GDPR where the specific configuration does not require consent. Consent-based analytics or marketing services are used only after consent.

11. Retention periods

| Data category | Typical retention / criteria |
|---|---|
| Server logs | Generally short-term for security and error analysis; longer retention only for security incidents or evidence interests. |
| Contact and demo requests | Until the request is completed and thereafter according to statutory limitation/evidence periods; marketing communication until objection/withdrawal. |
| Free analysis and report data | As long as necessary for report provision, follow-up, abuse prevention and product analysis; deletion/anonymisation after purpose expires. |
| Account, contract and billing data | During the contract term; thereafter according to statutory retention periods, especially commercial and tax law, usually 6 or 10 years. |
| Customer inputs and analysis results | According to plan, contract purpose, account settings and DPA; after termination deletion or anonymisation unless retention obligations apply. |

12. Recipients and categories of recipients

We disclose personal data only where necessary for providing the website, application, analysis, communication, billing, security, legal enforcement or statutory obligations.

Recipients may include hosting, database, security, AI/LLM, search data, proxy, email, payment, analytics, CRM, communication, legal, tax and IT service providers. Where they process personal data on our behalf, we conclude data processing agreements.

13. Service providers and third-country aspects

The following overview must be verified against the actual production stack and kept up to date. It does not replace the detailed subprocessor list in the DPA where processing on behalf of Customers occurs.

| Service / category | Purpose | Seat / processing location | Safeguards / notes |
|---|---|---|---|
| Vercel | Hosting, delivery, compute and edge infrastructure | USA / possible EU regions | Verify DPA/SCC/DPF status and concrete region per setup. |
| Neon | Postgres database, account, analysis and usage data | Project region by setup; internally indicated Frankfurt/EU | Confirm region and DPA/SCC before go-live. |
| Hetzner | Content engine, server/infrastructure | Germany/EU | Article 28 GDPR data processing agreement. |
| DataForSEO | SERP, search and AI answer data | Estonia/Ukraine or as provider states | Check DPA and third-country aspects per API use. |
| OpenRouter / model providers | Routing and querying generative AI models | USA; additional countries depending on model | Use for personal data only with suitable DPA/SCC/DPF basis and approved model/retention settings. |
| Geonode | Proxy/scraping infrastructure for website analysis | As provider states | Check DPA and scope; minimise personal data. |
| Slack | Internal notifications and coordination of requests/leads | USA/EU | Check DPA/SCC/DPF status; data minimisation. |
| Plausible | Audience measurement | EU, including Germany/Estonia as provider states | Prefer cookie-free, privacy-friendly configuration. |
| Stripe | Payment processing | EU/USA | Processing under Stripe documentation; role depends on processing. |
| Email service provider (Resend, Inc., USA — EU sending region) | Reports, system and service emails | USA / EU | EU Standard Contractual Clauses |

14. International data transfers

Personal data may be transferred to countries outside the EU/EEA, especially when using US-based hosting, AI, search, communication, payment or email services. Where no adequacy decision exists, transfers are based on appropriate safeguards under Article 46 GDPR, in particular EU Standard Contractual Clauses supplemented by technical and organisational measures. The EU-U.S. Data Privacy Framework may additionally be used for certified US providers.

We provide copies or information about relevant safeguards upon request where no confidentiality or security interests prevent this.

15. No automated individual decision-making

We do not make automated decisions within the meaning of Article 22 GDPR that produce legal effects concerning you or similarly significantly affect you. GEO reports, scores and recommendations are analysis and decision-support tools and require human review.

16. Your rights

Subject to statutory requirements, you have rights of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR), objection to processing based on Article 6(1)(f) GDPR (Article 21 GDPR), and withdrawal of consent with future effect (Article 7(3) GDPR).

To exercise your rights, contact datenschutz@geo-tool.com.

17. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority generally responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, Germany.

18. Updates

This Privacy Notice is effective as of 3 July 2026. It may need to be updated as our website, application, service providers, legal requirements or authority guidance develop. The current version is available at geo-tool.com/de/datenschutz.
