Privacy Notice
for prompt-monitoring.com, geo-tool.com and the GEO Tool application · Date: 3 July 2026 · Version 1.1
| Controller | track by track GmbH, Schliemannstraße 23, 10437 Berlin, Deutschland |
| Privacy contact | datenschutz@geo-tool.com |
| Telephone | +49 30 21923869 |
| Note | This English version is a convenience translation of the German privacy notice. |
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is track by track GmbH, Schliemannstraße 23, 10437 Berlin, Deutschland.
Email: datenschutz@geo-tool.com · Telephone: +49 30 21923869. Managing director: Tobias Sander. Register court: Amtsgericht Berlin-Charlottenburg, HRB 129805 B. VAT ID: DE814954842.
2. Data protection officer
We have not currently appointed a data protection officer because, according to our current assessment, the statutory requirements are not met. If this changes, this Privacy Notice will be updated. You can contact us regarding privacy matters at datenschutz@geo-tool.com.
3. General principles
We process personal data only to the extent necessary to provide the website, application, contract performance, security, communication, billing, analytics services or to comply with legal obligations, or where consent has been given.
Legal bases include Article 6(1)(a) GDPR (consent), Article 6(1)(b) GDPR (contract or pre-contractual measures), Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests).
We delete personal data once the respective purpose ceases to apply and no statutory retention duties, evidence interests or legitimate security interests prevent deletion.
4. Website provision and server log files
When you access our website, technically necessary information is processed, including IP address, date and time of access, requested page/file, data volume, referrer URL, browser type and version, operating system and technical status messages.
The purposes are technical delivery, stability, error analysis, abuse prevention and security. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is secure and functional provision of the website and application.
Hosting and infrastructure may be provided through service providers such as Vercel, Hetzner and Neon. The actual production stack is documented in section 13 and, where applicable, in the DPA.
5. Cookies, local storage and consent management
We use technically necessary cookies and similar technologies required for website operation, login functions, security, session management or functions explicitly requested by the user. The legal basis for storing or accessing information on the device is Section 25(2) no. 2 TDDDG; subsequent processing of personal data is based on Article 6(1)(f) GDPR or Article 6(1)(b) GDPR.
Non-essential cookies, tracking, marketing or analytics technologies are used only with consent where consent is legally required. The legal bases are Section 25(1) TDDDG and Article 6(1)(a) GDPR. Consent may be withdrawn at any time with future effect.
For campaign attribution, UTM parameters or comparable URL parameters may be stored in the browser's session storage and are generally deleted when the browser tab is closed.
6. Contact, demos, free GEO analysis and report delivery
If you contact us by form, email, telephone, calendar booking or via a free GEO analysis, we process the data you provide, including name, email address, company, role, telephone number, message, domain, brand, search terms, prompts, report data and technical metadata.
The purposes are handling the request, performing the requested analysis, sending the report, preparing and following up meetings, abuse prevention and documentation. Legal bases are Article 6(1)(b) GDPR for pre-contractual or contract-related requests and Article 6(1)(f) GDPR for other communication and legitimate internal follow-up.
We may display request or lead data internally in communication and coordination tools such as Slack where required for fast handling. We limit content to what is necessary.
Promotional newsletters or marketing emails are sent only where consent exists or where a statutory existing-customer rule applies. You can object to promotional communications at any time.
7. GEO analysis, AI models, search services and external APIs
The core function of GEO Tool is to analyse how websites, brands, products or content appear in generative AI systems, AI-supported search services, answer engines and search results. Required inputs such as domains, brands, search terms, prompts, URLs and technical analysis parameters are transmitted to suitable interfaces and service providers.
Please do not enter special categories of personal data under Article 9 GDPR, confidential personal content, credentials, payment data or sensitive confidential information into analysis fields unless expressly agreed and safeguarded.
Depending on configuration, services such as OpenRouter for model routing, DataForSEO for SERP and AI answer data and additional AI or search providers may be used. Model routing may involve further model providers depending on the selected model. For personal Customer data, only approved models, appropriate safeguards and, where available, no-training/zero-retention settings should be used.
The legal basis is Article 6(1)(b) GDPR where processing is necessary for the requested analysis or contract performance, and Article 6(1)(f) GDPR for our legitimate interest in providing, improving, securing and quality-assuring the core functionality. Where consent is required, processing is based on Article 6(1)(a) GDPR.
8. User account, contract processing and billing
For paid functions, we process account, contract and usage data, including name, business contact details, company, login and authentication data, roles/permissions, plan, bookings, invoice data, usage scope, support requests and technical logs.
Purposes are contract performance, user management, access control, billing, support, security, abuse prevention and evidence. Legal bases are Article 6(1)(b) GDPR, Article 6(1)(c) GDPR for statutory retention duties, and Article 6(1)(f) GDPR for security and abuse prevention.
Payments may be processed through payment providers such as Stripe. Payment card data is generally processed directly by the payment provider and not stored by us permanently. Depending on the processing, Stripe may also act as an independent controller.
9. Email delivery and system messages
We may use email service providers for transactional emails, reports, login, security, product and service messages. Processed data includes email address, name, email content, delivery status and technical delivery metadata. The legal basis is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR.
10. Web analytics
Where we use audience measurement, we primarily use privacy-friendly tools such as Plausible Analytics, where possible without cookies and without personal profiling. The legal basis is Article 6(1)(f) GDPR where the specific configuration does not require consent. Consent-based analytics or marketing services are used only after consent.
11. Retention periods
| Data category | Typical retention / criteria |
|---|---|
| Server logs | Generally short-term for security and error analysis; longer retention only for security incidents or evidence interests. |
| Contact and demo requests | Until the request is completed and thereafter according to statutory limitation/evidence periods; marketing communication until objection/withdrawal. |
| Free analysis and report data | As long as necessary for report provision, follow-up, abuse prevention and product analysis; deletion/anonymisation after purpose expires. |
| Account, contract and billing data | During the contract term; thereafter according to statutory retention periods, especially commercial and tax law, usually 6 or 10 years. |
| Customer inputs and analysis results | According to plan, contract purpose, account settings and DPA; after termination deletion or anonymisation unless retention obligations apply. |
12. Recipients and categories of recipients
We disclose personal data only where necessary for providing the website, application, analysis, communication, billing, security, legal enforcement or statutory obligations.
Recipients may include hosting, database, security, AI/LLM, search data, proxy, email, payment, analytics, CRM, communication, legal, tax and IT service providers. Where they process personal data on our behalf, we conclude data processing agreements.
13. Service providers and third-country aspects
The following overview must be verified against the actual production stack and kept up to date. It does not replace the detailed subprocessor list in the DPA where processing on behalf of Customers occurs.
| Service / category | Purpose | Seat / processing location | Safeguards / notes |
|---|---|---|---|
| Vercel | Hosting, delivery, compute and edge infrastructure | USA / possible EU regions | Verify DPA/SCC/DPF status and concrete region per setup. |
| Neon | Postgres database, account, analysis and usage data | Project region by setup; internally indicated Frankfurt/EU | Confirm region and DPA/SCC before go-live. |
| Hetzner | Content engine, server/infrastructure | Germany/EU | Article 28 GDPR data processing agreement. |
| DataForSEO | SERP, search and AI answer data | Estonia/Ukraine or as provider states | Check DPA and third-country aspects per API use. |
| OpenRouter / model providers | Routing and querying generative AI models | USA; additional countries depending on model | Use for personal data only with suitable DPA/SCC/DPF basis and approved model/retention settings. |
| Geonode | Proxy/scraping infrastructure for website analysis | As provider states | Check DPA and scope; minimise personal data. |
| Slack | Internal notifications and coordination of requests/leads | USA/EU | Check DPA/SCC/DPF status; data minimisation. |
| Plausible | Audience measurement | EU, including Germany/Estonia as provider states | Prefer cookie-free, privacy-friendly configuration. |
| Stripe | Payment processing | EU/USA | Processing under Stripe documentation; role depends on processing. |
| Email service provider (Resend, Inc., USA — EU sending region) | Reports, system and service emails | USA / EU | EU Standard Contractual Clauses |
14. International data transfers
Personal data may be transferred to countries outside the EU/EEA, especially when using US-based hosting, AI, search, communication, payment or email services. Where no adequacy decision exists, transfers are based on appropriate safeguards under Article 46 GDPR, in particular EU Standard Contractual Clauses supplemented by technical and organisational measures. The EU-U.S. Data Privacy Framework may additionally be used for certified US providers.
We provide copies or information about relevant safeguards upon request where no confidentiality or security interests prevent this.
15. No automated individual decision-making
We do not make automated decisions within the meaning of Article 22 GDPR that produce legal effects concerning you or similarly significantly affect you. GEO reports, scores and recommendations are analysis and decision-support tools and require human review.
16. Your rights
Subject to statutory requirements, you have rights of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR), objection to processing based on Article 6(1)(f) GDPR (Article 21 GDPR), and withdrawal of consent with future effect (Article 7(3) GDPR).
To exercise your rights, contact datenschutz@geo-tool.com.
17. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority generally responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, Germany.
18. Updates
This Privacy Notice is effective as of 3 July 2026. It may need to be updated as our website, application, service providers, legal requirements or authority guidance develop. The current version is available at geo-tool.com/de/datenschutz.