GDPR Compliance Statement
For EU Customers of BARD Tracker
Last updated May 4, 2025
Data Controller and Contact Information
BARD Tracker
3726 SE 8th Ave
Portland, OR 97202
info@bardtracker.com
+1 (503) 662-2712
We act as the data processor for customer-submitted project data and as the data controller for account-related information.
Lawful Basis for Processing
- Consent
- Performance of a contract
- Legitimate interest
Types of Data Collected
- Account data (e.g., names, email addresses)
- Project data (e.g., description, tasks, comments)
- Usage data (e.g., IP address, browser type)
- Billing data (for subscriptions)
No sensitive personal data (e.g. age, ethnicity, political affiliation) is collected.
Data Hosting and Transfers
Our infrastructure is hosted on AWS us-east-1 (Virginia, USA). Data transfers are protected by:
- EU-U.S. Data Privacy Framework (AWS certified)
- Standard Contractual Clauses (SCCs)
- Transfer Impact Assessments (TIAs)
User Rights
EU/EEA users have the right to:
- Access their data
- Correct data
- Request deletion
- Object to processing
- Port data
- Withdraw consent
All BARD Tracker projects have an Export CSV facility for porting data.
All users' data can be accessed, corrected, and/or deleted at-will at all granularity levels, from comments, tickets, projects, accounts, up to entire organizations.
Previously given consent can be withdrawn at any time.
Contact us at info@bardtracker.com for any inquiries about exercising these rights.
Security and Privacy by Design
- Encryption (HTTPS, encrypted storage)
- Access controls
- Vulnerability assessments
- Data minimization
Data Retention and Backup Policy
Data is retained while accounts are active, and deleted upon request or termination.
We maintain regular backups of our systems to ensure the security and availability of data. These backups are stored securely and are retained for a limited period of time in accordance with our data retention policy.
Right to Erasure
We respect your rights under applicable data protection laws, including your **Right to Erasure** (also known as the "Right to be Forgotten"). If you request the deletion of your personal data, we will take reasonable steps to ensure that your data is removed from our active systems, and historical backups.
Please note that:
- Personal data may continue to exist in our backup systems temporarily after an erasure request is processed.
- Backup data is securely encrypted and is only accessed in case of system restoration or disaster recovery.
Sub-Processors
We use the following vetted, GDPR-compliant sub-processors, and have signed Data Processing Agreements (DPAs) with them:
- Amazon Web Services
- CloudFlare
- Sentry
International Data Transfers
We may transfer your personal data outside of the European Economic Area (EEA) to the United States, where our service providers (Amazon Web Services, or AWS) are located. AWS provides secure cloud storage and hosting services that we use to deliver our Services to you.
We ensure that such transfers are conducted in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR). Specifically:
Adequate Safeguards: We rely on the European Commission’s Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure that your personal data is adequately protected when transferred outside the EEA.
Data Security: AWS is certified under recognized security standards (e.g., ISO 27001) and provides robust encryption and security measures to protect your data.
By using our Services, you acknowledge that your data may be transferred to countries outside of the EEA, including the United States, and you consent to such transfers.
Data Breach Notification
In the event of a data breach, we shall notify users and relevant authorities per GDPR Articles 33 and 34.
Contact and Complaints
For questions or complaints, contact our Data Protection Officer:
Micah Geisel
micah@botandrose.com
You may also contact your local Data Protection Authority.