Privacy Policy – TrackMaker

Last updated: May 14, 2026

This Privacy Policy explains how Geo Studio Technology Ltd. (“Geo Studio”, “we”, “us”), operator of trackmaker.com and related services, collects, uses, stores, and protects personal data of website visitors and customers.

We are a Brazilian company. Our processing of personal data is primarily governed by Brazil’s General Data Protection Law — LGPD (Federal Law 13,709/2018). For users in the European Economic Area (EEA), we also observe the principles of the General Data Protection Regulation (GDPR). For users in the United States, we comply with applicable frameworks including CalOPPA, COPPA, and the CAN-SPAM Act.

1. Data controller

The controller of your personal data is:

Geo Studio Technology Ltd.
Rua Corcovado, 432 — Jardim América
Belo Horizonte/MG, Brazil — ZIP 30421-389
Phone: +55 (31) 3373-9001
Website: trackmaker.com

2. Data Protection Officer (DPO / Encarregado)

In compliance with Art. 41 of the LGPD (and Art. 37 of the GDPR where applicable), we have appointed:

Name: Odilon Ferreira da Silva Junior
Privacy contact e-mail: author (at) gpstm.com

All communications regarding the processing of personal data, including the exercise of data subject rights, should be directed to this contact.

3. What personal data we collect

We collect only the data strictly necessary to provide our services:

Account data: full name, e-mail, phone number, shipping address, and tax ID (CPF/CNPJ for Brazilian customers, or equivalent — only when required for invoicing).
Transaction data: order history, products purchased, amounts, and dates.
Browsing data: IP address, browser type, pages visited, and access timestamps, recorded in server logs for security purposes.
Session data (essential cookies): session and shopping cart identifiers.

We do not collect sensitive data (racial origin, religious belief, political opinion, health data, etc.) or payment data (credit card numbers, CVV) — all financial transactions are processed directly by external payment gateways.

4. When we collect data

We collect your data when you:

Register on the website or application;
Place an order;
Request a software license;
Subscribe to our newsletter or marketing communications;
Contact us through support channels;
Browse the website (technical data automatically captured in logs).

5. Purposes and legal bases for processing

Each processing operation we carry out has a specific purpose and a corresponding legal basis under LGPD (Art. 7) and, where applicable, GDPR (Art. 6):

Purpose	LGPD legal basis	GDPR legal basis
Process an order, generate invoice, deliver the product	Performance of a contract — Art. 7, V	Art. 6(1)(b) — contract
Invoicing and retention of fiscal data	Compliance with legal/regulatory obligation — Art. 7, II	Art. 6(1)(c) — legal obligation
Maintain the shopping cart during the session	Legitimate interest — Art. 7, IX	Art. 6(1)(f) — legitimate interest
Fraud prevention on the license form (reCAPTCHA)	Legitimate interest — Art. 7, IX	Art. 6(1)(f) — legitimate interest
Send newsletter and marketing communications	Consent — Art. 7, I	Art. 6(1)(a) — consent
Respond to support requests	Performance of a contract / pre-contractual steps — Art. 7, V	Art. 6(1)(b) — contract
Defense in judicial, administrative, or arbitration proceedings	Regular exercise of rights — Art. 7, VI	Art. 6(1)(f) — legitimate interest

6. Cookies

We use only strictly necessary cookies for the website to function. These are first-party cookies (set by our own domain) and are not shared with third parties for marketing or behavioral tracking purposes.

Cookie	Purpose	Duration
Session / shopping cart	Remember items added to the cart during navigation	Session (deleted on browser close)
Language/region preference	Maintain the user’s chosen language	Up to 12 months

Because these cookies are strictly necessary to deliver the service requested by the user (LGPD Art. 7, IX; GDPR Recital 30), they operate without the need for prior consent.

We do not use Google Analytics, Google Ads, Facebook Pixel, remarketing tools, or any behavioral tracking tags on this website.

You may disable cookies at any time in your browser settings. Note that doing so may prevent the shopping cart from functioning correctly.

7. Google reCAPTCHA

On the license management area (/license), we use Google reCAPTCHA to prevent fraud and automated abuse. This service collects technical data (IP address, mouse and keyboard events, device identifiers) and sends it to Google servers in the United States.

Legal basis: legitimate interest in fraud prevention (LGPD Art. 7, IX; GDPR Art. 6(1)(f)).
Google’s privacy policy: policies.google.com/privacy
reCAPTCHA terms of service: policies.google.com/terms

8. Sharing with third parties

We share your data only with service providers strictly necessary for business operations:

Payment gateway: Stripe — processes credit card and bank slip payments.
Shipping carriers: Correios (Brazilian postal service) and other carriers when applicable, for physical delivery.
Hosting provider: AWS and VULTR — server infrastructure.
Accounting and tax authorities: when required by law (electronic invoices, tax filings).
Google (reCAPTCHA): as described in section 7.

We do not sell, rent, or transfer your personal data to third parties for their own marketing purposes.

Disclosure of data may occur when required by law, by judicial order, or by lawful request from a competent authority, strictly within applicable legal limits.

9. International data transfers

Some of the providers listed above (notably Google reCAPTCHA and payment gateways) process data on servers outside Brazil. These transfers are carried out under LGPD Art. 33 (and GDPR Chapter V where applicable), relying on:

Standard Contractual Clauses (SCCs) approved by relevant authorities;
Adequacy decisions where available;
Other safeguards required by the LGPD and the GDPR.

10. Data retention

We retain your data only for as long as necessary to fulfill the purposes for which it was collected, observing the following minimum periods:

Category	Retention period
Customer account data	While the account is active, or until deletion is requested
Invoicing/tax data	5 years (Brazilian Tax Code, Art. 173)
Access and security logs	6 months (Brazilian Marco Civil da Internet, Art. 15)
Newsletter	Until consent is withdrawn

After these periods, data is anonymized or deleted.

11. Information security

We implement reasonable technical and administrative measures to protect your data, including:

Restricted access to authorized personnel only, with individual authentication;
Data transmitted over encrypted connections (HTTPS/TLS);
PCI-DSS compliant payment gateways — we do not store credit card data on our servers;
Continuous monitoring against threats (malware, intrusions);
Regular backups.

While we make these efforts, no system can be guaranteed 100% secure. In the event of a security incident that may result in relevant risk or damage to data subjects, we will notify the Brazilian Data Protection Authority (ANPD) and affected data subjects within a reasonable timeframe, as required by LGPD Art. 48 (and GDPR Art. 33 for EEA users, within 72 hours where applicable).

12. Your rights as a data subject

Under LGPD Art. 18 (and equivalent GDPR Articles 15–22 for EEA users), you have the right to, at any time, by submitting a request to the DPO (section 2):

Confirmation that we process your data;
Access to your data;
Correction of incomplete, inaccurate, or outdated data;
Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the law;
Data portability to another service provider, upon express request;
Deletion of personal data processed based on your consent;
Information about public and private entities with which we have shared your data;
Information about the possibility of refusing consent and the consequences of such refusal;
Withdrawal of consent, at any time, by express manifestation.

EEA users additionally have the right to lodge a complaint with their local supervisory authority and the right to object to processing based on legitimate interest.

13. How to exercise your rights

Send your request to the DPO’s e-mail (section 2), including:

Full name;
E-mail address used in our records;
Clear description of the right you wish to exercise.

We will respond within 15 days, as required by LGPD Art. 19 (or within one month, as required by GDPR Art. 12 for EEA users). For complex requests, we may extend this period and will inform you accordingly.

If you believe your request was not adequately addressed, you may file a complaint with:

Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
European Union: the supervisory authority of your member state.
United States — California: the California Attorney General’s office.

14. Children and minors

Our website and services are not directed to minors under 18 years of age. In compliance with LGPD Art. 14, GDPR Art. 8, and the U.S. Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from children under 13 (under 16 in the EEA, under 12 in Brazil for specific consent requirements) without verifiable parental consent. We do not advertise to or solicit personal information from children.

If we become aware that we have inadvertently collected such data without parental consent, we will delete it promptly.

15. California residents (CalOPPA / CCPA)

Under the California Online Privacy Protection Act, California residents have specific rights. Our practices comply as follows:

Users may visit our website anonymously (without registering).
This Privacy Policy is accessible from a link containing the word “Privacy” on the website footer.
Changes to this Policy will be announced on this page, with the updated date at the top.
Logged-in users may modify their personal information by accessing their account.

We do not sell personal information as defined by the California Consumer Privacy Act (CCPA).

16. CAN-SPAM Act (United States)

For commercial e-mail communications, we comply with the CAN-SPAM Act:

We do not use false or misleading subjects or sender addresses;
We identify commercial messages as such;
We include our physical business address;
We honor opt-out and unsubscribe requests promptly (within 10 business days);
Each marketing e-mail includes an unsubscribe link.

You may unsubscribe at any time using the link at the bottom of any commercial e-mail, and we will promptly remove you from all marketing correspondence.

17. Do Not Track signals

Browser “Do Not Track” (DNT) signals are not currently standardized. Because we do not engage in behavioral tracking or serve targeted advertising on this website, our processing is unaffected by the presence or absence of DNT signals.

18. Changes to this policy

This Privacy Policy may be updated periodically to reflect changes in our services or applicable legislation. The “Last updated” date at the top of this document indicates the date of the most recent revision. We recommend periodic review.

Material changes will be communicated to registered users by e-mail and/or a prominent notice on the website.

19. Governing law and venue

This Privacy Policy is governed by the laws of the Federative Republic of Brazil, in particular:

Federal Law 13,709/2018 (LGPD);
Federal Law 12,965/2014 (Marco Civil da Internet);
Federal Law 8,078/1990 (Consumer Defense Code);
Federal Decree 7,962/2013 (E-commerce regulations).

The courts of Belo Horizonte/MG, Brazil, are elected as the competent venue for any disputes, without prejudice to the consumer’s prerogative to bring proceedings in their own domicile under the Brazilian Consumer Defense Code (Art. 101, I).

For EEA users, this clause does not affect statutory rights to bring claims before courts in your country of residence.

20. Contact

For any questions about this Privacy Policy, your personal data, or to exercise your rights:

Data Protection Officer (DPO): author (at) gpstm.com
General inquiries: author (at) gpstm.com
Mailing address: Rua Corcovado, 432 — Jardim América — Belo Horizonte/MG, Brazil — ZIP 30421-389
Phone: +55 (31) 3373-9001