<- Back to Home

Privacy Policy

Last updated: April 27, 2026

1. Overview

This Privacy Policy explains how we process personal data when you use GTA Garage Tracker.

Personal data means any information relating to an identified or identifiable natural person.

We aim to describe the processing in a concise, transparent, and understandable form in line with Art. 12 and Art. 13 GDPR.

2. Controller

The controller responsible for data processing on this website is:

Thore Kues
Email: kues.thore@gmail.com

3. How Data Is Collected

Some data is provided directly by you, for example when you sign in with Discord, edit your profile, create garages, upload images, send feedback, or post crew content.

Other data is collected automatically when you access the website. This mainly includes technical data such as IP address, browser type, operating system, referrer, time of access, and request metadata.

4. Purposes and Legal Bases

We process personal data only where a legal basis exists under Art. 6 GDPR.

  • Art. 6(1)(b) GDPR: to provide the service, manage accounts, store your garages and vehicles, and handle requested features such as sharing and exports.
  • Art. 6(1)(c) GDPR: where processing is necessary to comply with legal obligations, including mandatory reporting where applicable.
  • Art. 6(1)(f) GDPR: to operate the platform securely, prevent abuse, moderate content, defend legal claims, and maintain service integrity.
  • Art. 6(1)(a) GDPR: where consent is required, for example if non-essential cookies or similar technologies are introduced later.

5. Hosting

This website is hosted by an external provider. Hosting is used to provide the website securely and efficiently.

Processing in connection with hosting is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Vercel Inc.
440 N Barranca Avenue #4133
Covina, CA 91723
United States

6. Retention Periods

Unless a more specific retention period is stated below, personal data is stored only for as long as necessary for the relevant purpose.

Data is deleted when it is no longer required, unless statutory retention duties apply or continued storage is necessary to establish, exercise, or defend legal claims.

Certain enforcement data may remain stored after account deletion where this is necessary to enforce platform rules and prevent repeated abuse.

7. Your Rights

You may exercise your rights by contacting kues.thore@gmail.com.

  • Right of access under Art. 15 GDPR
  • Right to rectification under Art. 16 GDPR
  • Right to erasure under Art. 17 GDPR
  • Right to restriction of processing under Art. 18 GDPR
  • Right to data portability under Art. 20 GDPR
  • Right to object under Art. 21 GDPR
  • Right to lodge a complaint with a supervisory authority under Art. 77 GDPR

8. Right to Object

If we process your personal data on the basis of Art. 6(1)(e) or Art. 6(1)(f) GDPR, you have the right to object at any time for reasons arising from your particular situation. If you object, we will stop processing the affected data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defence of legal claims.

9. Security

The website uses SSL/TLS encryption to protect confidential transmissions.

10. Cookies and Local Storage

We use technically necessary cookies and similar storage mechanisms that are required to provide the service, maintain sessions, remember language choices, and store the dismissal state of the cookie notice.

Processing is based on Art. 6(1)(f) GDPR. Where access to information on the device falls within Sec. 25(2) No. 2 TDDDG because it is strictly necessary to provide the digital service expressly requested by the user, no separate consent is required.

We do not describe analytics, marketing, or cross-site tracking cookies in this policy because the current implementation does not rely on them. If that changes, this policy and any required consent flow must be updated before deployment.

11. Server Log Files

The hosting provider automatically processes server log data such as IP address, browser type, operating system, referrer, hostname, and time of the request.

This processing is necessary for technical delivery, security monitoring, and troubleshooting, and is based on Art. 6(1)(f) GDPR.

12. Authentication via Discord OAuth

To sign in, we use Discord OAuth. Discord may provide us with your Discord user ID, username, avatar URL, and email address depending on the available account data.

We use this information to create and maintain your account, authenticate you, and display your profile within the service.

Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Discord's own privacy information also applies: https://discord.com/privacy

13. Application Database via Supabase

Application data such as garages, vehicles, profile settings, crew memberships, moderation data, and acceptance timestamps is stored through Supabase.

Supabase acts as a processor on our behalf.

Supabase, Inc.
65 Chulia Street #38-02/03
OCBC Centre
Singapore 049513

14. File Storage via Cloudflare R2

Uploaded images such as podium images and crew logos are stored in Cloudflare R2.

Cloudflare acts as a processor on our behalf.

Deleted images are removed from storage unless retention is required for legal or enforcement reasons.

Cloudflare, Inc.
101 Townsend St
San Francisco, CA 94107
United States

15. Automated Image Checks via Sightengine

Before an uploaded image is stored, it is transmitted to Sightengine for automated content classification.

The purpose is to detect prohibited NSFW or explicit content and prevent misuse of the platform.

Processing is based on Art. 6(1)(f) GDPR. If legal obligations apply in an individual case, Art. 6(1)(c) GDPR may also apply.

Sightengine, Bte 37
16 bis rue d'Odessa
75014 Paris
France

16. CSAM Scanning and Mandatory Reporting

Images stored in Cloudflare R2 may be subject to Cloudflare's CSAM scanning programme.

Where material is detected that must be reported under applicable law, it may be reported to the National Center for Missing and Exploited Children (NCMEC) or another legally competent body.

Where such reporting is required, processing is based on Art. 6(1)(c) GDPR.

17. User Content and Public Sharing

When you submit user content such as a bio, podium image, crew description, crew posts, or shared garage/profile data, that content is stored and displayed according to the feature settings you choose.

Public profile sharing and public garage sharing may make your username, avatar, bio, vehicle information, garage layouts, and related aggregate statistics visible to other users or unauthenticated visitors who have the share link or visit public areas of the service.

Processing is based on Art. 6(1)(b) GDPR because this visibility is part of the requested service functionality.

18. Reports, Moderation, and Enforcement

If content is reported, we store the reporting user, the reported object, the reason, timestamps, and related moderation actions.

If moderation action is taken, we may store the reason, the affected content reference, and the resulting account or content status.

This processing is based on Art. 6(1)(f) GDPR and serves abuse prevention, platform safety, and dispute handling.

19. Suspension and Ban Data

If an account is suspended, suspension status, duration, and reason may be stored on the user record.

If an account is permanently banned, a SHA-256 hash derived from the Discord account identifier may be stored in a separate ban registry to prevent ban evasion.

This data may be retained beyond account deletion where necessary for enforcement. Processing is based on Art. 6(1)(f) GDPR.

20. Feedback and Support Requests

If you submit feedback through the service, we process your user ID, message content, and related metadata to review and respond to your request.

Processing is based on Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR, depending on the nature of the request.

21. Terms Acceptance Records

When you accept the Terms of Service, we store the acceptance timestamp on your account to document consent to the current contractual terms.

Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

22. International Data Transfers

Some providers used by the service are located outside the European Union or may process data in third countries, especially the United States.

Where a transfer to a third country takes place, it is carried out only where a lawful transfer mechanism exists, for example adequacy decisions or the EU Standard Contractual Clauses, as applicable to the provider relationship.

23. Source and Adaptation

This text was prepared for this application and structurally adapted from common GDPR website disclosure patterns.