Trackur logo - Home trackur.app

Privacy Policy

How Trackur handles your data. Last updated April 2026.

Who we are

Trackur is a solo-operated web-hosted application providing a user- operated visual job application tracking system. Trackur does not provide any employement-related services including but not limited to: coaching, recruitment, consulting, headhunting, hiring, staffing, or any similar product or service. In this policy, "we," "us," and "Trackur" all refer to the operator of the service. You can reach us at [email protected] for any privacy-related questions or requests.

What we collect

Accounts are created by signing in with Google, GitHub, or LinkedIn. We receive only the basic profile fields those providers release by default for OAuth sign-in — typically your email address, display name, and a user identifier. We do not request additional scopes during sign-in, and we do not use or offer password-based authentication.

When you use Trackur, we store the job-application data you enter: company names, roles, stages, dates, next steps, notes, and anything similar you type into the app. You can edit, export to CSV, or delete any of this data at any time.

If you upload a resume file to Trackur, we store the file (PDF or DOCX, up to 200 KB, up to ten files per account) along with a filename, optional label, and file size. Resume files often contain personal information — your full name, phone number, home address, employment history. We treat them as private to your account and store them behind the access controls described below.

If you connect Google Drive to link resumes stored there instead of uploading them, we store the OAuth tokens needed to read from your Drive on your behalf (see the Google Drive section below) and, for each file you link, its Drive file ID, name, MIME type, and icon URL.

If you enable browser notifications to get reminders for upcoming next-step dates, your browser grants us permission to show notifications to you.

We do not collect IP-based location data, device fingerprints, or any behavioural analytics about how you use the Trackur app.

Where your data lives

Trackur runs on a short list of third-party service providers. These are the only parties that process your data on our behalf, and each handles a specific part of the service:

  • Supabase hosts our PostgreSQL database and our authentication service. Your account record, job entries, resume metadata, and Google Drive tokens (if applicable) are stored here. Database-level Row-Level Security policies ensure every account can only read and write its own rows.
  • Cloudflare R2 stores the resume files you upload directly to Trackur, in a private bucket. Files are not publicly listable or readable; downloads are granted only through short-lived presigned URLs (valid 60 seconds) generated by our server when you request them.
  • Vercel hosts the Trackur web app and the serverless functions that mediate file uploads, downloads, and the Google Drive integration. No user data is persisted on Vercel beyond transient function execution.
  • Google processes authentication if you sign in with Google, and fulfills read-only file requests if you connect Google Drive. Google's own privacy policy governs its handling of that data.
  • GitHub and LinkedIn process authentication if you sign in with those providers. Their own privacy policies govern their handling.
  • Your browser's notification system — if you enable notifications, delivery of reminders may involve a standard push service operated by your browser or operating-system vendor (for example, to wake the app to fire a reminder while your tab is closed). We do not control those services and do not send personal information through them beyond the content of the reminder itself.

We do not share, sell, rent, or otherwise transfer your data to any other third party. The providers listed above act as processors on our behalf.

The Google Drive integration

Google Drive is an optional feature. You can use Trackur without ever connecting it. If you do connect it, the following applies:

  • We request only Google's per-file Drive scope (drive.file). This scope grants Trackur access only to the specific files you pick through Google's Picker inside Trackur — Google itself enforces this at the API level. We cannot list, search, or read any other file in your Drive, and we cannot create, rename, move, share, or delete anything in your Drive.
  • We store your Drive access token and refresh token on our server so we can download the files you link to Trackur jobs. These tokens never leave our server — your browser does not see them. Even with these tokens, the drive.file scope limits what Trackur can reach to the files you have explicitly picked.
  • When you pick a file through Google's Picker, we record only that file's Drive ID, name, MIME type, and icon URL. We do not access files you did not explicitly pick.
  • When you download a linked Drive file from Trackur, our server fetches the file's bytes from Google Drive using your stored token and streams them to your browser. We do not cache, copy, or retain the file contents.
  • When you disconnect Google Drive from Settings, we immediately revoke your access and refresh tokens with Google and delete the token row from our database. The metadata rows (Drive file ID, name) we created while you were connected remain, so your existing job references are not broken; any download attempt will fail until you reconnect.

Trackur's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Cookies and local storage

The Trackur app at my.trackur.app uses your browser's local storage to remember your view preference (board or table), your table sort order, and your dark-mode choice. It uses Supabase's authentication tokens (stored in your browser) to keep you signed in between sessions. The app sets no third-party tracking cookies and runs no third-party analytics.

Our separate marketing website at trackur.app uses Cloudflare's built-in web analytics to understand aggregate traffic patterns. Cloudflare's analytics is cookie-less and does not fingerprint individual visitors. It applies only to the marketing site — the app itself runs no analytics.

Notifications

If you enable notifications in Settings, your browser will ask for permission to display notifications on Trackur's behalf. We use that permission to remind you about upcoming next-step dates. We do not track whether a notification was seen, dismissed, or clicked. You can revoke the permission at any time from your browser's site settings.

Your rights and controls

You can access, edit, and delete your job entries and resume files at any time from the app. You can export your job data to CSV. You can disconnect Google Drive at any time from Settings, which revokes our access immediately.

If you want to exercise any right over your data that you cannot complete yourself — for example, a copy of the data we hold about you, or correction of something you cannot edit in the app — email [email protected] and we will respond in a reasonable amount of time.

Deleting your account

To delete your account and all associated data, email [email protected] with the subject line Account Deletion. We will process the request in a reasonable amount of time.

On processing, we will remove your account record, your job entries, your uploaded resume files and their metadata, any Google Drive tokens, and any other data tied to your account. Files that live in your Google Drive (which we only ever read, never wrote) are not affected — they remain in your Drive untouched.

One narrow exception: if at the time of deletion we are legally required to retain certain records — for example, transaction records required by generally accepted accounting principles (GAAP) or applicable tax law — we will retain only those specific records and only for the period required. Trackur does not currently charge for its service, and this exception will apply only if and when that changes.

Security

We protect your data with access-scoped database policies (Row-Level Security), private file storage with short-lived presigned URLs, HTTPS on every request, server-side handling of any OAuth tokens so they never reach your browser, and the absence of any server-side caching of Google Drive file contents. No system is perfectly secure, but these measures reflect our current best effort.

Children

Trackur is not directed at children under the age of 13, and we do not knowingly collect data from them. If you believe a child has given us data, please email us and we will delete it.

Changes to this policy

If we make changes to how we handle your data, we will update the "Last updated" date at the top of this page. For changes that materially affect how your data is handled, we will also contact account holders by email. We will not email for minor wording or formatting changes.

Contact

Questions, requests, or concerns about this policy or your data: [email protected].